CN116561734A - Verification method, verification device, computer and computer configuration system - Google Patents

Publication number
CN116561734A
Authority
CN
China
Prior art keywords
bios
computer
digital certificate
public key
verification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310511593.7A
Other languages
Chinese (zh)
Inventor
郑臣明
吴宗友
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiments of the application provide a verification method, a verification device, a computer and a computer configuration system. The verification method comprises: in response to a power-on startup instruction of the computer, the processor reads a BIOS code and BIOS verification information from a BIOS chip of the computer, wherein the BIOS code stores a unique identifier of the computer hardware of the computer; the processor performs BIOS code security verification according to the BIOS code and the BIOS verification information; if the BIOS code security verification passes, the processor runs the BIOS code to begin the power-on initialization of the computer, which includes verifying the computer hardware; and, in the process of verifying the computer hardware, the processor verifies whether the computer hardware of the computer is legitimate according to the unique identifier of the computer hardware pre-stored in the BIOS code. Through this two-way verification at the power-on startup stage (BIOS code security verification and computer hardware validity verification), the embodiments guarantee the reliability of computer verification and thereby improve the security of the computer.

Description

Verification method, verification device, computer and computer configuration system
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a verification method, a verification device, a computer and a computer configuration system.
Background
To ensure normal and stable operation of a computer, the computer needs to be verified when it is powered on and started, and the startup of the computer operating system is allowed to complete only after the computer passes the verification. Since computer verification is an important means of ensuring normal and stable operation of a computer, how to improve the reliability of computer verification has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the embodiments of the present application provide a verification method, device, computer and computer configuration system, so as to verify the security of the BIOS code prior to verifying the computer by using the BIOS code, and add validity verification to computer hardware when verifying the computer, thereby ensuring the reliability of computer verification through bidirectional verification (BIOS code security verification and computer hardware validity verification).
In order to achieve the above purpose, the embodiments of the present application provide the following technical solutions.
In a first aspect, an embodiment of the present application provides a verification method, including:
in response to a power-on startup instruction of a computer, reading a BIOS code and BIOS verification information from a BIOS chip of the computer, wherein the BIOS code pre-stores a unique identifier of the computer hardware of the computer;
performing BIOS code security verification according to the BIOS code and the BIOS verification information;
if the BIOS code security verification passes, running the BIOS code to begin the power-on initialization of the computer, which includes verifying the computer hardware;
in the process of verifying the computer hardware, verifying whether the computer hardware of the computer is legitimate according to the unique identifier of the computer hardware pre-stored in the BIOS code.
In a second aspect, an embodiment of the present application provides an authentication apparatus, including:
the information reading module is used for responding to a power-on starting instruction of the computer, reading a BIOS code and BIOS verification information from a BIOS chip of the computer, wherein the BIOS code is pre-stored with a unique identifier of computer hardware of the computer;
the BIOS verification module is used for carrying out BIOS code security verification according to the BIOS code and the BIOS verification information;
the code running module is used for running the BIOS code to begin the power-on initialization of the computer if the BIOS code security verification passes, wherein the power-on initialization includes verifying the computer hardware;
and the hardware verification module is used for verifying, in the process of verifying the computer hardware, whether the computer hardware of the computer is legitimate according to the unique identifier of the computer hardware pre-stored in the BIOS code.
In a third aspect, embodiments of the present application provide a computer, comprising: a processor and a BIOS chip; wherein the processor is configured to perform the verification method according to the first aspect, the BIOS chip has a BIOS code and BIOS verification information, wherein the BIOS code is pre-stored with a unique identifier of computer hardware of the computer.
In a fourth aspect, embodiments of the present application provide a computer configuration system, including: a BIOS configuration device system and a digital certificate device system; the digital certificate device system is used to configure information for a processor and a BIOS chip to be configured in the computer, and the computer is a computer according to the third aspect.
With the verification method provided by the embodiments of the present application, the processor in the computer performs security verification on the BIOS code when the computer is powered on and started. In response to the power-on startup instruction of the computer, the processor reads the BIOS code and the BIOS verification information from the BIOS chip of the computer, wherein the BIOS code pre-stores the unique identifier of the computer hardware of the computer; the processor then performs BIOS code security verification according to the BIOS code and the BIOS verification information; after the BIOS code security verification passes, the processor may run the read BIOS code to begin the power-on initialization of the computer, which includes verifying the computer hardware; and, in the process of verifying the computer hardware, the processor can verify whether the computer hardware of the computer is legitimate according to the unique identifier of the computer hardware pre-stored in the BIOS code. The verification method therefore achieves, at the power-on startup stage of the computer, both security verification of the BIOS code by the processor and validity verification of the computer hardware once the BIOS code is running.
Therefore, through the two-way verification of BIOS code security verification and computer hardware validity verification at the power-on startup stage, the embodiments of the present application guarantee the reliability of computer verification, so that whether the computer has been attacked and tampered with (including both the case where the BIOS code has been attacked and tampered with and the case where the computer hardware has been attacked and tampered with) is comprehensively detected, the security risk of running a computer that has been attacked and tampered with is avoided, and the security of the computer is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
Fig. 1 is a block diagram of a computer configuration system provided in an embodiment of the present application.
Fig. 2 is a flowchart of a computer configuration method provided in an embodiment of the present application.
Fig. 3 is an exemplary diagram of information burned by the processor and the BIOS chip in the embodiment of the present application.
Fig. 4 is a flowchart of a verification method provided in an embodiment of the present application.
Fig. 5 is another flowchart of a verification method provided in an embodiment of the present application.
Fig. 6 is a block diagram of an authentication apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
When the computer is powered on and started, the processor in the computer can load and run the BIOS (Basic Input Output System) code and, through the power-on self-test program of the BIOS, perform function detection on computer hardware such as the processor, the memory, the graphics card, the hard disk and the motherboard, so that the computer is verified at power-on startup by detecting whether the functions of the computer hardware are normal. The BIOS is a group of programs solidified in a BIOS chip (such as a Flash chip) and stores the basic input and output programs, system setting information, power-on self-test program, system self-starting program and the like of the computer; the BIOS chip may be disposed on the computer motherboard. As software that runs when the computer is started, the BIOS provides the lowest-level, most direct hardware setting and control for the computer, and is a bridge connecting the underlying hardware system and the software system.
Given the importance of the BIOS, if the BIOS has a problem, the computer may fail to start normally, and the computer may even be manipulated and information in the computer stolen because a hacker has embedded a virus in the BIOS. Because the BIOS has the function of verifying the computer when the computer is powered on and started, to ensure the reliability of computer verification, the security of the BIOS code (BIOS code security, such as BIOS code legitimacy and integrity) can be verified before the computer is verified by using the BIOS code.
The inventors of the present application considered using a remote server to perform security verification on the BIOS code of the computer when the computer is powered on and started, and then, after the BIOS code passes security verification, using the BIOS code to verify the computer, so that computer verification is performed at power-on startup.
The above manner of performing security verification on the BIOS code is a remote verification manner, that is, the remote server serving as the verifier is located remotely from the computer. This may introduce security risks into the security verification of the BIOS code, and therefore makes the reliability of BIOS-based computer verification difficult to guarantee.
Specifically, the reliability of the remote server is difficult to guarantee, so the reliability of its security verification result for the computer's BIOS code is difficult to guarantee, and hence so is the reliability of the BIOS-based computer verification result. For example, key devices in the remote server, such as its processor and hard disk, may be replaced without this affecting the result of the remote server's security verification of the computer's BIOS code; if the replacement processor carries a Trojan horse and the replacement hard disk has illegal software installed, then, with key devices of the remote server insecure, the accuracy of the remote server's BIOS code security verification result is difficult to ensure, and so is the reliability of the BIOS-based computer verification result.
In addition, when the BIOS is verified by the remote server, BIOS related data in the computer needs to be remotely transmitted to the remote server, which increases the risk of interception of the computer data during transmission.
Based on this, the embodiments of the present application consider that when a computer is powered on and booted, a processor (e.g., a CPU) in the computer is used to perform security verification on the BIOS code, so that after the security verification of the BIOS code is passed, the processor may run the BIOS code to verify the computer by using the BIOS code. That is, the verification party of the BIOS code is changed from a remote server to a processor local to the computer, so that the potential safety hazard existing in the remote verification of the BIOS code is reduced. Meanwhile, considering the possibility that computer hardware such as a processor and a hard disk in a computer is illegally replaced and tampered, in the embodiment of the application, when the computer is verified by using the BIOS code, in addition to performing function detection of the computer hardware, verification of validity of the computer hardware such as the processor and the hard disk in the computer (for example, whether the computer hardware such as the processor and the hard disk in the computer is illegally replaced and tampered is detected) is added, so that the reliability of the computer verification is ensured by a bidirectional verification mode (the security verification of the BIOS code of the local computer and the validity verification of the computer hardware based on the BIOS code).
Based on the above idea, and taking as an optional implementation the case where BIOS code security verification includes BIOS code validity verification and BIOS code integrity verification, the embodiments of the present application may, when configuring a computer, burn a unique identifier of the computer hardware into the BIOS code of the BIOS chip to be configured in the computer, and burn BIOS verification information used for BIOS code security verification into the BIOS chip. In an optional implementation, the BIOS verification information may include at least digital signature information, which is the result of encrypting the BIOS digest corresponding to the BIOS code with the BIOS private key; in a further optional implementation, the BIOS verification information may further include digital certificate information, which is the result of encrypting the BIOS public key with the digital certificate private key, the BIOS public key corresponding to the BIOS private key.
As an optional implementation, when configuring the computer, the embodiments of the present application may also burn the digital certificate public key corresponding to the digital certificate private key into the processor (for example, a CPU) to be configured in the computer. Thus, once the computer has been configured and is powered on and started, the processor in the computer can decrypt the digital certificate information of the BIOS chip with the pre-burned digital certificate public key to obtain the BIOS public key; the processor can then decrypt the digital signature information of the BIOS chip with the BIOS public key. The decryption of the digital certificate information with the digital certificate public key and the decryption of the digital signature information with the BIOS public key together implement a two-level BIOS code legitimacy verification.
After the validity of the BIOS code is verified, the processor can verify whether the BIOS code is complete based on the BIOS digest obtained from the digital signature information, thereby implementing the integrity verification of the BIOS code. After both the validity verification and the integrity verification of the BIOS code pass, the processor can confirm that the BIOS code security verification has passed, and can run the BIOS code to begin the power-on initialization of the computer. During power-on initialization, the processor can use the BIOS code to verify the computer hardware (for example, through the power-on self-test program of the BIOS code) and, in the process of verifying the computer hardware, verify the validity of the computer hardware against the unique identifier of the computer hardware pre-stored in the BIOS code. Combining the BIOS code security verification before the BIOS code runs with the computer hardware validity verification while the BIOS code runs implements two-way verification at the power-on startup stage of the computer and provides support for improving the reliability of computer verification.
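The check order described above (certificate, signature, digest, then hardware identifiers), as an added example that is not code from the patent. Textbook RSA over fixed, publicly known Mersenne primes stands in for the SM2 or RSA signing the text mentions and is for demonstration only; the `BIOSCHK1` marker, the `HWID name=id` lines, the identifier values and all function names are assumptions.

```python
import hashlib

E = 65537                  # public exponent shared by every toy key here
TAG = b"\x01BIOSCHK1"      # constructed marker: lets a wrong key be detected


def keypair(p_exp, q_exp):
    """Textbook RSA key from two Mersenne primes (public values, demo only)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus, private exponent)


def private_encrypt(payload, n, d):
    """'Encrypt with the private key', the patent's wording for signing."""
    m = int.from_bytes(TAG + payload, "big")
    if m >= n:
        raise ValueError("payload too long for this key")
    return pow(m, d, n)


def public_decrypt(blob, n):
    """Recover the payload with a public key; None when key or blob is wrong."""
    m = pow(blob, E, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(TAG):] if raw.startswith(TAG) else None


def provision(bios_code, ca_key, bios_key):
    """Configuration stage: the three items burned into the BIOS chip."""
    bios_n, bios_d = bios_key
    digest = hashlib.sha256(bios_code).digest()
    n_bytes = bios_n.to_bytes((bios_n.bit_length() + 7) // 8, "big")
    return {
        "code": bios_code,
        "signature": private_encrypt(digest, bios_n, bios_d),   # signed digest
        "certificate": private_encrypt(n_bytes, *ca_key),       # signed BIOS key
    }


def verify_bios(chip, rom_ca_n):
    """Processor-side check, using only the certificate key held in CPU ROM."""
    pub = public_decrypt(chip["certificate"], rom_ca_n)
    if pub is None:
        return "certificate rejected"
    signed_digest = public_decrypt(chip["signature"], int.from_bytes(pub, "big"))
    if signed_digest is None:
        return "signature rejected"
    if signed_digest != hashlib.sha256(chip["code"]).digest():
        return "integrity check failed"
    return "ok"


def stored_hw_ids(bios_code):
    """Parse the constructed 'HWID name=id' lines embedded in the BIOS image."""
    ids = {}
    for line in bios_code.decode("utf-8", "replace").splitlines():
        if line.startswith("HWID "):
            name, _, value = line[5:].partition("=")
            ids[name] = value
    return ids


def verify_hardware(bios_code, detected):
    """Names of components whose detected ID differs from the stored one."""
    expected = stored_hw_ids(bios_code)
    return sorted(k for k in expected if detected.get(k) != expected[k])


def power_on(chip, rom_ca_n, detected):
    """Two-way verification: BIOS code first, hardware identifiers second."""
    status = verify_bios(chip, rom_ca_n)
    if status != "ok":
        return "halt: " + status               # the BIOS code is never run
    mismatched = verify_hardware(chip["code"], detected)
    if mismatched:
        return "halt: hardware mismatch " + ",".join(mismatched)
    return "boot"


# Constructed sample data: a fake BIOS image with embedded hardware identifiers.
BIOS_CODE = b"init chipset\nHWID cpu=CPU-0001\nHWID disk=DISK-7788\nrun POST\n"
CA_KEY = keypair(1279, 2203)    # certificate key pair; modulus burned in CPU ROM
BIOS_KEY = keypair(521, 607)    # BIOS vendor key pair
CHIP = provision(BIOS_CODE, CA_KEY, BIOS_KEY)
ROM_CA_N = CA_KEY[0]
DETECTED = {"cpu": "CPU-0001", "disk": "DISK-7788"}

if __name__ == "__main__":
    print(power_on(CHIP, ROM_CA_N, DETECTED))
    modified = dict(CHIP, code=BIOS_CODE.replace(b"init", b"skip"))
    print(power_on(modified, ROM_CA_N, DETECTED))
    print(power_on(CHIP, ROM_CA_N, dict(DETECTED, disk="DISK-0000")))
```

The `TAG` prefix plays the role that signature padding plays in a real scheme: without some redundancy in the signed message, decrypting with the wrong public key would yield a value that cannot be told apart from a valid one.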
As an optional implementation, fig. 1 schematically illustrates an optional block diagram of a computer configuration system provided in an embodiment of the present application. By configuring the BIOS chip and the processor to be configured in the computer at the computer configuration stage (e.g. during assembly and manufacturing of the computer), the computer configuration system shown in fig. 1 provides a basis for the bidirectional verification of the embodiments of the present application (security verification of the BIOS code local to the computer and validity verification of the computer hardware based on the BIOS).
As shown in fig. 1, the computer configuration system may include a BIOS configuration device system 110 and a digital certificate device system 120. For the BIOS chip and processor that have been determined for the computer, the BIOS configuration device system 110 may configure information for the BIOS chip to be configured in the computer, and the digital certificate device system 120 may configure information for the processor and the BIOS chip to be configured in the computer.
Where the configuration of the computer has been determined, the computer may include the BIOS chip of the determined configuration and a plurality of computer hardware components, including a processor (CPU) and other computer hardware such as a hard disk, memory and other hardware devices. In one example, when the BIOS chip, the processor and the other computer hardware are produced, the computer into which they are to be configured and assembled may be determined, so that the configuration of the computer is determined. For example, the BIOS chip, the processor and the other computer hardware have a determined association in the production stage and are subsequently configured into the same computer based on that association (e.g., subsequently assembled into the same computer based on the association).
The BIOS configuration device system 110 may be a device system responsible for configuring information of BIOS chips to be configured for a computer, and the device system may be composed of one or more devices. Optionally, the BIOS configuration device system 110 may generate a BIOS public key and a BIOS private key, and store in the BIOS code a unique identification of computer hardware to be configured by the computer; thus, the BIOS configuration device system 110 may encrypt the BIOS digest corresponding to the BIOS code using the BIOS private key to obtain digital signature information; also, the BIOS configuration device system 110 may obtain digital certificate information from the digital certificate device system 120; further, the BIOS configuration device system 110 may burn the BIOS code, the digital signature information, and the digital certificate information into a BIOS chip to be configured by the computer.
The BIOS configuration device system has information configuration and control authority of the BIOS chip. In some embodiments, the BIOS configuration device system may be a device system used by a provider of BIOS chips, for example, a BIOS vendor device system (e.g., a service device system such as a server of a BIOS vendor), a motherboard vendor device system (e.g., a service device system such as a server of a motherboard vendor), and so on.
The digital certificate device system 120 may be a trusted CA (Certificate Authority) device system, or may be implemented by a processor vendor device system where the processor vendor can be trusted. Optionally, the digital certificate device system 120 may generate a digital certificate private key and a digital certificate public key, where the digital certificate private key may be used to encrypt the BIOS public key to generate the digital certificate information, and the digital certificate public key may be burned into the processor (CPU) to be configured in the computer; for example, the digital certificate public key may be burned into an internal ROM (Read Only Memory) of the processor and solidified.
Optionally, the digital certificate device system may implement the following functions: issuing digital certificate information, which mainly proves that a user's public key is valid; for example, the digital certificate information can list the user and the user's public key and prove that the user legitimately holds the listed public key. In addition, the digital certificate device system is also responsible for checking the validity of public keys in the public key system. In some embodiments, the digital certificate device system may be a CA device system used by a CA, such as a service device system of a CA server; the CA is a third-party digital certificate issuing authority and needs to be trusted by the processor vendor and the BIOS vendor. In other embodiments, if the processor vendor and the BIOS vendor trust each other, the digital certificate device system may be implemented by a processor vendor device system, such as a service device system of a server of the processor vendor.
Based on the computer configuration system shown in fig. 1, in the computer configuration stage (for example, the computer assembly and device manufacturing stage), once the BIOS chip and the computer hardware to be configured in the computer have been determined, the BIOS code (including the unique identifier of the computer hardware), the digital signature information and the digital certificate information are burned and solidified in the BIOS chip, and the digital certificate public key is burned and solidified in the processor (for example, in the ROM of the processor), so as to provide a basis for the bidirectional verification in the embodiments of the present application.
As an optional implementation, fig. 2 illustrates an optional flowchart of a computer configuration method provided in an embodiment of the present application; referring to fig. 2, the flow may be implemented by a BIOS configuration device system and a digital certificate device system. In an optional implementation, the BIOS configuration device system may be a device system that has information configuration and control authority over the BIOS chip in the computer configuration stage, such as a BIOS vendor device system or a motherboard vendor device system; the digital certificate device system may be a trusted device system having authority to issue digital certificate information, such as a CA device system or a processor vendor device system. Referring to fig. 2, the method flow may include the following steps.
In step S210, the BIOS configuration device system generates a BIOS public key and a BIOS private key.
In this embodiment of the present application, the BIOS private key is used to encrypt a BIOS code of the BIOS chip, and the BIOS public key is a decryption key corresponding to the BIOS private key.
In an optional implementation, the BIOS configuration device system may use a key generation tool to invoke a key algorithm and generate a signing public/private key pair consisting of a BIOS public key and a BIOS private key. The key algorithms used by the key generation tool include, but are not limited to, asymmetric encryption algorithms. Asymmetric encryption algorithms are, for example, large-integer factorization algorithms, which include but are not limited to RSA, DSA, ECDSA and Rabin, or discrete logarithm algorithms, which include but are not limited to DH, DSA, ECC, ECDH, SM and SM9.
In one implementation example, taking the BIOS configuration device system to be a BIOS vendor device system and using the SM2 algorithm, a BIOS vendor may run an SM2 key generation tool on the BIOS vendor device system to generate a signing public/private key pair: a BIOS vendor public key and a BIOS vendor private key. Where a BIOS vendor device system is used as the BIOS configuration device system, the BIOS vendor public key is an optional form of the BIOS public key, and the BIOS vendor private key is an optional form of the BIOS private key. Of course, the BIOS configuration device system may also be a motherboard vendor device system, in which case the generated BIOS public key is, for example, a motherboard vendor public key, and the BIOS private key is, for example, a motherboard vendor private key. Note that the SM2 algorithm is an asymmetric algorithm; it is a public key cryptographic algorithm based on elliptic curve cryptography and includes a digital signature algorithm, a key negotiation protocol, a public key encryption algorithm, and the like.
In step S211, the BIOS configuration device system transmits the BIOS public key to the digital certificate device system.
After generating the BIOS public key and the BIOS private key, the BIOS configuration device system may send the BIOS public key to the digital certificate device system, so that the digital certificate device system can authenticate the legitimacy of the BIOS public key. In a further optional implementation, the BIOS configuration device system may keep the BIOS private key secure, for example by saving it in a secure server corresponding to the BIOS configuration device system. As an implementation example, taking the BIOS configuration device system to be a BIOS vendor device system, the BIOS vendor private key (an example of a BIOS private key) may be stored securely in a security server of the BIOS vendor, and the BIOS vendor public key (an example of a BIOS public key) may be sent to the digital certificate device system.
In step S212, the digital certificate device system generates a digital certificate public key and a digital certificate private key; the digital certificate public key is burnt in a processor to be configured by the computer.
In an alternative implementation, the digital certificate device system may use a key generation tool to invoke a key algorithm and generate a signature public/private key pair comprising a digital certificate public key and a digital certificate private key. For the types of key algorithm the key generation tool may use, refer to the description of the corresponding parts above.
In one implementation example, taking the digital certificate device system as a CA device system and the SM2 algorithm as the key algorithm, the CA device system may run an SM2 key generation tool to generate a signature public/private key pair: a CA center public key and a CA center private key. When the CA device system serves as the digital certificate device system, the CA center public key is an alternative form of the digital certificate public key, and the CA center private key is an alternative form of the digital certificate private key.
In another implementation example, taking the digital certificate device system as a processor vendor device system and the SM2 algorithm as the key algorithm, the processor vendor may run an SM2 key generation tool on the processor vendor device system to generate a signature public/private key pair: a processor vendor public key and a processor vendor private key. When the processor vendor device system serves as the digital certificate device system, the processor vendor public key is an alternative form of the digital certificate public key, and the processor vendor private key is an alternative form of the digital certificate private key.
Of the digital certificate public key and digital certificate private key generated by the digital certificate device system, the digital certificate private key can be used to encrypt the BIOS public key so as to perform validity authentication on the BIOS public key, thereby expressing that the provider of the BIOS chip (a BIOS vendor, a motherboard vendor, or the like) legally owns the BIOS public key. The digital certificate public key can be burned into the ROM of the processor to be configured in the computer and fixed there. Once the processor chip has been produced, the data in the ROM of the processor is fixed and cannot be modified, which ensures the security of the digital certificate public key burned into the processor.
In an alternative implementation example, if the digital certificate device system is a CA device system, the CA device system may send the CA center public key to the processor vendor device system, so that the processor vendor can, on the processor production line, burn the CA center public key obtained by the processor vendor device system into the ROM of the processor to be configured in the computer and fix it there. In an alternative implementation example, if the digital certificate device system is a processor vendor device system, the processor vendor can, on the processor production line, burn the processor vendor public key generated by the processor vendor device system into the ROM of the processor to be configured in the computer and fix it there.
In step S213, the digital certificate device system encrypts the BIOS public key according to the digital certificate private key to generate digital certificate information.
After generating the digital certificate public key and the digital certificate private key and receiving the BIOS public key transmitted by the BIOS configuration device system, the digital certificate device system can perform validity authentication on the BIOS public key. In the embodiment of the application, the digital certificate device system may encrypt the BIOS public key according to the digital certificate private key to generate digital certificate information, and the digital certificate information expresses the validity authentication result of the BIOS public key. In an alternative implementation, the digital certificate device system may invoke a key algorithm, such as the SM2 algorithm, to encrypt the BIOS public key with the digital certificate private key, thereby generating the digital certificate information.
In one implementation example, taking the digital certificate device system as a CA device system and the BIOS configuration device system as a BIOS vendor device system as examples, the CA device system may call a key algorithm such as SM2 algorithm, and encrypt a BIOS vendor public key (an example of a BIOS public key) with a CA center private key (an example of a digital certificate private key) to generate digital certificate information of the BIOS vendor, so that the digital certificate information expresses that the BIOS vendor legitimately owns the BIOS vendor public key.
In another implementation example, taking the digital certificate device system as a processor vendor device system and the BIOS configuration device system as a BIOS vendor device system as examples, the processor vendor device system may call a key algorithm such as SM2 algorithm, and encrypt a BIOS vendor public key (an example of a BIOS public key) with a processor vendor private key (an example of a digital certificate private key) to generate digital certificate information of the BIOS vendor.
In step S214, the digital certificate device system transmits the digital certificate information to the BIOS configuration device system.
After the digital certificate device system generates the digital certificate information, the digital certificate information can be sent to the BIOS configuration device system, so that the BIOS configuration device system burns the digital certificate information into a BIOS chip to be configured by the computer. For example, in the case where the digital certificate device system is a CA device system, the CA device system may send a digital certificate of a BIOS vendor to the BIOS vendor device system, so that the BIOS vendor burns the digital certificate obtained by the BIOS vendor device system to a BIOS chip to be configured by the computer. For another example, in the case where the digital certificate device system is a processor vendor device system, the processor vendor device system may send the digital certificate of the BIOS vendor to the BIOS vendor device system, so that the BIOS vendor burns the digital certificate obtained by the BIOS vendor device system into a BIOS chip to be configured by the computer.
In step S215, the BIOS configuration device system saves the unique identification of the computer hardware to be configured by the computer in the BIOS code.
When the BIOS chip of the computer and computer hardware such as the processor and the hard disk are being configured, the provider of the BIOS chip (BIOS vendor, motherboard vendor, etc.) may collect the unique identifiers of all or part of the computer hardware to be configured in the computer, and store the collected unique identifiers in the BIOS code by using the BIOS configuration device system (BIOS vendor device system or motherboard vendor device system). In alternative implementations, the unique identifier of a piece of computer hardware may be its unique ID, such as its product serial number, which uniquely identifies that hardware. In one example, a unique ID of a processor (such as the product serial number of the processor) uniquely identifies the processor, and a unique ID of a hard disk (such as the product serial number of the hard disk) uniquely identifies the hard disk.
In the embodiment of the application, besides holding the basic code information that realizes the basic functions of the BIOS, the BIOS code also stores the unique identifiers of the computer hardware of the computer, which provides the data basis for the subsequent validity verification of the computer hardware. Optionally, the basic code information for implementing the basic functions of the BIOS includes: basic input/output program information, system setting information, startup self-checking program information, system self-starting program information, and the like. In an alternative implementation, the BIOS configuration device system may save the unique identifiers (such as product serial numbers) of the computer hardware to be configured in the computer, such as a processor and a hard disk, into the BIOS code to generate a BIOS image, thereby producing BIOS code in which the unique identifiers of the computer hardware are saved.
In step S216, the BIOS configuration device system generates a BIOS digest corresponding to the BIOS code.
Once the BIOS code stores the basic code information for realizing the basic functions of the BIOS and the unique identifiers of the computer hardware, the BIOS configuration device system can generate a BIOS digest corresponding to the BIOS code. In the security verification stage of the BIOS code, the BIOS digest can be used to verify the integrity of the BIOS code, for example to verify whether the BIOS code has been tampered with.
In an alternative implementation, the BIOS configuration device system may invoke a digest generation algorithm to generate the BIOS digest corresponding to the BIOS code. The digest generation algorithm may be any algorithm capable of generating an information digest, such as a hash algorithm, for example MD5, SHA-1, SHA-2, SM3, etc. In one implementation example, the BIOS configuration device system may call the SM3 algorithm to calculate a hash value over the BIOS image to generate the BIOS digest. It should be noted that the SM3 algorithm is a hash algorithm suitable for digital signature and verification and for the generation and verification of message authentication codes, and, combined with other cryptographic algorithms, it can meet the application requirements of electronic authentication service systems and the like.
In step S217, the BIOS configuration device system encrypts the BIOS digest according to the BIOS private key to generate digital signature information.
After generating the BIOS digest of the BIOS code, the BIOS configuration device system may further encrypt the BIOS digest according to the BIOS private key generated before, so as to obtain digital signature information. In the embodiment of the application, the digital signature information is used for verifying the validity of the BIOS code in the security verification stage of the BIOS code.
It should be noted that the BIOS private key corresponds to the BIOS public key, and the digital certificate information is the result of encrypting the BIOS public key with the digital certificate private key. Therefore, once the validity of the digital certificate information has been proved (which is shown by whether the digital certificate public key pre-stored in the processor can successfully decrypt the digital certificate information), if the BIOS private key that encrypted the BIOS digest corresponds to the BIOS public key in the digital certificate information, the validity and correctness of the BIOS private key are demonstrated, and the BIOS private key of the BIOS chip is shown to belong to a legal and correct provider; if the BIOS private key that encrypted the BIOS digest does not correspond to the BIOS public key in the digital certificate information, the BIOS private key is incorrect, that is, it cannot be proved that the BIOS private key of the BIOS chip belongs to a legal and correct provider.
In an alternative implementation, the BIOS configuration device system may invoke a key algorithm, such as the SM2 algorithm, to encrypt the BIOS digest using the BIOS private key to generate the digital signature information. For example, the BIOS vendor device system may invoke a key algorithm, such as the SM2 algorithm, to encrypt the BIOS digest using the BIOS vendor private key, thereby generating the digital signature.
In the embodiment of the application, the BIOS code, the digital signature information and the digital certificate information recorded by the BIOS configuration device system may be burned into a BIOS chip to be configured by the computer.
Optionally, based on the BIOS code and the digital signature information generated by the BIOS configuration device system and the digital certificate information obtained from the digital certificate device system, the BIOS chip provider (e.g., a BIOS vendor) may burn the BIOS code, the digital signature information, and the digital certificate information into the BIOS chip to be configured in the computer, so that they are fixed within the BIOS chip. In one implementation example, a BIOS vendor may, on the BIOS chip production line, burn the BIOS code, digital signature information, and digital certificate information recorded in the BIOS configuration device system into the BIOS chip to be configured in the computer.
With the computer configuration method provided by the embodiment of the application, during configuration stages such as computer assembly and manufacture, the digital certificate device system (such as a CA device system or a processor vendor device system) and the BIOS configuration device system (such as a BIOS vendor device system or a motherboard vendor device system) interact so that the processor vendor burns and fixes the related information and keys in the ROM of the processor, and the BIOS chip provider burns the related information and keys in the BIOS chip. In one example, fig. 3 is an exemplary diagram of the information burned into the processor and the BIOS chip in an embodiment of the present application, and may be referred to.
As shown in fig. 3, the BIOS chip is burned with the BIOS code, the digital signature information, and the digital certificate information. The BIOS code contains the basic code information for realizing the basic functions of the BIOS and also the unique identifiers of the computer hardware, which are used for verifying the legitimacy of the computer hardware. The digital signature information is the result of encrypting the BIOS digest corresponding to the BIOS code with the BIOS private key. The BIOS digest is used for verifying the integrity of the BIOS code in the security verification stage of the BIOS code. In that stage, the encrypted digital signature information is used, together with the BIOS public key in the digital certificate information (when the digital certificate information can be successfully decrypted), to verify the legitimacy of the BIOS code (e.g., to verify whether the BIOS private key belongs to the correct legitimate provider). The digital certificate information is the result of encrypting the BIOS public key with the digital certificate private key, and the digital certificate public key is burned and fixed in the ROM of the processor, so that in the security verification stage the validity of the BIOS code is verified (for example, whether the digital certificate private key belongs to a correct legal provider) by whether the digital certificate public key can correctly decrypt the digital certificate information in the BIOS chip.
Based on the related information and keys burned into the processor and the BIOS chip of the computer, in the embodiment of the application the processor can verify the security of the BIOS code (such as the validity and the integrity of the BIOS code) when the computer is powered on. After the security verification of the BIOS code passes, the processor can run the BIOS code to start the power-on initialization of the computer, verify the computer hardware during that initialization, and add validity verification of the computer hardware to the process of verifying the computer hardware.
As an alternative implementation, fig. 4 illustrates an alternative flowchart of an authentication method provided in an embodiment of the present application, where the method flowchart may be implemented by a processor (CPU), and referring to fig. 4, the method flowchart may include the following steps.
In step S410, in response to the computer power-on instruction, the BIOS code, the digital signature information, and the digital certificate information are read from the BIOS chip.
When the computer is powered on and started, the processor of the computer does not directly load and run the BIOS code to perform the power-on initialization; instead, the processor reads the BIOS code, the digital signature information, and the digital certificate information in order to perform security verification on the BIOS code. Therefore, when the computer is powered on and started, the processor detects the computer power-on instruction and starts running; once running, the processor may read the BIOS code, the digital signature information, and the digital certificate information from the BIOS chip. As described above, the digital signature information is the result of the BIOS digest corresponding to the BIOS code being encrypted by the BIOS private key; the digital certificate information is the result of the BIOS public key being encrypted by the digital certificate private key; and the BIOS private key corresponds to the BIOS public key.
In step S411, it is verified whether the digital certificate information is legal or not based on the pre-stored digital certificate public key, if not, step S412 is executed, and if yes, step S413 is executed.
The digital certificate public key is burned and fixed in the ROM of the processor in advance. After the processor reads the digital certificate information from the BIOS chip, it can use the pre-stored digital certificate public key to verify whether the digital certificate information is legal, which realizes the first-level validity verification of the BIOS code; if the digital certificate information is illegal, the process proceeds to step S412, and if it is legal, the process proceeds to step S413. In an alternative implementation, the processor may decrypt the digital certificate information according to the pre-stored digital certificate public key and verify whether the digital certificate information is legal based on whether the decryption succeeds; if the decryption succeeds (i.e., the digital certificate information can be successfully decrypted using the digital certificate public key), the digital certificate information is confirmed to be legal; if the decryption does not succeed (i.e., decrypting the digital certificate information using the digital certificate public key fails), the digital certificate information is confirmed to be illegal.
It should be noted that the digital certificate public key and the digital certificate private key are a key pair generated by the digital certificate device system, and the two correspond to each other uniquely. If the digital certificate information was produced by encrypting the BIOS public key with the legal digital certificate private key, it can be successfully decrypted with the corresponding legal digital certificate public key. If the processor cannot successfully decrypt the digital certificate information with the corresponding legal digital certificate public key, the digital certificate information may not have been encrypted with the legal digital certificate private key, and the digital certificate information may have been illegally tampered with.
In an alternative implementation, the processor may invoke a key algorithm, such as the SM2 cryptographic algorithm, to decrypt the digital certificate information using the pre-stored digital certificate public key (the digital certificate public key fixed in the ROM), and verify whether the digital certificate information is legal by whether the decryption succeeds. In one example, taking the digital certificate public key as the CA center public key, the processor may call a key algorithm such as the SM2 cryptographic algorithm and decrypt the digital certificate information using the CA center public key fixed in the ROM in advance, so as to verify whether the digital certificate information is legal by whether the decryption succeeds. In another example, taking the digital certificate public key as a processor vendor public key, the processor may call a key algorithm such as the SM2 cryptographic algorithm and decrypt the digital certificate information using the processor vendor public key fixed in the ROM in advance, so as to verify whether the digital certificate information is legal by whether the decryption succeeds.
In step S412, the computer is stopped and prompted.
If the digital certificate information is verified to be illegal, the digital certificate information of the BIOS chip may have been illegally tampered with, and continuing to run the computer could pose a security risk, so the processor can stop the computer and issue a prompt. Optionally, the prompt may take the form of outputting a warning sound, displaying a popup window, and the like; by way of example, the popup content may state that the computer has stopped running because the digital certificate information of the BIOS chip is illegal.
In step S413, a BIOS public key decrypted from the digital certificate information is obtained, and based on the BIOS public key, whether the digital signature information is legal or not is verified, if not, step S412 is executed, and if yes, step S414 is executed.
Because the digital certificate information is the result of encrypting the BIOS public key with the digital certificate private key, when the digital certificate information is verified to be legal, the processor can successfully decrypt it according to the digital certificate public key and thereby obtain the BIOS public key. Because the BIOS public key has been shown to be legal, it can be taken to be a key legally owned by the provider of the BIOS chip, so the processor may verify whether the digital signature information is legal based on the BIOS public key, which implements the second-level validity verification of the BIOS code.
In an alternative implementation, the processor may decrypt the digital signature information according to the BIOS public key and verify whether the digital signature information is legal based on whether the decryption succeeds. If the decryption succeeds (i.e., the digital signature information can be successfully decrypted using the BIOS public key), the digital signature information is confirmed to be legal, that is, it was encrypted with the BIOS private key corresponding to the legal BIOS public key, so the validity of the BIOS code is verified (for example, the BIOS private key belongs to the correct BIOS vendor). If the decryption does not succeed (i.e., decrypting the digital signature information using the BIOS public key fails), the digital signature information is confirmed to be illegal, that is, the private key used to encrypt the digital signature information does not correspond to the legal BIOS public key, and the validity of the BIOS code cannot be verified.
In an alternative implementation, the processor may invoke a key algorithm, such as an SM2 cryptographic algorithm, to decrypt the digital signature information using the BIOS public key to verify whether the digital signature information is legitimate by whether the decryption process was successful. In one example, taking the public key of the BIOS as the public key of the BIOS manufacturer, correspondingly, the digital signature information is the result of encrypting the BIOS digest corresponding to the BIOS code by the private key of the BIOS manufacturer, and the processor may call a key algorithm such as the SM2 cryptographic algorithm, and perform decryption processing on the digital signature information by using the public key of the BIOS manufacturer, so as to verify whether the digital signature information is legal or not through whether the decryption processing is successfully performed.
In the case of verifying that the digital signature information is illegal, the processor may stop the computer and prompt. Optionally, the prompting mode includes outputting a prompting warning sound, displaying a prompting popup window, and the like, where, by way of example, the popup window content may prompt that the computer stops running because the digital signature information of the BIOS chip is illegal, and the like.
In step S414, the BIOS digest decrypted from the digital signature information is obtained, and the BIOS digest corresponding to the BIOS code is regenerated.
Because the digital signature information is the result of encrypting the BIOS digest corresponding to the BIOS code with the BIOS private key, when the digital signature information is verified to be legal, the processor can successfully decrypt it according to the BIOS public key and thereby obtain the BIOS digest. After obtaining the BIOS digest, the processor may regenerate a BIOS digest for the BIOS code and verify whether the BIOS code is complete by comparing the two BIOS digests, thereby verifying the integrity of the BIOS code.
In an alternative implementation, the processor may invoke a digest generation algorithm, such as an SM3 algorithm, to calculate a hash value on the BIOS code to obtain a regenerated BIOS digest.
In step S415, it is verified whether the BIOS code is complete according to the BIOS digest decrypted from the digital signature information and the regenerated BIOS digest, if not, step S412 is executed, and if yes, step S416 is executed.
After regenerating the BIOS digest corresponding to the BIOS code, the processor can compare the BIOS digest decrypted from the digital signature information with the regenerated BIOS digest, and verify from the comparison result whether the BIOS code is complete. If the BIOS digest decrypted from the digital signature information is consistent with the regenerated BIOS digest, the BIOS code has not been tampered with, the BIOS code is complete, and the integrity verification of the BIOS code passes; if the two are inconsistent, the BIOS code has been tampered with, the BIOS code is incomplete, and the integrity verification of the BIOS code fails.
If the BIOS code is verified to be incomplete, the processor may stop the computer and issue a prompt. Optionally, the prompt may take the form of outputting a warning sound, displaying a popup window, etc.; by way of example, the popup content may state that the computer has stopped running because the BIOS code is incomplete.
In step S416, the BIOS code is run to begin a computer power-on initialization operation, including verifying computer hardware.
When the processor verifies that the BIOS code is complete, the processor may confirm that both the validity verification and the integrity verification of the BIOS code have passed, so it may load and run the BIOS code to begin the power-on initialization of the computer. In the power-on initialization started by running the BIOS code, the processor may perform system setup, a boot self-test, etc., where the boot self-test may implement the computer hardware verification (e.g., the computer hardware is verified by a boot self-test program). During the verification of the computer hardware, the processor may verify the legitimacy of the computer hardware based on the unique identifiers of the computer hardware pre-stored in the BIOS code.
In step S417, during the process of verifying the computer hardware, according to the unique identifier of the computer hardware of the computer stored in the BIOS code, whether the computer hardware of the computer is legal is verified, if not, step S412 is executed, and if yes, step S418 is executed.
Alternatively, the processor may verify the computer hardware by running a boot self-test program of the BIOS code and add to the validity verification of the computer hardware when verifying the computer hardware. For example, the embodiment of the application may add the validity verification logic to the computer hardware in the boot self-checking program of the BIOS code, so that in the process of running the BIOS code and verifying the computer hardware, the processor may verify whether the computer hardware of the computer is valid according to the unique identifier of the computer hardware pre-stored in the BIOS code.
In an alternative implementation, the processor may read the identifier of the computer hardware, compare the read identifier of the computer hardware with the unique identifier of the corresponding computer hardware stored in the BIOS code in advance, and if the comparison result is consistent, verify that the computer hardware is legal, and if the comparison result is inconsistent, verify that the computer hardware is illegal (for example, the computer hardware in the computer is tampered and replaced). Optionally, the BIOS code may store unique identifiers of all or part of the computer hardware in the computer, so that based on the type of computer hardware in which the BIOS code stores the unique identifiers in advance, the processor may read the identifiers of the computer hardware of the corresponding type; comparing the read identifiers of the various types of computer hardware with the unique identifiers of the corresponding types of computer hardware stored in the BIOS code; if the comparison results are consistent, verifying that the computer hardware is legal, and if any item of the comparison results are inconsistent, verifying that the computer hardware is illegal.
In one implementation example, taking the example of storing the IDs of the CPU, the hard disk, and other devices in the BIOS code, the processor may read the IDs of the CPU, the IDs of the hard disk, and the IDs of the various other devices; the processor can compare the read ID of the CPU with the ID of the CPU stored in the BIOS code, compare the read ID of the hard disk with the ID of the hard disk stored in the BIOS code, and respectively compare the read IDs of other devices with the IDs of corresponding devices stored in the BIOS code; if all the comparison results are consistent, verifying that the computer hardware is legal, and if any item of comparison results are inconsistent, verifying that the computer hardware is illegal.
In an alternative implementation, the computer hardware verification process involves detecting the functions of the computer hardware; while running the BIOS code, the processor may read the identifier of the computer hardware before performing function detection on it, so as to verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware stored in the BIOS code and the identifier read. In this optional implementation, the processor may instead read the identifier of the computer hardware after performing function detection on it, and verify whether the computer hardware of the computer is legal in the same way. In a further alternative implementation, the processor may read the identifier of the computer hardware in real time while running the BIOS code; for example, for the computer hardware currently being detected, the BIOS chip may read its identifier in real time, so as to verify whether that identifier is consistent with the corresponding unique identifier stored in the BIOS code. It should be noted that the embodiment of the present application does not limit the timing of the validity verification of the computer hardware, which may be placed at any node in the computer verification process.
In step S418, the computer continues to run.
If the computer hardware in the computer is verified to be illegal, the computer hardware may have been illegally replaced; to reduce the risk of operating the computer, the BIOS chip may stop the computer and issue a prompt. Optionally, the prompt may be a warning sound, a displayed pop-up, and so on; for example, the pop-up content may state that the computer stopped running because computer hardware was illegally replaced (and may indicate the type of computer hardware that was illegally replaced).
If the computer hardware in the computer is verified to be legal, the computer can be continuously operated; for example, after other verification of the computer is passed, the operating system boot record may be read in, and the operating system boot record completes the start of the operating system.
With the verification method provided by the embodiment of the application, the processor in the computer performs security verification on the BIOS code when the computer is powered on. The security verification of the BIOS code comprises two-level BIOS code validity verification (validity verification based on digital certificate information and validity verification based on digital signature information) and BIOS code integrity verification. In response to a power-on instruction of the computer, the processor reads the BIOS code, the digital signature information and the digital certificate information from the BIOS chip; the digital signature information is the result of encrypting the BIOS digest corresponding to the BIOS code with the BIOS private key, the digital certificate information is the result of encrypting the BIOS public key with the digital certificate private key, and the BIOS private key corresponds to the BIOS public key. The processor can then verify whether the digital certificate information is legal according to the pre-stored digital certificate public key; if the digital certificate information is legal, the processor can obtain the decrypted BIOS public key from the digital certificate information and verify whether the digital signature information is legal according to the BIOS public key. If the digital signature information is legal, the processor can obtain the decrypted BIOS digest from the digital signature information and regenerate the BIOS digest corresponding to the BIOS code; according to the BIOS digest decrypted from the digital signature information and the regenerated BIOS digest, the processor can verify whether the BIOS code is complete. If the BIOS code is complete, the processor may run the BIOS code to begin the power-on initialization of the computer, which includes verifying the computer hardware; in the process of verifying the computer hardware, the processor can verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware pre-stored in the BIOS code. Therefore, the embodiment of the application achieves security verification of the BIOS code by the processor, and validity verification of the computer hardware while the BIOS code runs, in the power-on boot stage of the computer.
Therefore, through the two-way verification of BIOS code security verification and computer hardware validity verification in the power-on boot stage, the embodiment of the application can guarantee the reliability of computer verification. It comprehensively detects whether the computer has been attacked, damaged or tampered with (covering both the case where the BIOS code is attacked, damaged or tampered with and the case where the computer hardware is), avoids the security risk of running the computer in that condition, and improves the security of the computer.
Further, in the embodiment of the present application, the verifier of the BIOS is a processor local to the computer, and the key for verifying BIOS security (for example, the digital certificate public key) is fixed in the ROM of the processor, which avoids at least the following problems of having a remote server perform BIOS verification: BIOS-related data need not be transmitted to a remote server, the cost of setting up the remote server can be reduced, and the risk of computer data being intercepted or stolen during remote transmission is reduced.
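The chain described above (certificate public key held in processor ROM, then certificate, signature, digest and hardware identifiers) can be traced in a short simulation. This is an added example, not code from the patent: the function names, the SEAL1 framing tag, the JSON identifier trailer and all sample values are assumptions, and the unpadded RSA on Mersenne primes only mirrors the page's "encrypt with the private key" wording, where production firmware would use a standard padded signature scheme.

```python
import hashlib
import hmac
import json

E = 65537
TAG = b"SEAL1"  # constructed framing tag: a blob opened with the wrong key will not carry it


def make_key(p_exp, q_exp):
    """Toy RSA key pair built from two Mersenne primes (demonstration only)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)


def seal(private, payload):
    """'Encrypt with the private key', the page's description of signing."""
    n, d = private
    m = int.from_bytes(TAG + payload, "big")
    if m >= n:
        raise ValueError("payload too large for this key")
    return pow(m, d, n)


def unseal(public, blob):
    """'Decrypt with the public key'; returns None when the blob is not legal."""
    n, e = public
    m = pow(blob, e, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(TAG):] if raw.startswith(TAG) else None


def encode_pub(public):
    n, e = public
    return e.to_bytes(4, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def decode_pub(raw):
    return int.from_bytes(raw[4:], "big"), int.from_bytes(raw[:4], "big")


def build_bios_code(body, hardware_ids):
    """The hardware IDs live inside the BIOS code, so the digest covers them."""
    return body + b"\nIDS:" + json.dumps(hardware_ids, sort_keys=True).encode()


def provision(bios_code, bios_key, cert_private):
    """Configuration stage: produce what gets burned into the BIOS chip."""
    bios_public, bios_private = bios_key
    return {
        "code": bios_code,
        "signature": seal(bios_private, hashlib.sha256(bios_code).digest()),
        "certificate": seal(cert_private, encode_pub(bios_public)),
    }


def power_on(rom_cert_public, chip, read_hardware_ids):
    """Processor-side check order: certificate, signature, digest, hardware IDs."""
    raw_pub = unseal(rom_cert_public, chip["certificate"])
    if raw_pub is None:
        return "halt: digital certificate illegal"
    signed_digest = unseal(decode_pub(raw_pub), chip["signature"])
    if signed_digest is None:
        return "halt: digital signature illegal"
    actual = hashlib.sha256(chip["code"]).digest()
    if not hmac.compare_digest(signed_digest, actual):
        return "halt: BIOS code incomplete"
    # Only now is the BIOS code trusted enough to run and to supply the ID list.
    stored = json.loads(chip["code"].rsplit(b"\nIDS:", 1)[1])
    present = read_hardware_ids()
    bad = sorted(k for k, v in stored.items() if present.get(k) != v)
    if bad:
        return "halt: illegal hardware: " + ", ".join(bad)
    return "continue boot"


# Constructed sample data (keys, identifiers and BIOS body are all made up).
CERT_KEY = make_key(1279, 2203)   # stands in for the CA centre or processor vendor
BIOS_KEY = make_key(521, 607)     # stands in for the BIOS or motherboard vendor
ROGUE_KEY = make_key(521, 1279)   # a key that does not chain to the ROM key
IDS = {"cpu": "CPU-CONSTRUCTED-0001", "disk": "HDD-CONSTRUCTED-0001"}
CHIP = provision(build_bios_code(b"bios-body", IDS), BIOS_KEY, CERT_KEY[1])


def scenarios():
    rom = CERT_KEY[0]
    swapped = {**IDS, "disk": "HDD-CONSTRUCTED-9999"}
    patched = dict(CHIP, code=CHIP["code"].replace(b"bios-body", b"evil-body"))
    rogue_sig = seal(ROGUE_KEY[1], hashlib.sha256(patched["code"]).digest())
    rogue_cert = seal(ROGUE_KEY[1], encode_pub(BIOS_KEY[0]))
    relisted = dict(CHIP, code=build_bios_code(b"bios-body", swapped))
    return {
        "genuine": power_on(rom, CHIP, lambda: IDS),
        "patched code": power_on(rom, patched, lambda: IDS),
        "re-signed with rogue key": power_on(rom, dict(patched, signature=rogue_sig), lambda: IDS),
        "untrusted certificate issuer": power_on(rom, dict(CHIP, certificate=rogue_cert), lambda: IDS),
        "disk swapped": power_on(rom, CHIP, lambda: swapped),
        "disk swapped, ID list edited": power_on(rom, relisted, lambda: swapped),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario shows why the identifiers are stored inside the signed BIOS code: editing the stored list to match a swapped disk changes the digest and is caught at the integrity step.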
It should be noted that fig. 2 and fig. 4 are optional configuration procedures of the computer and optional procedures of the computer verification performed in the case of the BIOS code security verification including two-level BIOS code validity verification (validity verification based on digital certificate information and validity verification based on digital signature information), and BIOS code integrity verification. Under the concept of performing two-way verification of BIOS code security verification and computer hardware validity verification, the embodiment of the application does not limit the specific mode of BIOS code security verification.
In other possible implementations, the BIOS code security verification may include one-level BIOS code legitimacy verification (legitimacy verification based on digital signature information) and BIOS code integrity verification; accordingly, in the configuration stage of the computer, the embodiment of the application can support a configuration in which the digital certificate keys are not configured. For example, where the BIOS vendor is trusted and no third party needs to authenticate the BIOS public key, the processor vendor may obtain the BIOS public key directly from the BIOS vendor and burn it into the ROM of the processor so that it is fixed there. When the computer is powered on and started, the processor can then acquire the BIOS code and the digital signature information and directly verify whether the digital signature information is legal according to the pre-stored BIOS public key. If the processor verifies that the digital signature information is legal, it can obtain the decrypted BIOS digest from the digital signature information and regenerate the BIOS digest corresponding to the BIOS code, so as to verify whether the BIOS code is complete by comparing the two digests. If the BIOS code is verified to be complete, the processor can run the BIOS code to start the power-on initialization of the computer, and further verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware pre-stored in the BIOS code.
It should be noted that, the specific mode and form of the security verification of the BIOS code may be selected and determined according to the actual situation, and in the case that the BIOS code of the BIOS chip stores the unique identifier of the computer hardware of the computer, after the security verification of the BIOS code passes, in the process of verifying the computer hardware based on the BIOS, the embodiment of the present application may add validity verification of the computer hardware, thereby ensuring the reliability of the computer verification through bidirectional verification, and improving the security of the computer.
As an alternative implementation, fig. 5 illustrates another alternative flowchart of a verification method provided by an embodiment of the present application, where the method flowchart may be implemented by execution of a processor, and referring to fig. 5, the method flowchart may include the following steps.
In step S510, in response to the power-on instruction of the computer, the BIOS code and the BIOS verification information are read from the BIOS chip of the computer, wherein the BIOS code stores the unique identifier of the computer hardware of the computer.
In step S511, BIOS code security verification is performed according to the BIOS code and the BIOS verification information.
In some embodiments, the BIOS code security verification includes BIOS code validation verification and BIOS code integrity verification. The verification of the validity of the BIOS code can be realized based on the BIOS verification information, and the verification of the integrity of the BIOS code can be realized based on the BIOS code. That is, the BIOS code security verification includes BIOS code legitimacy verification based on the BIOS verification information, and BIOS code integrity verification based on the BIOS code.
In an alternative implementation, the BIOS verification information may include at least digital signature information, where the digital signature information is a result of encrypting a BIOS digest corresponding to the BIOS code by a BIOS private key. Thus, when the processor performs the security verification of the BIOS code, the processor may obtain the BIOS public key corresponding to the BIOS private key (the BIOS public key may be obtained by the processor decrypting the digital certificate information, or may be pre-stored by the processor); verify whether the digital signature information is legal according to the BIOS public key; if the digital signature information is legal, obtain the decrypted BIOS digest from the digital signature information and regenerate the BIOS digest corresponding to the BIOS code; and then verify whether the BIOS code is complete according to the BIOS digest decrypted from the digital signature information and the regenerated BIOS digest; wherein, if the BIOS code is verified to be complete, the BIOS code security verification passes.
In one implementation example, if the BIOS code security verification includes a secondary BIOS code legitimacy verification (legitimacy verification based on digital certificate information, and legitimacy verification based on digital signature information), and a BIOS code integrity verification, the BIOS verification information read by the processor from the BIOS chip may include digital certificate information as well as digital signature information. Accordingly, an optional process of the processor for performing the security verification of the BIOS code may refer to the flow shown in fig. 4, which is not described herein.
In other alternative implementations, if the BIOS code security verification includes one-level BIOS code legitimacy verification (legitimacy verification based on digital signature information) and BIOS code integrity verification, the BIOS verification information read by the processor from the BIOS chip may include digital signature information. Correspondingly, when the processor performs the security verification of the BIOS code, it can verify whether the digital signature information is legal according to the pre-stored BIOS public key; when the digital signature information is legal, it obtains the decrypted BIOS digest from the digital signature information and regenerates the BIOS digest corresponding to the BIOS code; the BIOS digest decrypted from the digital signature information is then compared with the regenerated BIOS digest to verify whether the BIOS code is complete.
In step S512, if the BIOS code security verification passes, the BIOS code is run to begin a computer power-on initialization operation, including verifying the computer hardware.
In step S513, in the process of verifying the computer hardware, according to the unique identifier of the computer hardware pre-stored in the BIOS code, it is verified whether the computer hardware of the computer is legal.
Optionally, in the process of verifying the computer hardware, the processor may read the identifier of the computer hardware, compare the read identifier of the computer hardware with the unique identifier of the corresponding computer hardware stored in the BIOS code in advance, and verify that the computer hardware is legal if the comparison result is consistent, and verify that the computer hardware is illegal if the comparison result is inconsistent; if the computer hardware is verified to be illegal, the processor can stop the operation of the computer and prompt; if the computer hardware is verified to be legitimate, the processor may continue to run the computer.
With the verification method provided by the embodiment of the application, the processor in the computer performs security verification on the BIOS code when the computer is powered on. In response to the power-on instruction of the computer, the processor reads the BIOS code and the BIOS verification information from the BIOS chip of the computer, wherein the BIOS code stores the unique identifier of the computer hardware of the computer in advance; the processor can then perform BIOS code security verification according to the BIOS code and the BIOS verification information. After the BIOS code security verification is passed, the processor may run the BIOS code it has read to begin the power-on initialization of the computer, which includes verifying the computer hardware; in the process of verifying the computer hardware, the processor can verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware pre-stored in the BIOS code. Therefore, the verification method provided by the embodiment of the application achieves security verification of the BIOS code by the processor, and validity verification of the computer hardware after the BIOS code is run, in the power-on boot stage of the computer.
Therefore, through the two-way verification of BIOS code security verification and computer hardware validity verification in the power-on boot stage, the embodiment of the application can guarantee the reliability of computer verification. It comprehensively detects whether the computer has been attacked, damaged or tampered with (covering both the case where the BIOS code is attacked, damaged or tampered with and the case where the computer hardware is), avoids the security risk of running the computer in that condition, and improves the security of the computer.
It should be noted that, in the prior art, the processor does not know how much computer hardware exists in the computer before the computer is started; it determines this when running the BIOS code, by reading register information related to the computer hardware. Taking a hard disk as an example, the BIOS determines the number of hard disks in the computer by reading the register that indicates the number of hard disks after initializing the hard disk controller. Under the prior-art BIOS working mechanism, therefore, the BIOS chip does not pre-store a unique identifier, such as an ID, of the computer hardware. In the scheme provided by the embodiment of the application, the IDs of the computer hardware configured in the computer, such as the CPU and the hard disk, are fixed in the BIOS code, and the validity of the computer hardware is verified when the computer is verified, so that the computer hardware of the computer cannot be removed or replaced at will; because the BIOS code uniquely identifies the computer hardware of the computer, the security of the computer is enhanced.
For example, the processor runs the BIOS code to reversely verify the legitimacy of the computer hardware through the ID of the computer hardware, which prevents the computer hardware from being illegally replaced by computer hardware of a different model from the same manufacturer and avoids the problems that may arise when computer hardware is verified by manufacturer information alone. In one example, taking a CPU (an example of a processor), CPUs of different models from the same manufacturer may differ in performance; if the high-performance CPU in the computer is replaced with a low-performance CPU of the same manufacturer (i.e., the replacement CPU has lower performance than the original and is a different model from the same manufacturer), or a low-performance CPU is even cloned as a high-performance CPU of the same manufacturer, verifying the manufacturer information of the CPU cannot tell them apart. For this reason, after the security verification of the BIOS is passed, the embodiment of the invention reversely verifies the validity of the ID of the current CPU in the computer against the ID of the CPU stored in the BIOS code, so that the legal CPU of the computer is uniquely determined, the security of the CPU is enhanced, replacement of the CPU with a low-performance CPU of the same manufacturer is reduced, and the situation in which an illegally replaced CPU cannot be distinguished is avoided.
In another example, taking a hard disk as an example, the embodiment of the present application performs verification on the hard disk, not on the computer operating system level, and the verification basis is not vendor information of the hard disk, but on the BIOS level (at the starting source point of the computer), based on the ID of the legal hard disk stored in advance in the BIOS code, the current hard disk in the computer is subjected to validity verification, which can reduce the occurrence of the situation that the hard disk is replaced with a low-performance hard disk of the same vendor, and improve the security of the hard disk. The validity verification of other computer hardware devices can be referred to in the same way, and the description is omitted here.
In a further alternative implementation, when a user needs to replace computer hardware configured in the computer, such as a CPU or a hard disk, the embodiment of the present application allows a trusted device system having BIOS code configuration and control authority (for example, a BIOS vendor device system or a motherboard vendor device system) to write the unique identifier of the replacement computer hardware into the BIOS code of the BIOS chip again through the process of the computer configuration stage (for example, the process shown in fig. 2). This updates the unique identifier of the computer hardware in the BIOS code, so that, by controlling write authority over the BIOS code, computer hardware such as the CPU and the hard disk can be legally replaced and the legally replaced computer hardware can pass the legality verification.
By combining security verification of the BIOS with validity verification of the computer hardware, the embodiments of the application improve the reliability of computer verification through two-way verification, prevent the computer from running when the BIOS is unsafe or the computer hardware has been illegally replaced, and improve the security of the computer. In addition, the key for BIOS code security verification is fixed in the local processor of the computer, so that BIOS security verification is performed by the computer's local processor; this avoids the cost of remote BIOS verification and the risk of computer data being intercepted during remote transmission, reducing the cost of BIOS verification and improving the security of computer data.
The verification device provided in the embodiments of the present application is described below, and the verification device described below may be regarded as a functional module that is required to be set by the processor to implement the verification method provided in the embodiments of the present application. The contents of the devices described below may be referred to in correspondence with the contents described above.
As an alternative implementation, fig. 6 illustrates an alternative block diagram of an authentication apparatus provided in an embodiment of the present application, where the authentication apparatus may be applied to a processor, and referring to fig. 6, the authentication apparatus may include:
the information reading module 610 is configured to read a BIOS code and BIOS verification information from a BIOS chip of a computer in response to a power-on start instruction of the computer, where the BIOS code is pre-stored with a unique identifier of computer hardware of the computer;
a BIOS verification module 611, configured to perform BIOS code security verification according to the BIOS code and the BIOS verification information;
a code running module 612, configured to run the BIOS code to start a power-on initialization operation of the computer if the BIOS code security verification passes, where the operation includes verifying computer hardware;
and the hardware verification module 613 is configured to verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware pre-stored in the BIOS code in the process of verifying the computer hardware.
Optionally, the BIOS code security verification includes a BIOS code legitimacy verification based on the BIOS verification information, and a BIOS code integrity verification based on the BIOS code.
Optionally, the BIOS verification information includes at least digital signature information, where the digital signature information is a result of encrypting a BIOS digest corresponding to the BIOS code by a BIOS private key;
correspondingly, the BIOS verification module 611 is configured to perform BIOS code security verification according to the BIOS code and the BIOS verification information, and includes:
obtaining a BIOS public key corresponding to the BIOS private key; verifying whether the digital signature information is legal according to the BIOS public key; if the digital signature information is legal, obtaining the decrypted BIOS digest from the digital signature information, and regenerating the BIOS digest corresponding to the BIOS code; verifying whether the BIOS code is complete according to the BIOS digest decrypted from the digital signature information and the regenerated BIOS digest; wherein, if the BIOS code is complete, the BIOS code security verification passes.
Optionally, in one aspect, the BIOS verification information further includes digital certificate information, where the digital certificate information is a result of encrypting the BIOS public key by a digital certificate private key;
correspondingly, the BIOS verification module 611 being configured to obtain a BIOS public key corresponding to the BIOS private key includes:
verifying whether the digital certificate information is legal or not according to a pre-stored digital certificate public key; and if the digital certificate information is verified to be legal, obtaining a BIOS public key obtained by decryption from the digital certificate information.
Alternatively, on the other hand, the BIOS public key corresponding to the BIOS private key may be pre-stored in the processor, such as by pre-curing the BIOS public key within the ROM of the processor.
Optionally, the verification device may further be configured to:
if the digital certificate information is verified to be illegal, or the digital signature information is verified to be illegal, or the BIOS code is verified to be incomplete, the BIOS code security verification is confirmed to be not passed, and the computer is stopped and prompted.
Optionally, the hardware verification module 613 is configured to verify whether the computer hardware of the computer is legal according to the unique identifier of the computer hardware pre-stored in the BIOS code in a process of verifying the computer hardware, where the verifying includes:
reading the identification of the computer hardware in the process of verifying the computer hardware;
comparing the read identifier of the computer hardware with the unique identifier of the corresponding computer hardware stored in the BIOS code; if the comparison results are consistent, verifying that the computer hardware is legal, and if the comparison results are inconsistent, verifying that the computer hardware is illegal.
Optionally, the verification device may further be configured to:
if the hardware of the computer is verified to be illegal, stopping the operation of the computer and prompting;
if the computer hardware is verified to be legal, the computer continues to run.
Optionally, the hardware verification module 613 is configured to, in a process of verifying the computer hardware, read the identity of the computer hardware, where the reading includes:
reading the identification of the computer hardware before the function detection of the computer hardware or after the function detection of the computer hardware;
or, for the currently detected computer hardware, reading the identity of the currently detected computer hardware.
Optionally, the BIOS public key is a BIOS vendor public key or a motherboard vendor public key; the BIOS private key is a BIOS manufacturer private key corresponding to the BIOS manufacturer public key, or a main board manufacturer private key corresponding to the main board manufacturer public key; the digital certificate public key is a CA center public key or a processor manufacturer public key; the digital certificate private key is a CA center private key corresponding to the CA center public key or a processor manufacturer private key corresponding to the processor manufacturer public key.
Embodiments of the present application also provide a computer that may have data processing capabilities (e.g., a data processing computer); in one example, the computer may be a server device (e.g., a cloud service device) or a terminal (e.g., a personal computer). The computer may include a processor and a BIOS chip, wherein the processor is configured to perform the verification method provided by embodiments of the present application. Further, the BIOS chip is configured with BIOS code and BIOS verification information, wherein the BIOS code is pre-stored with a unique identifier of computer hardware of the computer.
In an alternative implementation, the processor may perform the verification method provided in the embodiments of the present application by being provided with a verification device as illustrated in fig. 6.
The embodiment of the application also provides a computer configuration system. With reference to fig. 1, the computer configuration system may include a BIOS configuration device system and a digital certificate device system, wherein the BIOS configuration device system configures information for the BIOS chip to be configured in the computer, the digital certificate device system configures information for the processor and the BIOS chip to be configured in the computer, and the computer is the computer provided by the embodiments of the application.
Optionally, the BIOS configuration device system is a device system having information configuration and control authority for a BIOS chip of the computer; the digital certificate equipment system is a trusted equipment system with digital certificate information issuing authority.
Optionally, the BIOS configuration device system is configured to: generate a BIOS public key and a BIOS private key; send the BIOS public key to the digital certificate device system, and obtain the digital certificate information sent by the digital certificate device system, wherein the digital certificate information is a result of encrypting the BIOS public key with a digital certificate private key generated by the digital certificate device system; store the unique identifier of the computer hardware to be configured in the computer in the BIOS code; generate a BIOS digest corresponding to the BIOS code; encrypt the BIOS digest with the BIOS private key to generate digital signature information; and burn the BIOS code, the digital signature information and the digital certificate information into the BIOS chip to be configured in the computer.
Optionally, the digital certificate device system is configured to: generating a digital certificate public key and a digital certificate private key; encrypting the BIOS public key sent by the BIOS configuration equipment system according to the digital certificate private key to generate digital certificate information, and sending the digital certificate information to the BIOS configuration equipment system; the digital certificate public key is burnt into a processor to be configured by the computer.
Optionally, the digital certificate public key is burnt into an internal ROM of a processor to be configured by the computer, so that after the processor chip is produced, data in the ROM of the processor is solidified and cannot be modified, and the security of the burnt digital certificate public key in the processor can be ensured.
Optionally, the BIOS configuration device system is a BIOS vendor device system or a motherboard vendor device system; the BIOS public key is a BIOS manufacturer public key or a main board manufacturer public key; the BIOS private key is a BIOS manufacturer private key corresponding to the BIOS manufacturer public key, or a mainboard manufacturer private key corresponding to the mainboard manufacturer public key.
Optionally, the digital certificate equipment system is a CA equipment system or a processor manufacturer equipment system; the digital certificate public key is a CA center public key or a processor manufacturer public key; the digital certificate private key is a CA center private key corresponding to the CA center public key or a processor manufacturer private key corresponding to the processor manufacturer public key.
The foregoing describes a number of embodiments provided by embodiments of the present application, and the various alternatives presented by the various embodiments may be combined, cross-referenced, with each other without conflict, extending beyond what is possible, all of which may be considered embodiments disclosed and disclosed by embodiments of the present application.
Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention shall be defined by the appended claims.

Claims (15)

1. A method of authentication, comprising:
in response to a power-on start instruction of a computer, reading a BIOS code and BIOS verification information from a BIOS chip of the computer, wherein the BIOS code has pre-stored in it a unique identifier of computer hardware of the computer;
performing BIOS code security verification according to the BIOS code and the BIOS verification information;
if the BIOS code security verification is passed, running the BIOS code to start the work of power-on initialization of the computer, wherein the work comprises verifying computer hardware;
in the process of verifying the computer hardware, verifying whether the computer hardware of the computer is legal or not according to the unique identifier of the computer hardware pre-stored in the BIOS code.
2. The authentication method of claim 1, wherein the BIOS code security authentication comprises a BIOS code legitimacy authentication based on the BIOS authentication information, and a BIOS code integrity authentication based on the BIOS code.
3. The method according to claim 2, wherein the BIOS verification information includes at least digital signature information, the digital signature information being a result of a BIOS digest corresponding to the BIOS code being encrypted by a BIOS private key;
the performing BIOS code security verification according to the BIOS code and the BIOS verification information includes:
obtaining a BIOS public key corresponding to the BIOS private key;
verifying whether the digital signature information is legal or not according to the BIOS public key;
if the digital signature information is legal, obtaining the BIOS digest decrypted from the digital signature information, and regenerating the BIOS digest corresponding to the BIOS code;
verifying whether the BIOS code is complete according to the BIOS digest decrypted from the digital signature information and the regenerated BIOS digest; and if the BIOS code is complete, the BIOS code security verification passes.
4. The authentication method of claim 3, wherein the BIOS authentication information further comprises digital certificate information, the digital certificate information being a result of the BIOS public key being encrypted by a digital certificate private key;
the obtaining the BIOS public key corresponding to the BIOS private key includes:
verifying whether the digital certificate information is legal or not according to a pre-stored digital certificate public key; and if the digital certificate information is verified to be legal, obtaining a BIOS public key obtained by decryption from the digital certificate information.
5. The authentication method of claim 4, further comprising:
if the digital certificate information is verified to be illegal, or the digital signature information is verified to be illegal, or the BIOS code is verified to be incomplete, confirming that the BIOS code security verification is not passed, stopping the computer and issuing a prompt.
6. The method according to any one of claims 1 to 5, wherein in the process of verifying the computer hardware, verifying whether the computer hardware of the computer is legitimate according to the unique identifier of the computer hardware stored in the BIOS code comprises:
reading the identification of the computer hardware in the process of verifying the computer hardware;
comparing the read identifier of the computer hardware with the unique identifier of the corresponding computer hardware stored in the BIOS code; if the comparison results are consistent, verifying that the computer hardware is legal, and if the comparison results are inconsistent, verifying that the computer hardware is illegal.
7. The authentication method of claim 6, further comprising:
if the computer hardware is verified to be illegal, stopping the operation of the computer and issuing a prompt;
if the computer hardware is verified to be legal, the computer continues to run.
8. The method of claim 6, wherein, during the process of verifying the computer hardware, reading the identity of the computer hardware comprises:
reading the identification of the computer hardware before the function detection of the computer hardware or after the function detection of the computer hardware;
or, for the currently detected computer hardware, reading the identity of the currently detected computer hardware.
9. The authentication method according to claim 4 or 5, wherein the BIOS public key is a BIOS vendor public key or a motherboard vendor public key; the BIOS private key is a BIOS vendor private key corresponding to the BIOS vendor public key, or a motherboard vendor private key corresponding to the motherboard vendor public key; the digital certificate public key is a CA center public key or a processor vendor public key; the digital certificate private key is a CA center private key corresponding to the CA center public key, or a processor vendor private key corresponding to the processor vendor public key.
10. A verification apparatus, comprising:
the information reading module is used for responding to a power-on starting instruction of the computer, reading a BIOS code and BIOS verification information from a BIOS chip of the computer, wherein the BIOS code is pre-stored with a unique identifier of computer hardware of the computer;
the BIOS verification module is used for carrying out BIOS code security verification according to the BIOS code and the BIOS verification information;
the code running module is used for running the BIOS code to start the work of power-on initialization of the computer if the BIOS code security verification is passed, wherein the work comprises verification of computer hardware;
and the hardware verification module is used for verifying whether the computer hardware of the computer is legal or not according to the unique identifier of the computer hardware which is pre-stored in the BIOS code in the process of verifying the computer hardware.
11. A computer, comprising: a processor and a BIOS chip; wherein the processor is configured to perform the authentication method of any of claims 1-9, the BIOS chip configured with BIOS code and BIOS authentication information, wherein the BIOS code pre-holds a unique identification of the computer hardware of the computer.
12. A computer configuration system, comprising: a BIOS configuration device system and a digital certificate device system; wherein the BIOS configuration device system configures information for the BIOS chip of a computer to be configured, the digital certificate device system configures information for the processor and the BIOS chip of the computer to be configured, and the computer is the computer as claimed in claim 11.
13. The computer configuration system of claim 12, wherein the BIOS configuration device system is configured to: generate a BIOS public key and a BIOS private key; send the BIOS public key to the digital certificate device system and obtain the digital certificate information sent by the digital certificate device system, wherein the digital certificate information is the result of encrypting the BIOS public key with the digital certificate private key generated by the digital certificate device system; store the unique identifier of the computer hardware of the computer to be configured in the BIOS code; generate a BIOS digest corresponding to the BIOS code; encrypt the BIOS digest with the BIOS private key to generate digital signature information; and burn the BIOS code, the digital signature information and the digital certificate information into the BIOS chip of the computer to be configured;
the digital certificate device system is configured to: generate a digital certificate public key and a digital certificate private key; encrypt the BIOS public key sent by the BIOS configuration device system with the digital certificate private key to generate digital certificate information, and send the digital certificate information to the BIOS configuration device system; and burn the digital certificate public key into the processor of the computer to be configured.
14. The computer configuration system of claim 13, wherein the digital certificate public key is burned into an internal ROM of the processor of the computer to be configured.
15. The computer configuration system of claim 13, wherein the BIOS configuration device system is a BIOS vendor device system or a motherboard vendor device system; the BIOS public key is a BIOS vendor public key or a motherboard vendor public key; the BIOS private key is a BIOS vendor private key corresponding to the BIOS vendor public key, or a motherboard vendor private key corresponding to the motherboard vendor public key;
the digital certificate device system is a CA device system or a processor vendor device system; the digital certificate public key is a CA center public key or a processor vendor public key; the digital certificate private key is a CA center private key corresponding to the CA center public key, or a processor vendor private key corresponding to the processor vendor public key.
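The configuration steps of claim 13 and the boot-time checks of claims 1 to 7, as an added example that is not part of the patent text. It assumes textbook RSA over constructed toy keys built from Mersenne primes, a hypothetical `SIG1` marker for recognising a well-formed recovered payload, and a hypothetical `HWID:` layout for the identifiers stored in the BIOS code; all function names are illustrative.

```python
import hashlib

E = 65537
TAG = b"SIG1"  # assumed marker that makes a recovered payload recognisable

def keypair(a, b):
    # Constructed toy key from Mersenne primes 2**a-1 and 2**b-1 (textbook RSA).
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # modulus n, private exponent d

def seal(payload, n, d):
    # "Encrypting with the private key", in the claims' wording.
    return pow(int.from_bytes(TAG + payload, "big"), d, n)

def open_sealed(blob, n):
    # "Decrypting with the public key"; None means not legitimate.
    m = pow(blob, E, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(TAG):] if raw.startswith(TAG) else None

def provision(hw_ids, body=b"BIOS-BODY"):
    ca_n, ca_d = keypair(607, 1279)      # digital certificate key pair
    bios_n, bios_d = keypair(127, 521)   # BIOS key pair
    cert = seal(bios_n.to_bytes(81, "big"), ca_n, ca_d)
    ids = b";".join(k + b"=" + v for k, v in sorted(hw_ids.items()))
    code = body + b"HWID:" + ids         # assumed layout: IDs stored inside the code
    sig = seal(hashlib.sha256(code).digest(), bios_n, bios_d)
    return ca_n, (code, sig, cert)       # processor ROM content, BIOS chip content

def boot(rom_ca_n, chip, detected_hw):
    code, sig, cert = chip
    key = open_sealed(cert, rom_ca_n)    # claim 4: certificate check yields BIOS public key
    if key is None:
        return "halt: certificate not legitimate"
    digest = open_sealed(sig, int.from_bytes(key, "big"))  # claim 3: signature check
    if digest is None:
        return "halt: signature not legitimate"
    if digest != hashlib.sha256(code).digest():            # claim 3: integrity check
        return "halt: BIOS code incomplete"
    stored = dict(i.split(b"=") for i in code.rsplit(b"HWID:", 1)[1].split(b";"))
    for name, hw_id in detected_hw.items():                # claims 6-7: hardware check
        if stored.get(name) != hw_id:
            return "halt: hardware " + name.decode() + " not legitimate"
    return "continue"
```

Because the hardware identifiers sit inside the signed BIOS code, editing them to match swapped hardware fails the digest comparison before the hardware check is ever reached.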
CN202310511593.7A 2023-05-08 2023-05-08 Verification method, verification device, computer and computer configuration system Pending CN116561734A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310511593.7A CN116561734A (en) 2023-05-08 2023-05-08 Verification method, verification device, computer and computer configuration system

Publications (1)

Publication Number Publication Date
CN116561734A true CN116561734A (en) 2023-08-08

Family

ID=87491018

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310511593.7A Pending CN116561734A (en) 2023-05-08 2023-05-08 Verification method, verification device, computer and computer configuration system

Country Status (1)

Country Link
CN (1) CN116561734A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117411644A (en) * 2023-12-12 2024-01-16 苏州元脑智能科技有限公司 Digital signature verification method and device, electronic equipment and storage medium
CN117411644B (en) * 2023-12-12 2024-03-01 苏州元脑智能科技有限公司 Digital signature verification method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109313690B (en) Self-contained encrypted boot policy verification
EP2659373B1 (en) System and method for secure software update
CN100454322C (en) Information processing device having activation verification function
JP5703391B2 (en) System and method for tamper resistant boot processing
CN110688660B (en) Method and device for safely starting terminal and storage medium
JP5079803B2 (en) System and method for authenticating a game device
WO2022160733A1 (en) File signature method, computing device, and storage medium
TW201732669A (en) Controlled secure code authentication
CN101657792A (en) Trusted component update system and method
CN113434853B (en) Method for burning firmware to storage device and controller
US10282549B2 (en) Modifying service operating system of baseboard management controller
CN103269271A (en) Method and system for back-upping private key in electronic signature token
CN108345805B (en) Method and device for verifying firmware
JP6387908B2 (en) Authentication system
KR20130008939A (en) Apparatus and method for preventing a copy of terminal's unique information in a mobile terminal
WO2018166163A1 (en) Pos terminal control method, pos terminal, server and storage medium
KR20170089352A (en) Firmware integrity verification for performing the virtualization system
CN115934194A (en) Controller starting method and device, electronic equipment and storage medium
CN116561734A (en) Verification method, verification device, computer and computer configuration system
JP4818824B2 (en) Program management system and terminal device
US20220245286A1 (en) Method for protecting device software integrity in continuity scenario
CN110210189B (en) Software verification method, software and hardware binding method and programmable device thereof
JP2009245135A (en) Information processing terminal device and start authentication method of application program
CN117556430B (en) Safe starting method, device, equipment and storage medium
US20240037216A1 (en) Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination