CN111783162B - Data protection implementation method and device and computer equipment - Google Patents

Data protection implementation method and device and computer equipment Download PDF

Info

Publication number
CN111783162B
CN111783162B CN202010622280.5A CN202010622280A CN111783162B CN 111783162 B CN111783162 B CN 111783162B CN 202010622280 A CN202010622280 A CN 202010622280A CN 111783162 B CN111783162 B CN 111783162B
Authority
CN
China
Prior art keywords
storage space
write
firmware
firmware storage
protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010622280.5A
Other languages
Chinese (zh)
Other versions
CN111783162A (en
Inventor
陈融
董彦生
何士贵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN202010622280.5A priority Critical patent/CN111783162B/en
Publication of CN111783162A publication Critical patent/CN111783162A/en
Application granted granted Critical
Publication of CN111783162B publication Critical patent/CN111783162B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data protection realization method, a device and a computer device, which are used for solving the limit of a platform of the computer device which adopts a hardware ordering mode to send SPI ROM instructions to the main board controller and reliably realizing OTP operation on a second firmware storage space.

Description

Data protection implementation method and device and computer equipment
Technical Field
The present application relates generally to the field of computer security applications, and more particularly, to a method and apparatus for implementing data protection, and a computer device.
Background
The primary function of the BIOS (Basic Input and Output System, which may be referred to as firmware) is to provide the lowest, most direct hardware setup and control for the computer device, where important data is burned into a Read-Only Memory (ROM) Read-Only area on the motherboard, and once the BIOS important data is destroyed, the system will fail unpredictably.
In order to realize the write protection of the BIOS important data, the prior art is usually realized by using a write protection pin in a ROM chip, specifically, by pulling up the voltage of the write protection pin, an input instruction can only perform a read operation on the BIOS important data, and the erasing or rewriting operation is not allowed, so as to avoid the BIOS important data from being damaged.
However, in practical application, the existing data protection implementation manner of pulling up the voltage of the write protection pin of the ROM chip is easy to pull down the voltage of the write protection pin by configuring a voltage change circuit, so that the write protection state of the ROM chip is invalid, and further important data of the BIOS is tampered randomly, so that the security of the computer system cannot be ensured.
Disclosure of Invention
In view of this, in order to achieve permanent write protection of important data in a computer device, in one aspect, the present application provides a data protection implementation method, which includes:
Acquiring a target working parameter, and adjusting the first working parameter of a first firmware storage space of computer equipment to the target working parameter so that a main board controller of the computer equipment is switched from a hardware ordering mode to a software ordering mode to work;
receiving a write protection starting instruction sent by the main board controller in the software ordering mode;
And responding to the write-protection starting instruction, and executing one-time write-protection operation aiming at the second firmware storage space of the computer equipment.
Optionally, before the performing the write-once protection operation for the second firmware storage space of the computer device, the method further comprises:
responsive to a partitioning request for a firmware storage space of the computer device, partitioning the firmware storage space into a first firmware storage space and a second firmware storage space;
Obtaining data to be protected, and writing the data to be protected into the second firmware storage space;
And in the running process of the application of the computer equipment, responding to the data writing request aiming at the first firmware storage space can be forbidden.
Optionally, the obtaining the target working parameter, adjusting the first working parameter of the first firmware storage space of the computer device to the target working parameter, includes:
acquiring a first target state parameter of a first register aiming at a first firmware storage space of computer equipment and a second target state parameter of a second register;
Updating a first state parameter of the first register to the first target state parameter and updating a second state parameter of the second register to the second target state parameter.
Optionally, the method further comprises:
verifying whether a write-once protection operation for the second firmware storage space is successful;
If the first firmware storage space is successful, the current target working parameters of the first firmware storage space are restored to the first working parameters, so that the mainboard controller is switched from the software ordering mode to the hardware ordering mode for working;
And responding to a data reading request aiming at the second firmware storage space, and reading request data stored in the second firmware storage space.
In yet another aspect, the present application further provides a data protection implementation method, where the method includes:
Determining that a first working parameter of a first firmware storage space of the computer equipment firmware is adjusted to be a target working parameter, and switching from a hardware ordering mode to a software ordering mode for working;
acquiring a write-protection starting instruction for starting a write-once protection operation;
And sending the write-protection starting instruction to the firmware so that the firmware responds to the write-protection starting instruction to execute the write-once protection operation of the second firmware storage space of the firmware.
Optionally, the method further comprises:
Reading a main board type identifier recorded in an external interface memory, wherein the main board type identifier is written into the external interface memory in a write-once protection mode in the main board configuration process of computer equipment;
Responding to a motherboard configuration request, and configuring the motherboard of the computer equipment according to motherboard configuration specifications corresponding to the motherboard type identifiers; or alternatively, the first and second heat exchangers may be,
And responding to a motherboard configuration detection request, detecting the motherboard type identifier as a target identifier, and detecting motherboard configuration information of the computer equipment according to motherboard configuration specifications corresponding to the target identifier.
Optionally, the method further comprises:
And sending the write-protection starting instruction to a microcontroller of the computer equipment, so that the microcontroller responds to the write-protection starting instruction, performs one-time write-protection operation aiming at the external interface memory, and writes the main board type identifier into the external interface memory.
In yet another aspect, the present application further provides a data protection implementation apparatus, where the apparatus includes:
The system comprises a reference adjustment module, a hardware ordering mode, a software ordering mode and a control module, wherein the reference adjustment module is used for acquiring target working parameters and adjusting first working parameters of a first firmware storage space of computer equipment to the target working parameters so that a main board controller of the computer equipment can be switched from the hardware ordering mode to the software ordering mode to work;
The write protection instruction receiving module is used for receiving a write protection starting instruction sent by the main board controller in the software ordering mode;
And the write protection execution module is used for responding to the write protection starting instruction and executing write-once protection operation aiming at the second firmware storage space of the computer equipment.
In yet another aspect, the present application further provides a data protection implementation apparatus, where the apparatus includes:
the ordering mode switching module is used for determining that a first working parameter of a first firmware storage space of the computer equipment firmware is a target working parameter, and switching from a hardware ordering mode to a software ordering mode to work;
The write-protection starting instruction acquisition module is used for acquiring a write-protection starting instruction for starting one-time write-protection operation;
and the write protection starting instruction sending module is used for sending the write protection starting instruction to the firmware so that the firmware responds to the write protection starting instruction and performs one-time write protection operation on a second firmware storage space of the firmware.
In yet another aspect, the present application also proposes a computer device comprising:
A main board;
firmware and a motherboard controller disposed in the motherboard, wherein:
The firmware is used for loading and executing a pre-stored first program to realize the steps of the data protection realization method described from the perspective of the computer equipment firmware;
The main board controller is used for loading and executing a pre-stored second program to realize the steps of the data protection realization method described from the perspective of the main board controller of the computer equipment.
Therefore, in order to improve the safety and reliability of the second firmware storage space for storing important information in the computer device, the application can avoid the change and removal of the data stored in the second firmware storage space after leaving the factory, and realize the write protection of the data stored in the second firmware storage space by adopting an OTP mode, so that the computer device working in a hardware ordering mode for the main board controller can receive the write protection instruction sent by the main board controller, and can reliably realize the OTP operation on the second firmware storage space by solving the limit of the platform for sending SPI ROM instruction number to the main board controller.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an alternative example of a data protection implementation method according to the present application;
FIG. 2 is a schematic diagram illustrating a division manner of firmware memory space suitable for the data protection implementation method according to the present application;
FIG. 3 is a flow chart illustrating yet another alternative example of a data protection implementation method proposed by the present application;
FIG. 4 is a schematic diagram of the hardware architecture of a further computer device implementing the data protection implementation method proposed by the present application;
FIG. 5 is a flow chart illustrating yet another alternative example of a data protection implementation method proposed by the present application;
FIG. 6 is a flow chart illustrating yet another alternative example of a data protection implementation method proposed by the present application;
FIG. 7 is a flow chart illustrating yet another alternative example of a data protection implementation method proposed by the present application;
FIG. 8 is a schematic diagram showing the hardware configuration of a computer device for implementing the data protection implementation method according to the present application;
FIG. 9 is a schematic diagram of an alternative embodiment of a data protection implementation device according to the present application;
FIG. 10 is a schematic diagram of a data protection implementation device according to another alternative embodiment of the present application;
FIG. 11 is a schematic diagram of a data protection implementation device according to another alternative embodiment of the present application;
Fig. 12 is a schematic diagram of an alternative architecture of a computer device implementing the data protection implementation method proposed by the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
For convenience of description, only a portion related to the present application is shown in the drawings. Embodiments of the application and features of the embodiments may be combined with each other without conflict.
It is to be understood that the terms "system," "apparatus," "unit," and/or "module" as used herein are one means for distinguishing between different components, elements, parts, portions, or assemblies at different levels. However, if other words can achieve the same purpose, the word can be replaced by other expressions.
As used in the specification and in the claims, the terms "a," "an," "the," and/or "the" are not specific to a singular, but may include a plurality, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the steps and elements are explicitly identified, and they do not constitute an exclusive list, as other steps or elements may be included in a method or apparatus. The inclusion of an element defined by the phrase "comprising one … …" does not preclude the presence of additional identical elements in a process, method, article, or apparatus that comprises an element.
Wherein, in the description of the embodiments of the present application, unless otherwise indicated, "/" means or, for example, a/B may represent a or B; "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, in the description of the embodiments of the present application, "plurality" means two or more than two. The following terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
In addition, flowcharts are used in the present application to illustrate the operations performed by systems according to embodiments of the present application. It should be appreciated that the preceding or following operations are not necessarily performed in order precisely. Rather, the steps may be processed in reverse order or simultaneously. Also, other operations may be added to or removed from these processes.
Referring to fig. 1, a flow chart of an alternative example of a data protection implementation method according to the present application, which may be applied to a computer device, such as a notebook computer, a desktop computer, etc., the device type of the computer device is not limited by the present application, and the data protection implementation method according to the present embodiment may be implemented by a firmware BIOS (Basic Input and Output System, basic input output system) of the computer device, as shown in fig. 1, and may include, but is not limited to, the following steps:
Step S11, acquiring target working parameters, and adjusting the first working parameters of a first firmware storage space of the computer equipment to the target working parameters so that a main board controller of the computer equipment is switched from a hardware ordering mode to a software ordering mode to work;
In practical application, the storage space of the computer device firmware BIOS can be divided into a first firmware storage space and a second firmware storage space, and some important data for the computer device, such as some data which is not hoped to be changed randomly by a user or some data which can influence the normal operation and the safety of the computer device system, and the like. For example, the data of the important areas such as the RO (Read-Only) area of Coreboot and the boot block area of the UEFI (Unified Extensible FIRMWARE INTERFACE) and some key data such as special flag (identification) set in the BIOS, OA3 key of the machine, MTM (Model MACHINE TYPE) and the like, if the information is modified after the computer equipment leaves the factory, adverse effects are often caused on the user data, the use mode and the use safety of the computer equipment, so that the user cannot normally and safely use the computer equipment.
Therefore, the application can write the data listed above but not limited to the data listed above into the second firmware storage space as the data to be protected, and change the second firmware storage space into a permanent read-only storage space before the computer equipment leaves the factory, thereby ensuring that the data stored in the second firmware storage space cannot be tampered and deleted after leaving the factory, and enhancing the protection of BIOS startup.
Therefore, in the running process of the application of the computer device, the computer device can respond to the data writing request and the data reading request aiming at the first firmware storage space, but can prohibit responding to the data writing request aiming at the second firmware storage space and can only respond to the data reading request aiming at the second firmware storage space. The application does not limit the division mode of the firmware storage space of the computer device, namely the first firmware storage space and the second firmware storage space of the BIOS storage space.
For example, for an SPI ROM (SERIAL PERIPHERAL INTERFACE ROM) Flash chip supporting OTP (One Time Program, write-once protection), as shown in fig. 2, before the computer device leaves the factory, the whole storage space of the BIOS SPI ROM may be divided into Read-WRITE FLASH (i.e. a first firmware storage space with a data Read-write attribute) and Read-Only Flash (i.e. a second firmware storage space with a data Read-Only attribute), key information listed above but not limited to the above is written into the Read-Only Flash to be divided, and between leaves the factory, the part of the firmware storage space is changed into a permanent Read-Only area, so that the data stored in the Read-Only Flash cannot be rewritten or destroyed any more, and the protection of the user data is enhanced, thereby meeting the software and hardware security requirements of the computer device purchaser (such as a personal user, a regional or a national government unit, an enterprise unit, etc.).
Based on the analysis, the application can adopt a mode of writing a certain number of write protection starting instructions into a firmware storage space (such as a storage space of a BIOS SPI ROM) of computer equipment and performing OTP operation on the second firmware storage space to realize subsequent permanent protection on the second firmware storage space, and the prior art problems described in the background art part are solved. However, for a computer device using an Intel big core (i.e. Intel big core) processor architecture, since its motherboard controller (such as Platform Controller Hub, abbreviated as PCH, integrated south bridge, and also may be called platform controller center) generally adopts hardware sequencing (hardware ordering mode) to send instructions to a firmware storage space of the computer device, only a limited number of instructions can be sent in this way, and it is often impossible to send all instructions for starting an OTP operation to a BIOS SPI ROM, and thus an OTP operation on a second firmware storage space cannot be implemented.
In order to further solve the above-mentioned problems, the present application proposes to complete transmission of all instructions for starting the OTP operation by adopting a software sequencing mode (software ordering mode), so as to solve the technical problem that the number of instructions capable of being sent to the BIOS SPI ROM by using a hardware sequencing mode is limited and the OTP operation for the second firmware storage space cannot be started. The application will not be described in detail with respect to the principle of operation of a computer device operating in either software sequencing or hardware sequencing modes.
In combination with the description of the inventive concept, the application can determine the implementation distinction between the computer device working in hardware sequencing mode and the computer device working in software sequencing mode, that is, determine whether the computer device is a key parameter in hardware sequencing mode or software sequencing mode, and change the key parameter to realize the switching between the two modes.
The key parameter determined by analysis may be a first working parameter of a first firmware storage space of the computer device, such as a state parameter of a corresponding register for implementing a conventional CSM MRC buffer event log in Read-WRITE FLASH in fig. 2, which is not limited to the specific content of the first working parameter, and may be determined in combination with the working principle of hardware sequencing.
Similarly, the present application may also determine the target operating parameter of the first firmware memory space, such as the target state parameter of the register, when the computer device is operating in the software sequencing manner. In this way, when the OTP operation needs to be executed on the second firmware storage space in the computer device, the PCH may send the target working parameter to the computer device firmware (for example, BIOS), specifically may send the target working parameter to the BIOS SPI ROM, so that the firmware adjusts the first working parameter in the first firmware storage space to the target working parameter, that is, clears the first working parameter, and writes the target working parameter.
Step S12, a write protection starting instruction sent by the main board controller in a software ordering mode is received;
As described above, for the firmware memory (such as the BIOS SPI ROM) hung on the main board controller PCH, the OTP operation needs to be performed on the second firmware memory space (such as the RO area where the Read-Only Flash is located) included in the firmware memory (such as the ROM area), and the operating mode of the PCH is switched to software sequencing according to the above manner, since the SPI ROM instruction sent by the PCH is not limited by the computer device core processor architecture platform when operating in software sequencing mode, the PCH may send the write protection start instruction for starting the OTP operation of the second firmware memory space of the computer device, that is, all the SPI ROM instructions for implementing the OTP operation, to the BIOS SPI ROM, so that the BIOS obtains all the start instructions capable of starting the OTP operation on the RO area in the BIOS SPI ROM.
It should be noted that, regarding the implementation process of the PCH in software sequencing mode to send the SPI ROM command, it can be determined by combining the working principle of software sequencing mode, and the present application will not be described in detail.
In addition, for different types of computer devices produced by different manufacturers, the data stored in the second firmware storage space required to perform the OTP operation may be different, and the number and content of the write-protection starting instruction for implementing the OTP operation may also be different. In practical application of this embodiment, the BIOS may write the received write-protection start instruction into the status register in sequence, which is not described in detail in this embodiment of the implementation process
In step S13, in response to the write-protect initiation instruction, a write-once operation for the second firmware storage space of the computer device is performed.
As described above, the process of starting the OTP operation is relatively complex, and therefore, the number of write-protect starting instructions in this embodiment is plural, but the specific instruction number and content of the plural write-protect starting instructions are not limited, and may be determined according to practical situations.
According to the above manner, after the PCH is in software sequencing manner and a plurality of required write protection starting instructions are sent to the BIOS SPI ROM, the OTP operation for the second firmware storage space may be started in response to the plurality of write protection starting instructions, and the specific implementation process of the OTP operation is not described in detail in the present application.
The OTP is a memory type of the singlechip, which means that the OTP is programmable at one time, namely, after the program is burnt into the singlechip, the OTP cannot be changed and cleared again. Based on the principle, after the data to be protected of the computer equipment is determined, the method starts and executes one-time programming aiming at the second firmware storage space, namely the Read-Only Flash, and the data to be protected and the program supporting the work of the Read-Only Flash are written into the Read-Only Flash, so that the subsequent change and removal of the data are avoided, and the stored data security is improved.
In some embodiments, in order to protect important BIOS data, an OTP register may be configured inside Flash to indicate that the register is only programmed once, and complete programming of the computer device before the computer device leaves the factory, so as to ensure that data stored in the computer device after the factory is not changed and cleared. In order to realize protection of the OTP register, a LOCK register can be provided, the working principle of the LOCK register is similar to that of the OTP register, the LOCK register can only be programmed once, each bit of the LOCK register corresponds to one OTP register and is used for locking the OTP register, and the OTP register can not be written any more, so that the data stored in the FLASH chip where the OTP register is located can be protected from being changed or cleared.
Similarly, for other storage devices of the computer device, the protection of the stored data of the storage devices can be realized by disposing an OTP register and a LOCK register, and the detailed description of the specific implementation process is omitted. In practical application, the data and storage devices that need to perform OTP operation can be determined according to the needs of the operators and clients, and the implementation process of OTP operation for each storage device is similar, and the implementation process of OTP operation for Read-Only Flash of BIOS SPI ROM described in this embodiment can be referred to.
In summary, in order to improve the safety and reliability of the second firmware storage space for storing important information in the computer device, the data stored in the second firmware storage space after leaving the factory is prevented from being changed and cleared, and an OTP mode is adopted to implement write protection of the stored data in the second firmware storage space, so that, for a computer device that uses a hardware ordering mode to work on a motherboard controller, in order to solve the limitation of the number of SPI ROM instructions sent by a platform to the motherboard controller, OTP operation on the second firmware storage space is reliably implemented.
Referring to fig. 3, a flow chart of still another alternative example of the data protection implementation method according to the present application may be an alternative refinement implementation of the data protection implementation method described in the foregoing embodiment, but is not limited to this refinement implementation described in the foregoing embodiment, and as shown in fig. 3, the method may include:
Step S31, a first target state parameter of a first register aiming at a first firmware storage space of computer equipment and a second target state parameter of a second register are obtained;
Step S32, updating the first state parameter of the first register to a first target state parameter, and updating the second state parameter of the second register to a second target state parameter;
In combination with the above description of two operation modes of hardware sequencing and software sequencing of the motherboard controller of the computer device, the distinguishing information of the two operation modes may be parameters in the status registers, so that the first register and the second register of the embodiment may be status registers in Read-WRITE FLASH, which are usually undefined registers, but not limited to specific information of the two registers, and may be determined according to, but not limited to, differences of PCH operation modes, requirements of a processor architecture platform of the computer device, and other factors, which are not described in detail herein.
Based on this, the present application can determine the first operating parameter and the target operating parameter according to the above manner, and when determining that the PCH operating mode is affected and selecting hardware sequencing modes, the state parameters of the first register and the second register are respectively and correspondingly recorded as the first state parameter and the second state parameter, and the specific contents of the two state parameters can be determined according to the hardware sequencing operating principle.
Similarly, the target state parameters of the first register and the second register may be determined according to factors such as the working principle of software sequencing, and are sequentially recorded as the first target state parameter and the second target state parameter, after the computer device firmware obtains the first target state parameter and the second target state parameter, the original state parameter of the corresponding register in the second firmware storage space of the computer device firmware may be directly cleared, and the target state parameter is written into the corresponding register, so that the computer device satisfies the condition that the PCH works in software sequencing mode, and in this way, in the subsequent working process of the PCH, since the state parameters in the two registers have been changed, a new state parameter will be executed, and in this way, the PCH will work in software sequencing mode.
It should be noted that, the implementation method for switching the motherboard controller of the computer device from the hardware ordering mode to the software ordering mode includes, but is not limited to, the method described in this embodiment, and for the computer device firmware of the present application, it is required to use a chip supporting OTP operation, but not limited to the type of the chip used, such as a FLASH chip. In addition, for the computer device implementing the data protection implementing method provided by the present application, a main stream MAF architecture is generally adopted, and the firmware memory is only hung on the PCH, that is, the PCH implements the instruction transmission to the BIOS SPI ROM, and the present application does not describe in detail about the working principles of the MAF architecture and the PCH.
Step S33, receiving a write protection instruction sent by a main board controller of the computer equipment in the working process of switching the main board controller from a hardware ordering mode to a software ordering mode;
In step S34, in response to the write-protect initiation instruction, a write-once operation for the second firmware storage space of the computer device is performed.
Regarding the implementation procedure of step S33 and step S34, reference may be made to the descriptions of the corresponding parts of the above embodiments, which are not repeated herein.
In summary, in this embodiment, the data to be protected of the computer device is written into the second firmware storage space, such as the RO area after the storage space division is performed by the BIOS SPI ROM, and because the main controller PCH of the computer device works in the hardware sequencing manner, the complete write protection starting instruction for implementing the OTP operation cannot be sent to the BIOS SPI ROM, and thus the BIOS cannot implement the OTP operation on the RO area, the embodiment proposes to adjust the state parameters of the two registers in the first firmware storage space, that is, the RW area, to the target state parameters that can enable the PCH to work in the software sequencing manner, so that the PCH works in the software sequencing manner, and the complete write protection starting instruction for implementing the OTP operation is sent to the BIOS SPI ROM, so that in response to these write protection starting instructions, the OTP operation on the second firmware storage space can be reliably implemented, that is, the permanent lock of the second firmware storage space cannot be implemented any write operation on the data stored in the second firmware storage space any more, thereby greatly improving the security reliability of data storage, and meeting the requirements of special clients for implementing specific function data protection of the computer device.
In practical application, in order to realize reliability of OTP operation executed on the second firmware storage space, the application may also perform write protection verification on the second firmware storage space, specifically referring to the schematic diagram of the computer device structure shown in fig. 4, the write protection verification module of the read-only area may implement verification of OTP operation on the RO area in the BIOS SPI ROM, so as to prompt and re-perform OTP operation in time in case of failure of OTP operation.
Based on this, referring to a flowchart of yet another alternative example of the data protection implementation method proposed by the present application shown in fig. 5, the method may include:
Step S51, obtaining target working parameters, and adjusting the first working parameters of the first firmware storage space of the computer equipment to the target working parameters so that a main board controller of the computer equipment is switched from a hardware ordering mode to a software ordering mode to work;
Step S52, receiving a write protection starting instruction sent by the main board controller in the working process of the main board controller in a software ordering mode;
step S53, in response to the write-protection start instruction, performing OTP operation for the second firmware storage space of the computer device;
For the specific implementation process of step S51 to step S53, reference may be made to the description of the corresponding parts of the above embodiment, which is not repeated herein.
Step S54, verifying whether the OTP operation on the second firmware memory space is successful, if so, entering step S55; if not, returning to the step S51 to carry out write-once protection operation on the second firmware storage space again;
In the process of powering on and starting the computer equipment, BIOS self-checking is usually performed, in the stage of starting protection verification, besides implementing other protection verification on BIOS, starting protection verification can be performed on an RO area of the BIOS SPI ROM, for example, whether the RO area can be subjected to writing operation is verified, so as to judge whether the OTP operation performed on the RO area before is successful or not, but the method is not limited to the starting protection verification method, and flexible adjustment can be performed according to actual requirements, and the application is not described in detail.
After the verification, it is determined that the OTP operation performed on the second firmware storage space before is unsuccessful, and the data protection implementation method may be directly returned to step S51 to re-perform the OTP operation on the second firmware storage space in a manner described in this embodiment.
In still other embodiments, if the verification is unsuccessful, the embodiment may also return to step S53 to respond to the write-protection start instruction again, and perform a write-once protection operation for the second firmware storage space of the computer device, so as to reduce the time taken for switching or detecting the PCH operating mode and sending the write-protection start instruction, so as to improve the efficiency of the data protection implementation method.
In practical applications of this further embodiment, the number of failures allowed to execute the OTP operation may be preset, so this embodiment may count the number of times of executing the OTP operation on the second firmware storage space, and in case of verifying that the currently executed OTP operation fails, detect whether the number of times of executing the currently counted number of times reaches the preset number of failures, and if not, may continue to execute step S53, execute the OTP operation again on the second firmware storage space, and if so, return to step S51, and execute the data protection implementation method proposed by the present application again, so as to implement the OTP operation on the second firmware storage space.
It should be understood that in the process of returning to step S51 to re-perform the OTP operation, the operating parameter currently possessed by the first firmware storage space (i.e., the target state parameter adjusted last time) may be taken as the first operating parameter, and updated to the re-acquired target state parameter.
In still other embodiments, if the execution of one or more OTP operations on the second firmware storage space in the foregoing manner is unsuccessful, corresponding alarm information may be output to inform relevant inspectors to overhaul the BIOS configuration and other software and hardware configurations of the computer device, so as to ensure that the OTP operation on the second firmware storage space is implemented, and detailed description of a specific overhaul process is omitted.
Step S55, recovering the current target working parameters of the first firmware storage space to the first working parameters, so that the main board controller is switched from a software ordering mode to a hardware ordering mode to work;
As described above for the computer device suitable for the data protection implementation method provided by the present application, in general, the motherboard controller of the computer device will work in hardware sequencing modes to meet the data read-write requirements in the application running process of the computer device. Therefore, after determining that the OTP operation on the second firmware storage space is successfully completed, the present application can restore the operation mode of the motherboard controller to hardware sequencing modes.
Specifically, in combination with the above description of the switching control process between the hardware sequencing mode and the software sequencing mode, the present embodiment may switch the working mode of the PCH from software sequencing to hardware sequencing mode by adopting the reverse process of the step S51, and the detailed description of the implementation process is omitted.
Step S56, in response to the data reading request for the second firmware storage space, the request data stored in the second firmware storage space is read.
Because the present application has executed the OTP operation on the second firmware storage space of the computer device, after the PCH of the computer device returns to hardware sequencing mode, in response to a data reading instruction from any application to the second firmware storage space, after sending a data reading request for the second firmware storage space to the firmware of the computer device, the firmware of the computer device may read the request data stored in the second firmware storage space in response to the data reading request, and this embodiment of the data reading process for the second firmware storage space will not be described in detail.
According to the above manner, the computer device firmware receives the data writing request for the second firmware storage space, and because the second firmware storage space executes the OTP operation, the response to the data writing request is prohibited, the data writing request can be directly ignored or deleted, and the prompt information for prohibiting the writing operation can also be fed back to the application that initiates the data writing request, which is not limited in this aspect of the application.
In summary, in the case that the processor architecture platform needs to write protection to some important data in the computer device working in the hardware ordering manner, before the computer device leaves the factory, the important data may be written into the second firmware storage space of the computer device, and then, by adjusting the first working parameter of the first firmware storage space to the target working parameter, the main board controller of the computer device is temporarily switched to the software ordering manner to work, so that the main board controller of the computer device can send all the plurality of write protection starting instructions required for implementing the OTP operation to the firmware of the computer device, so that the firmware of the computer device responds to the write protection starting instruction, and the OTP operation to the second firmware storage space, that is, the permanent write protection to the data stored in the second firmware storage space can be implemented.
In order to further improve the reliability of the OTP operation, the embodiment proposes that in the process of starting self-checking of the computer device, the OTP operation in the second firmware storage space is verified in reliability, that is, whether the OTP operation in the second firmware storage space is successful or not is verified, if not, the OTP operation is performed again, the OTP operation in the second firmware storage space is ensured to be successfully realized, then, the working mode of the computer device platform is restored to the original hardware ordering mode, the application running requirement of the computer device is met, and the normal, safe and reliable work of the computer device after leaving the factory is ensured.
In connection with the implementation procedure of the data protection implementation method described from the perspective of the firmware of the computer device, the data protection implementation method will be described from the perspective of the motherboard controller of the computer device, and since the motherboard controller interacts with the firmware of the computer device, the data protection implementation method proposed by the present application is implemented, and for part of the content in the implementation procedure, reference may be made to, but not limited to, the description of the corresponding part of the foregoing embodiment.
Referring to fig. 6, a flow chart of still another alternative example of the data protection implementation method proposed in the present application, as the above analysis, the method may be applicable to the motherboard controller of the above computer device, such as the PCH in fig. 4, and as shown in fig. 6, the data protection implementation method executed by the PCH may include, but is not limited to, the following steps:
step S61, determining that a first working parameter of a first firmware storage space of computer equipment firmware is adjusted to be a target working parameter, and switching from a hardware ordering mode to a software ordering mode for working;
for the implementation process of adjusting the first working parameter of the first firmware storage space to the target working parameter, reference may be made to the description of the above embodiment, which is not repeated herein.
In some embodiments, if the first operating parameter of the first firmware storage space to be adjusted is the state parameter of each of the first register and the second register, after the computer device firmware BIOS adjusts the state parameters of the two registers to corresponding target state parameters, the adjustment result may be fed back to the motherboard controller, so that the motherboard controller determines that the first operating parameter of the first firmware storage space is adjusted to the target operating parameter, and then the motherboard controller will operate in a software ordering manner.
The adjustment result fed back to the BIOS may be a sequence mode switching instruction, so that the motherboard controller may switch to a software sequence mode to operate in response to the sequence mode switching instruction, but is not limited to the adjustment result content and the sequence mode switching implementation mode.
In practical application of the application, the BIOS can read the data in the BIOS SPI ROM by the subsequent PCH work without feeding back the adjustment result, and can work in a software ordering mode directly according to the data content (mainly the target working parameters).
Step S62, a write-protection starting instruction for starting a write-once protection operation is obtained;
As can be seen from the above description of the write-protection starting instruction, for computer devices of different models and different manufacturers, the number and content of the write-protection starting instruction for implementing the OTP operation may be different.
Step S63, a write-protect start instruction is sent to the firmware, so that the firmware performs a write-once operation for the second firmware storage space of the firmware in response to the write-protect start instruction.
The application can realize data transmission between the main board controller PCH and the firmware BIOS according to the data communication protocol between the two, namely, the main board controller PCH sends the obtained all write protection starting instructions for realizing OTP operation to the BIOS of the computer equipment, and particularly as shown in figure 4, the write protection starting instructions can be sent to BIOS SPIROM to execute OTP operation on an RO area (namely a second firmware storage space) in the write protection starting instructions, so that permanent write protection on the stored data of the RO area is realized.
In summary, when it is necessary to permanently write-protect important data stored in the second firmware storage space of the computer device, so as to avoid that the data are rewritten and cleared after the computer device leaves the factory, and the normal safe use of the computer device is affected, the embodiment may adopt a mode of adjusting the first working parameter of the first firmware storage space to be the target working parameter, so that the motherboard controller is switched from the common hardware ordering mode to the software ordering mode to work, and all write-protect starting instructions for implementing the OTP operation are guaranteed to be sent to the computer device firmware, so that the firmware responds to the write-protect starting instructions to execute the OTP operation on the second firmware storage space, permanently lock the data stored in the second firmware storage space, and cannot write the data stored in the second firmware storage space any more, thereby improving the storage security of such data, and further guaranteeing the operation security and reliability of the computer device.
In practical applications, special security requirements may be applied to the computer device for different sales objects or regions of the computer device, so that a hardware level distinction exists between the mainboards of the corresponding computer device, and in the process of assembling the computer device, in order to ensure that the assembled mainboards meet the corresponding security requirements, a mainboard type identifier, such as a Board ID, may be configured. Currently, the product mainly provides a hardware-level Board ID to a system component of a computer device, such as BIOS, EC, etc., by means of a General-purpose input/output (GPIO) table. This approach tends to increase the complexity and operating cost of the motherboard.
In order to solve the above problems, the present application further proposes to perform OTP operation on an existing memory chip of a computer device, so as to implement a reversible multi-hardware-level Board ID configuration under a bill of materials (bill of materials). Based on this, referring to fig. 7, a flowchart of another alternative example of the data protection implementation method provided by the present application is mainly described how to implement the process of OTP encoding for motherboard type identification by using an existing memory chip of a computer device, and as shown in fig. 7, the method may include:
step S71, reading a main board type identifier recorded by an external interface memory;
The main board type identifier may be written into the external interface memory by adopting a write-once protection mode in the main board configuration process of the computer device.
With reference to the structural schematic diagram shown in fig. 8, after determining that the computer device should be equipped with the motherboard type identifier card ID of the motherboard, the card ID may be written into the SPI chip (i.e. the external interface memory) and OTP operation is performed on the same, so as to ensure that the recorded card ID is not randomly changed and cleared. For a specific implementation process of executing the OTP operation on the Board ID recorded by the SPI chip, reference may be made to the description of the corresponding portion of the foregoing embodiment, which is not repeated herein.
In some embodiments, after the computer device system is powered on, the production line may configure the Board ID to the microcontroller of the computer device, such as EC or eSIO (embedded microcontroller and conventional input/output device) in fig. 8, according to the configuration requirement, that is, a write-protect start instruction for implementing the OTP operation is sent to the microprocessor, and the microprocessor executes the OTP operation for the external interface memory in response to the write-protect start instruction, that is, implements OTP encoding for the Board ID, which is not described in detail in the specific implementation process.
It can be seen that, in order to achieve the permanent storage of the Board ID, the PCH or other controller may send a write-protect initiation instruction to the microcontroller of the computer device, so that the microcontroller performs a write-protect operation for the external interface memory once in response to the write-protect initiation instruction, and writes the motherboard type identifier into the external interface memory.
Before the OTP operation is executed, the EC or eSIO may check BoardID to be configured, if the check fails, the BoardID error may be considered, and corresponding prompt information may be output to update the Board ID, if the check succeeds, the integrity verification may be further performed on the received write protection instruction, and after the verification passes, the OTP operation is executed, and the Board ID is permanently written into the SPI chip.
In still other embodiments, for the implementation procedure of permanently writing the Board ID into the SPI chip by using the OTP encoding scheme, the implementation procedure may be implemented by the PCH in fig. 8, and the implementation procedure is similar, which is not described in detail in the present application.
Step S72, responding to the mainboard configuration request, and configuring the mainboard of the computer equipment according to the mainboard configuration specification corresponding to the mainboard type identifier;
step S73, responding to the motherboard configuration detection request, detecting the motherboard type identifier as a target identifier, and detecting motherboard configuration information of the computer equipment according to motherboard configuration specifications corresponding to the target identifier.
In practical application of this embodiment, after implementing the irreversible hardware-level Board ID write protection according to the above manner, the BIOS, firmware or software of the system may implement different requirements according to BoardID inputs, and specific requirements are not described in detail in the present application, and a main Board configuration process and a configured main Board detection process are mainly described herein, and the execution stages of the two processes are not limited in the present application.
When a motherboard needs to be configured for the computer device, that is, a motherboard configuration request is received, the stored motherboard type identifier can be read in response to the motherboard configuration request to obtain a motherboard configuration specification corresponding to the motherboard type identifier, for example, what configuration the motherboard with the motherboard type identifier should have, so that motherboard configuration for the computer device is completed according to the motherboard configuration specification, and the configured motherboard structure is ensured to meet corresponding requirements. For the main boards with different main board type identifiers, the required main board configuration structures are often different, the main board configuration specification corresponding to the different main board type identifiers can be determined according to various demands such as market demands, customer demands and the like, and specific contents are not limited.
After the configuration of the motherboard of the computer device is completed in the above manner, the motherboard configuration detection request can be further responded to perform correctness verification on motherboard configuration information of the computer device, a specific verification manner is not limited, and verification content can still be determined according to motherboard configuration specifications corresponding to motherboard type identifiers of the computer device, which is not described in detail in the present application.
In summary, the embodiment utilizes the existing memory chip of the computer device to realize the write-once protection coding of the motherboard type identifier of the irreversible hardware level, does not increase the complexity and the operation cost of the motherboard hardware circuit, can ensure the memory security of the motherboard type identifier, avoids malicious modification and elimination, and can improve the motherboard configuration efficiency and the reliability of the computer device according to the motherboard type identifier.
Referring to fig. 9, a schematic structural diagram of an alternative example of a data protection implementation apparatus according to the present application, where the apparatus may be applicable to firmware of a computer device, as shown in fig. 9, may include:
The reference adjustment module 91 is configured to obtain a target operating parameter, and adjust a first operating parameter of a first firmware storage space of a computer device to the target operating parameter, so that a motherboard controller of the computer device switches from a hardware ordering mode to a software ordering mode;
in one possible implementation, the reference adjustment module 91 may include:
A target state parameter obtaining unit, configured to obtain a first target state parameter of a first register for a first firmware storage space of a computer device, and a second target state parameter of a second register;
and the state parameter adjusting unit is used for updating the first state parameter of the first register to the first target state parameter and updating the second state parameter of the second register to the second target state parameter.
The write protection instruction receiving module 92 is configured to receive a write protection start instruction sent by the motherboard controller in the software ordering mode;
a write-protection execution module 93, configured to execute a write-protection operation for the second firmware storage space of the computer device in response to the write-protection start instruction.
In some embodiments, the data protection implementing apparatus provided by the present application may include:
The storage space dividing module is used for responding to a dividing request for the firmware storage space of the computer equipment and dividing the firmware storage space into a first firmware storage space and a second firmware storage space;
The data to be protected is written into the second firmware storage space by the module to be protected, and the data to be protected is obtained;
And in the running process of the application of the computer equipment, responding to the data writing request aiming at the first firmware storage space can be forbidden.
In still other embodiments, on the basis of the data protection implementing apparatus described in the above embodiments, as shown in fig. 10, the apparatus may further include:
a verification module 94, configured to verify whether a write-once protection operation for the second firmware storage space is successful;
The working parameter recovery module 95 is configured to recover, when the verification result of the verification module is yes, the current target working parameter of the first firmware storage space to the first working parameter, so that the motherboard controller switches from the software ordering mode to the hardware ordering mode for working;
And the data reading module 96 is configured to read the request data stored in the second firmware storage space in response to a data reading request for the second firmware storage space.
Referring to fig. 11, a schematic structural diagram of another alternative example of the data protection implementation apparatus provided in the present application, where the apparatus may be applicable to a motherboard controller of a computer device, as shown in fig. 11, the apparatus may include:
a sorting mode switching module 111, configured to determine that a first working parameter of a first firmware storage space of the firmware of the computer device is a target working parameter, and switch from a hardware sorting mode to a software sorting mode;
A write-protection initiation instruction acquisition module 112, configured to acquire a write-protection initiation instruction for initiating a write-once operation;
and the write protection starting instruction sending module 113 is configured to send the write protection starting instruction to the firmware, so that the firmware responds to the write protection starting instruction, and performs a write-once protection operation on a second firmware storage space of the firmware.
In some embodiments, the apparatus may further comprise:
The main board type identification reading module is used for reading a main board type identification recorded in an external interface memory, wherein the main board type identification is written into the external interface memory in a write-once protection mode in the main board configuration process of the computer equipment;
in one possible implementation, the apparatus may further include:
And the write protection starting instruction sending module is used for sending the write protection starting instruction to a microcontroller of the computer equipment, so that the microcontroller responds to the write protection starting instruction, performs one-time write protection operation aiming at the external interface memory, and writes the main board type identifier into the external interface memory.
The main board configuration module is used for responding to a main board configuration request and realizing the main board configuration of the computer equipment according to the main board configuration specification corresponding to the main board type identifier; and/or the number of the groups of groups,
And the main board configuration detection module is used for responding to a main board configuration detection request, detecting the main board type identifier as a target identifier, and detecting main board configuration information of the computer equipment according to main board configuration specifications corresponding to the target identifier.
It should be noted that, regarding the various modules, units, and the like in the foregoing embodiments of the apparatus, the various modules and units may be stored as program modules in a memory, and the processor executes the program modules stored in the memory to implement corresponding functions, and regarding the functions implemented by each program module and the combination thereof, and the achieved technical effects, reference may be made to descriptions of corresponding parts of the foregoing method embodiments, which are not repeated herein.
The present application also provides a storage medium on which a computer program can be stored, which computer program can be called and loaded by a processor to implement the steps of the data protection implementation method described in the above embodiments.
Referring to fig. 12, for implementing an alternative architecture of a computer device for implementing a data protection implementation method according to the present application, the computer device may include: a main board 121, and a firmware 122 and a main board controller 123 provided in the main board 121, wherein:
Motherboard 121, also called a motherboard, system board, or motherboard, is mounted within the chassis and is one of the most basic and important components of a computer device. The main board 121 is a generally rectangular circuit board, on which the main circuit systems of the computer device, such as BIOS chips, I/O control chips, keyboard and panel control switch interfaces, indicator light connectors, expansion slots, and dc power connectors of the main board and cards, are mounted.
In practical application, the manufacturing quality of the motherboard is high and low, and the stability of the hardware system is determined. And the chips of the motherboard are typically motherboard chipsets that determine the specification, performance and general functionality of the motherboard, which in turn can affect the performance of the overall computer device system. Therefore, when the computer equipment is produced, the assembly of the mainboard chipset of the computer equipment can be realized according to the demands of markets, special clients and the like, and corresponding mainboard type identifiers are configured so as to realize the rapid detection and verification of the mainboard types subsequently, and the specific implementation process can be described with reference to the corresponding parts of the embodiment.
The firmware 122 in this embodiment may be a BIOS chip, which is called ROM-BIOS for short, is a basic input/output system of a ROM, and may provide a program of the lowest most direct hardware control for a computer device, and is a hub connected between a software program and a hardware device, and is responsible for solving the real-time requirement of hardware, and executing according to the operation requirement of software on hardware.
In the embodiment of the present application, in combination with the above description, the storage space, i.e. the BIOS SPI ROM, may be divided into two areas, i.e. the first firmware storage space (i.e. the RW area) and the second firmware storage space (i.e. the RO area), and after the BIOS important data is written into the RO area, the OTP operation is performed on the two areas, so as to implement permanent write protection on the stored data in the RO area, and for the specific implementation procedure of the OTP operation, reference may be made to the description of the corresponding parts of the above embodiment. It can be seen that the firmware 122 can load and execute a first program to implement the steps of the data protection implementation method described above from a firmware perspective.
The main board controller 123 may be the PCH above, and as the analysis described above may enter a software ordering manner, and send a complete write-protection start instruction to the BIOS to implement the OTP operation on the RO area in the BIOS, it can be seen that the main board controller 123 may load and execute a second program to implement each step of the data protection implementation method described from the perspective of the main board controller, and the specific implementation process is not described herein. And the application is not described in detail herein with respect to the functions that the PCH may implement in a computer device.
It should be understood that the structure of the computer device shown in fig. 12 does not limit the computer device in the embodiment of the present application, and in practical application, the computer device may include more or less components than those shown in fig. 12, or some components may be combined, and the microprocessor EC/eSIO, SPI chip, and other input devices, output devices, etc. shown in fig. 8 are not listed here.
Finally, it should be noted that, in the present description, each embodiment is described in a progressive or parallel manner, and each embodiment is mainly described as different from other embodiments, and identical and similar parts between the embodiments are only required to be referred to each other. For the apparatus and the computer device disclosed in the embodiments, the description is relatively simple, and the relevant places refer to the description of the method section because the apparatus and the computer device correspond to the methods disclosed in the embodiments.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A data protection implementation method, the method comprising:
Acquiring a target working parameter, and adjusting the first working parameter of a first firmware storage space of computer equipment to the target working parameter so that a main board controller of the computer equipment is switched from a hardware ordering mode to a software ordering mode to work; the first working parameters are key parameters influencing the work of the hardware ordering mode, and the target working parameters are key parameters guaranteeing the work of the software ordering mode;
receiving a write protection starting instruction sent by the main board controller in the software ordering mode;
Responsive to the write-protect initiation instruction, performing a write-once operation for a second firmware storage space of the computer device; the first firmware storage space is a read-write attribute, and the second firmware storage space is a read-only attribute.
2. The method of claim 1, prior to the performing the write-once protection operation for the second firmware storage space of the computer device, the method further comprising:
responsive to a partitioning request for a firmware storage space of the computer device, partitioning the firmware storage space into a first firmware storage space and a second firmware storage space;
Obtaining data to be protected, and writing the data to be protected into the second firmware storage space;
And in the running process of the application of the computer equipment, responding to the data writing request aiming at the first firmware storage space can be forbidden.
3. The method of claim 1, the obtaining the target operating parameter, adjusting the first operating parameter of the first firmware storage space of the computer device to the target operating parameter, comprising:
acquiring a first target state parameter of a first register aiming at a first firmware storage space of computer equipment and a second target state parameter of a second register;
Updating a first state parameter of the first register to the first target state parameter and updating a second state parameter of the second register to the second target state parameter.
4. A method according to any one of claims 1 to 3, the method further comprising:
verifying whether a write-once protection operation for the second firmware storage space is successful;
If the first firmware storage space is successful, the current target working parameters of the first firmware storage space are restored to the first working parameters, so that the mainboard controller is switched from the software ordering mode to the hardware ordering mode for working;
And responding to a data reading request aiming at the second firmware storage space, and reading request data stored in the second firmware storage space.
5. A data protection implementation method, the method comprising:
Determining that a first working parameter of a first firmware storage space of the computer equipment firmware is adjusted to be a target working parameter, and switching from a hardware ordering mode to a software ordering mode for working; the first working parameters are key parameters influencing the work of the hardware ordering mode, and the target working parameters are key parameters guaranteeing the work of the software ordering mode;
acquiring a write-protection starting instruction for starting a write-once protection operation;
Sending the write-protection starting instruction to the firmware so that the firmware responds to the write-protection starting instruction to execute one-time write-protection operation aiming at a second firmware storage space of the firmware; the first firmware storage space is a read-write attribute, and the second firmware storage space is a read-only attribute.
6. The method of claim 5, the method further comprising:
Reading a main board type identifier recorded in an external interface memory, wherein the main board type identifier is written into the external interface memory in a write-once protection mode in the main board configuration process of computer equipment;
Responding to a motherboard configuration request, and configuring the motherboard of the computer equipment according to motherboard configuration specifications corresponding to the motherboard type identifiers; or alternatively, the first and second heat exchangers may be,
And responding to a motherboard configuration detection request, detecting the motherboard type identifier as a target identifier, and detecting motherboard configuration information of the computer equipment according to motherboard configuration specifications corresponding to the target identifier.
7. The method of claim 6, the method further comprising:
And sending the write-protection starting instruction to a microcontroller of the computer equipment, so that the microcontroller responds to the write-protection starting instruction, performs one-time write-protection operation aiming at the external interface memory, and writes the main board type identifier into the external interface memory.
8. A data protection implementation apparatus, the apparatus comprising:
The system comprises a reference adjustment module, a hardware ordering mode, a software ordering mode and a control module, wherein the reference adjustment module is used for acquiring target working parameters and adjusting first working parameters of a first firmware storage space of computer equipment to the target working parameters so that a main board controller of the computer equipment can be switched from the hardware ordering mode to the software ordering mode to work; the first working parameters are key parameters influencing the work of the hardware ordering mode, and the target working parameters are key parameters guaranteeing the work of the software ordering mode;
The write protection instruction receiving module is used for receiving a write protection starting instruction sent by the main board controller in the software ordering mode;
The write protection execution module is used for responding to the write protection starting instruction and executing one-time write protection operation aiming at the second firmware storage space of the computer equipment; the first firmware storage space is a read-write attribute, and the second firmware storage space is a read-only attribute.
9. A data protection implementation apparatus, the apparatus comprising:
The ordering mode switching module is used for determining that a first working parameter of a first firmware storage space of the computer equipment firmware is a target working parameter, and switching from a hardware ordering mode to a software ordering mode to work; the first working parameters are key parameters influencing the work of the hardware ordering mode, and the target working parameters are key parameters guaranteeing the work of the software ordering mode;
The write-protection starting instruction acquisition module is used for acquiring a write-protection starting instruction for starting one-time write-protection operation;
The write protection starting instruction sending module is used for sending the write protection starting instruction to the firmware so that the firmware responds to the write protection starting instruction and performs one-time write protection operation on a second firmware storage space of the firmware; the first firmware storage space is a read-write attribute, and the second firmware storage space is a read-only attribute.
10. A computer device, the computer device comprising:
A main board;
firmware and a motherboard controller disposed in the motherboard, wherein:
the firmware is used for loading and executing a pre-stored first program to realize the steps of the data protection realizing method according to any one of claims 1-4;
The main board controller is configured to load and execute a pre-stored second program to implement the steps of the data protection implementation method according to any one of claims 5 to 7.
CN202010622280.5A 2020-06-30 2020-06-30 Data protection implementation method and device and computer equipment Active CN111783162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010622280.5A CN111783162B (en) 2020-06-30 2020-06-30 Data protection implementation method and device and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010622280.5A CN111783162B (en) 2020-06-30 2020-06-30 Data protection implementation method and device and computer equipment

Publications (2)

Publication Number Publication Date
CN111783162A CN111783162A (en) 2020-10-16
CN111783162B true CN111783162B (en) 2024-06-18

Family

ID=72761638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010622280.5A Active CN111783162B (en) 2020-06-30 2020-06-30 Data protection implementation method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN111783162B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117668859B (en) * 2024-01-31 2024-04-19 湖南博匠信息科技有限公司 VPX computing board card credit double-firmware starting method and system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017182089A1 (en) * 2016-04-21 2017-10-26 Huawei Technologies Co., Ltd. Method for write-protecting boot code if boot sequence integrity check fails

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7836219B1 (en) * 2004-02-10 2010-11-16 Pmc-Sierra Us, Inc. System and method for authentication of embedded RAID on a host RAID card
JP2007323488A (en) * 2006-06-02 2007-12-13 Seiko Epson Corp Data storage device and data access method
JP5342649B2 (en) * 2008-11-24 2013-11-13 サーティコム コーポレーション System and method for hardware-based security
CN103853566B (en) * 2012-11-30 2017-05-03 鸿富锦精密工业(深圳)有限公司 Basic input output system (BIOS) updating system and method
US20140297922A1 (en) * 2013-03-29 2014-10-02 Nitin V. Sarangdhar Method and apparatus for managing serial peripheral interface (spi) flash
EP2854066B1 (en) * 2013-08-21 2018-02-28 Nxp B.V. System and method for firmware integrity verification using multiple keys and OTP memory
CN105354009B (en) * 2015-10-14 2021-01-01 北京深思数盾科技股份有限公司 Protection method for firmware
US10397271B2 (en) * 2017-07-11 2019-08-27 Cisco Technology, Inc. Distributed denial of service mitigation for web conferencing
CN109361616B (en) * 2018-10-31 2022-05-31 晶晨半导体(上海)股份有限公司 Control method for improving network performance

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017182089A1 (en) * 2016-04-21 2017-10-26 Huawei Technologies Co., Ltd. Method for write-protecting boot code if boot sequence integrity check fails

Also Published As

Publication number Publication date
CN111783162A (en) 2020-10-16

Similar Documents

Publication Publication Date Title
US8751783B2 (en) Booting computing devices with EFI aware operating systems
CN109670319B (en) Server flash safety management method and system thereof
US7650556B2 (en) System and method for checking and correcting BIOS errors
CN111399919A (en) Starting method and system of server, electronic equipment and storage medium
CN107315616B (en) Firmware loading method and device and electronic equipment
US20150199190A1 (en) System and method for updating firmware
CN103377063A (en) Method and system for recovering unified extensible firmware interface (UEFI) pre-starting environment from legacy operation system environment
US10922071B2 (en) Centralized off-board flash memory for server devices
CN108345464A (en) A kind of the startup method and Android vehicle device of Android system
US8375198B2 (en) Boot system and method having a BIOS that reads an operating system from first storage device via an input/output chip based on detecting a temperature of a second storage device
CN111143132A (en) BIOS recovery method, device, equipment and readable storage medium
CN113672306B (en) Server component self-checking abnormity recovery method, device, system and medium
CN111783162B (en) Data protection implementation method and device and computer equipment
US20060206764A1 (en) Memory reliability detection system and method
CN114579971A (en) Starting method of safety control module and related device
CN114895845A (en) EMmC data storage control method and embedded mainboard
CN112394965B (en) Battery management system upgrade and operation method, controller, battery management system and storage medium
CN117130672A (en) Server start flow control method, system, terminal and storage medium
CN113867812B (en) Method, system, equipment and medium for BMC to acquire link information
CN113094107B (en) Data protection method, device, equipment and computer storage medium
CN113297010A (en) Firmware recovery method, device and system based on system on chip and storage medium
CN117574352B (en) Software and hardware combined anti-counterfeiting method, system, equipment and storage medium
CN111258805B (en) Hard disk state monitoring method and device for server and computer device
CN118093240A (en) Hard disk fault processing method, device, computer equipment, storage medium and program product
CN113127044A (en) BMC upgrading method and device and related components

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant