CN116340953A - Trusted application method of embedded device of multi-CPU board card and embedded device - Google Patents

Info

Publication number: CN116340953A
Authority: CN (China)
Prior art keywords: trusted, board card, embedded device, cpu, board
Legal status: Pending
Application number: CN202310267168.8A
Other languages: Chinese (zh)
Inventors: 缪海飞, 林青, 曹翔, 唐大圆, 陶耕宇, 陈宝鼎, 胡绍谦, 汤震宇
Current Assignee: NR Electric Co Ltd, NR Engineering Co Ltd
Original Assignee: NR Electric Co Ltd, NR Engineering Co Ltd
Application filed by NR Electric Co Ltd and NR Engineering Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575: Secure boot
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Multi Processors (AREA)

Abstract

The invention discloses a trusted application method for an embedded device with multiple CPU board cards, and the embedded device itself. The embedded device comprises a plurality of CPU board cards connected through a data bus; the CPU board cards are divided into a master trusted board card and a plurality of slave trusted board cards, and a trusted platform control module is installed on the master trusted board card. The method is executed by the trusted platform control module and comprises the following steps: after the power-on self-test of the trusted platform control module is finished, the operating system of the master trusted board card is booted; after the master trusted board card has started, the operating system of the slave trusted board cards is booted. The invention standardizes the trusted management flow of the embedded device with multiple CPU board cards and improves its security.

Description

Trusted application method of embedded device of multi-CPU board card and embedded device
Technical Field
The invention belongs to the technical field of embedded devices, and particularly relates to a trusted application method of an embedded device of a multi-CPU board card and the embedded device.
Background
Existing multi-CPU embedded devices rely mainly on boundary protection and lack security protection for application management on the equipment itself, which leads to the following defects: 1) during power-on, startup and operation, the device is easily attacked by a malicious program implanted in advance, so the system operating environment is unsafe; 2) it is difficult for a multi-CPU embedded device to control its individual CPU board cards centrally, so it is more vulnerable to virus programs, which affects the security of the equipment; 3) existing trusted application technology targets a single CPU board card, and applying it to an embedded device with multiple CPU board cards can cause confusion in trusted management.
Disclosure of Invention
To overcome these defects of the prior art, the invention provides a trusted application method for an embedded device with multiple CPU board cards, and the embedded device itself, which standardizes the trusted management flow of the embedded device and improves its security.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
In a first aspect, a trusted application method for an embedded device is provided. The embedded device includes a plurality of CPU board cards connected by a data bus; the CPU board cards are divided into a master trusted board card and a plurality of slave trusted board cards, and a trusted platform control module is installed on the master trusted board card. The method is executed by the trusted platform control module and includes: after the power-on self-test of the trusted platform control module is finished, booting the operating system of the master trusted board card; and after the master trusted board card has started, booting the operating system of the slave trusted board cards.
Further, a trusted agent is embedded in the operating system kernel of each CPU board card.
Further, each CPU board card is provided with a trusted software base for managing the application program white list of the CPU board card.
Further, the trusted platform control module is in communication with each slave trusted board card through a data bus and a proprietary protocol.
In a second aspect, an embedded device is provided, including a plurality of CPU boards connected by a data bus, where the CPU boards are divided into a master trusted board and a plurality of slave trusted boards, and a trusted platform control module is installed on the master trusted board.
Compared with the prior art, the invention has the beneficial effects that:
(1) The plurality of CPU board cards connected through a data bus are divided into a master trusted board card and a plurality of slave trusted board cards, and a trusted platform control module is installed on the master trusted board card. After the power-on self-test of the trusted platform control module is finished, the operating system of the master trusted board card is booted; after the master trusted board card has started, the operating system of the slave trusted board cards is booted. This standardizes the trusted management flow of the embedded device with multiple CPU board cards and improves its security;
(2) The trusted platform control module performs its power-on self-test first, which ensures the trustworthiness of the hardware environment in which the system runs and avoids attacks by implanted malicious programs;
(3) The trusted platform control module supports the control function of the trusted software base and provides an operating environment for the trusted software base;
(4) The trusted management function of the trusted platform control module is synchronized over an internal bus and a private protocol; the trusted platform control module measures all CPU board cards through the bus, which ensures the trustworthiness of the hardware environment of every board card;
(5) Whitelist management of application programs is performed by the trusted software base on each board card, which prevents malicious processes outside the whitelist from starting.
Drawings
Fig. 1 is a schematic diagram of a trusted application method of an embedded device of a multi-CPU board card according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present invention, and are not intended to limit the scope of the present invention.
As shown in Fig. 1, in the trusted application method of an embedded device with multiple CPU board cards, the embedded device includes a plurality of CPU board cards connected through a data bus. The CPU board cards are divided into a master trusted board card and a plurality of slave trusted board cards, and a Trusted Platform Control Module (TPCM) is installed on the master trusted board card. The method is executed by the trusted platform control module and includes: after the power-on self-test of the trusted platform control module is finished, the operating system of the master trusted board card is booted; after the master trusted board card has started, the operating system of the slave trusted board cards is booted.
After the embedded device is powered on, the TPCM integrated on the master trusted board card powers up and runs its self-test. Once the state check is complete, the TPCM boots uboot on the master trusted board card and hands control to the CPU of the master trusted board card; it then acts as a control device and provides trusted services for the computing process. Throughout the whole process from system startup to normal operation of the device, the TPCM works independently, in parallel with the computing components of the device and unaffected by them. The TPCM supports the trusted computing functions of the whole device and ensures the trustworthiness of the hardware environment in which the system runs. Because the operating system of the master trusted board card is started through the TPCM, the operating environment of the master trusted board card is trustworthy after power-on.
After the embedded device is powered on, the slave trusted board cards are physically connected to the master trusted board card through the dedicated data bus. After the TPCM self-test is finished, uboot on each slave trusted board card is booted through a private protocol, and after the trusted measurement is complete, control is handed to the CPU of the slave trusted board card. The master and slave trusted board cards are connected through an internal data bus, and the measurement and control functions of the TPCM are synchronized over this bus, so that the TPCM actively measures the operating system of each slave trusted board card after power-on and the operating environment of the slave trusted board card is trustworthy after it powers on.
The TPCM supports the control function of the trusted software base. The trusted software base provides a trusted software running environment for the system software and application programs on its own board card and, with the support of the TPCM, actively measures system software and application software.
A trusted software base is installed on the master and slave trusted board cards. Its measurement function performs trusted management of the application programs the device requires: the application programs needed for normal operation of the device are added to the whitelist management catalog, which prevents malicious processes outside the whitelist from starting and protects the equipment against attacks such as the launch of malicious programs during operation. Application programs in the invention include binary executable programs, scripts and the like. When the measurement result of hardware, system software or an application program is found to be inconsistent with the expected result, the measurement result is recorded and an alarm is raised.
The embedded device with multiple CPU board cards shares the root of trust of the master trusted board card. This single source of trust ensures a trusted running environment for the device, greatly improves its endogenous security defense capability, simplifies the trusted management flow of the multi-CPU embedded device, and further improves the security and usability of the device.
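The boot order and whitelist enforcement described above, modelled as an added example (not code from the patent). SHA-256 as the measurement, withholding CPU control on a mismatch, and all names (`TPCM`, `Board`, `tsb_launch`, the sample images) are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def measure(image: bytes) -> str:
    # SHA-256 is an assumption; the page names no measurement algorithm.
    return hashlib.sha256(image).hexdigest()

@dataclass
class Board:
    name: str
    uboot: bytes                  # boot image measured before CPU release
    whitelist: set = field(default_factory=set)  # TSB: allowed app digests
    released: bool = False        # set once the TPCM hands over control

class TPCM:
    """Single root of trust on the master board card (hypothetical model)."""
    def __init__(self, expected):
        self.expected = expected  # board name -> expected uboot digest
        self.alarms = []          # recorded mismatches: (board, kind)
        self.self_test_ok = False

    def power_on_self_test(self):
        self.self_test_ok = True  # stands in for the hardware self-check
        return True

    def _release(self, board):
        if measure(board.uboot) != self.expected.get(board.name):
            self.alarms.append((board.name, "uboot"))
            return False          # assumption: control withheld on mismatch
        board.released = True
        return True

    def boot(self, master, slaves):
        # Order from the page: self-test, then master, then each slave.
        if not self.self_test_ok or not self._release(master):
            return []
        return [master.name] + [s.name for s in slaves if self._release(s)]

def tsb_launch(board, app, alarms):
    # Per-board trusted software base: only whitelisted digests may start.
    if board.released and measure(app) in board.whitelist:
        return True
    alarms.append((board.name, "app"))
    return False

def demo():
    good, bad = b"uboot (constructed)", b"uboot + implant (constructed)"
    app = b"#!/bin/sh\nrelay_app --run\n"     # constructed whitelisted script
    tpcm = TPCM({n: measure(good) for n in ("master", "slave1", "slave2")})
    master = Board("master", good, {measure(app)})
    slave1 = Board("slave1", good, {measure(app)})
    slave2 = Board("slave2", bad)             # tampered boot image
    early = tpcm.boot(master, [slave1, slave2])   # before the self-test
    tpcm.power_on_self_test()
    order = tpcm.boot(master, [slave1, slave2])
    ok = tpcm.launch_ok = tsb_launch(slave1, app, tpcm.alarms)
    blocked = tsb_launch(slave1, b"unlisted binary (constructed)", tpcm.alarms)
    return early, order, ok, blocked, tpcm.alarms
```

`demo()` shows that nothing is released before the self-test, that the tampered slave is never handed control, and that both the boot mismatch and the unlisted application end up in the alarm record.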
The invention also provides an embedded device, which comprises a plurality of CPU boards connected through a data bus, wherein the CPU boards are divided into a master trusted board and a plurality of slave trusted boards, and a trusted platform control module is arranged on the master trusted board. The operating system kernel of each CPU board is embedded with a trusted agent. And each CPU board card is provided with a trusted software base for managing the application program white list of the CPU board card. The trusted platform control module is connected with each slave trusted board card through a data bus and a private protocol.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (8)

1. A trusted application method for an embedded device, characterized in that the embedded device comprises a plurality of CPU board cards connected through a data bus, the CPU board cards are divided into a master trusted board card and a plurality of slave trusted board cards, a trusted platform control module is installed on the master trusted board card, and the method is executed by the trusted platform control module and comprises the following steps:
after the power-on self-test of the trusted platform control module is finished, the operating system of the master trusted board card is booted;
after the master trusted board card has started, the operating system of the slave trusted board cards is booted.
2. The method of claim 1, wherein a trusted agent is embedded in an operating system kernel of each CPU board.
3. The method of claim 1, wherein each of the CPU boards has a trusted software base installed thereon for managing a white list of applications on the CPU board.
4. The method of claim 1, wherein the trusted platform control module is in communication with each slave trusted board card via a data bus and a proprietary protocol.
5. An embedded device, characterized by comprising a plurality of CPU boards connected through a data bus, wherein the CPU boards are divided into a master trusted board and a plurality of slave trusted boards, and a trusted platform control module is installed on the master trusted board.
6. The embedded device of claim 5, wherein a trusted agent is embedded in an operating system kernel of each of the CPU boards.
7. The embedded device of claim 5, wherein each of the CPU boards has a trusted software base installed thereon for managing a white list of applications for the CPU board.
8. The embedded device of claim 5, wherein the trusted platform control module is in communication with each slave trusted board card via a data bus and a proprietary protocol.

Priority Applications (1)

Application number: CN202310267168.8A
Priority date: 2023-03-20
Filing date: 2023-03-20
Title: Trusted application method of embedded device of multi-CPU board card and embedded device
Status: Pending
Publication: CN116340953A (en), published 2023-06-27
Family ID: 86883326
Country status: CN


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination