CN109117643B - System processing method and related equipment - Google Patents
System processing method and related equipment Download PDFInfo
- Publication number
- CN109117643B CN109117643B CN201811034733.1A CN201811034733A CN109117643B CN 109117643 B CN109117643 B CN 109117643B CN 201811034733 A CN201811034733 A CN 201811034733A CN 109117643 B CN109117643 B CN 109117643B
- Authority
- CN
- China
- Prior art keywords
- tpcm
- target file
- bios
- hash value
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000003672 processing method Methods 0.000 title abstract description 14
- 238000005259 measurement Methods 0.000 claims abstract description 47
- 238000000034 method Methods 0.000 claims abstract description 32
- JBWKIWSBJXDJDT-UHFFFAOYSA-N triphenylmethyl chloride Chemical compound C=1C=CC=CC=1C(C=1C=CC=CC=1)(Cl)C1=CC=CC=C1 JBWKIWSBJXDJDT-UHFFFAOYSA-N 0.000 claims abstract 23
- 238000012545 processing Methods 0.000 claims description 5
- 230000026676 system process Effects 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 239000000306 component Substances 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the application discloses a system processing method and related equipment, which are used for measuring files required by system starting when a system starting signal is received, and starting the system only when the measurement is successful, so that the file measurement before the system starting is realized, and the credibility of the started system is ensured. The method in the embodiment of the application comprises the following steps: when a trusted platform control device TPCM receives a system starting signal, target data are obtained, the target data are used for indicating the storage position of a target file, and the target file is a key file required by the system starting; the TPCM measures the target file; if the measurement of the target file fails, the TPCM outputs a warning; if the measurement of the target file is successful, the TPCM starts the system.
Description
Technical Field
The present application relates to the field of data security, and in particular, to a system processing method and related device.
Background
In the cloud computing era, ubiquitous information has become an important asset of countries, enterprises and individuals, and a trusted computing environment is provided to guarantee confidentiality, integrity and reliability of information, which is the most priority. In order to improve the security performance of the system, the computer architecture is started, and the credibility of the host is ensured by embedding a credible chip.
At present, two trusted chips, namely a Trusted Platform Module (TPM) and a Trusted Cryptography Module (TCM), have become core components of various trusted services and applications. After the system is started, the file used by the system is measured according to the call instruction of the system, so that the file is not maliciously modified, and the credibility of the system is further ensured.
Because the trusted chip provided by the prior art can only perform passive measurement on the system file according to the call instruction of the system, the file used by the system cannot be measured before the system is started, and thus the credibility of the started system cannot be ensured.
Disclosure of Invention
The embodiment of the application provides a system processing method and related equipment, which are used for measuring files required by system starting when a system starting signal is received, and starting the system only when the measurement is successful, so that the file measurement before the system starting is realized, and the credibility of the started system is ensured.
In a first aspect, an embodiment of the present application provides a system processing method, where the method includes:
when a trusted platform control device TPCM receives a system starting signal, target data are obtained, the target data are used for indicating the storage position of a target file, and the target file is a key file required by the system starting;
the TPCM measures the target file;
if the measurement of the target file fails, the TPCM outputs a warning;
if the measurement of the target file is successful, the TPCM starts the system.
In a second aspect, an embodiment of the present application provides a trusted platform control apparatus, where the TPCM includes:
the system comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring target data when a system starting signal is received, the target data is used for indicating the storage position of a target file, and the target file is a key file required by the system starting;
the measuring unit is used for measuring the target file;
an output unit for outputting a warning when the measurement of the target document fails;
and the starting unit is used for starting the system when the measurement on the target file is successful.
In a third aspect, an embodiment of the present application provides a terminal, including a trusted platform control device TPCM and a system,
the TPCM is used for acquiring target data when receiving a system starting signal, wherein the target data is used for indicating the storage position of a target file, the target file is a key file required by the system starting, the target file is measured, and when the measurement of the target file fails, a warning is output;
the system is used for executing starting operation according to the target file when the TPCM successfully measures the target file.
In a fourth aspect, the present application provides a computer program product, which is configured to, when executed, perform the steps of the system processing method described in the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium, where instructions of a system process are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to perform the steps of the system process method described in the first aspect.
In an eighth aspect, the present application provides a chip system, which includes a processor for enabling a network device to implement the functions referred to in the above aspects, for example, to transmit or process data and/or information referred to in the above methods. In one possible design, the system-on-chip further includes a memory for storing program instructions and data necessary for the network device. The chip system may be formed by a chip, or may include a chip and other discrete devices.
According to the technical scheme, the embodiment of the application has the following advantages:
after receiving a system starting signal, the TPCM acquires a key file required by system starting according to target data, measures the key file, outputs a warning if the measurement fails, and starts the system only if the measurement succeeds, so that the file measurement before the system starting is realized, and the credibility of the started system is ensured.
Drawings
FIG. 1 is a schematic structural diagram of a computer device according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a system processing method according to an embodiment of the present disclosure;
FIG. 3 is a schematic flow chart of a system processing method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a trusted platform control apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a system processing method and related equipment, which are used for measuring files required by system starting when a system starting signal is received, and starting the system only when the measurement is successful, so that the file measurement before the system starting is realized, and the credibility of the started system is ensured.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, a computer device 10 applied in the embodiment of the present application includes a Trusted Platform Control Module (TPCM) 100 and a system 110, where the trusted platform control module 100 is configured to establish and guarantee a trusted source point for the computer device 10, and provide a series of functions of trusted computing, such as integrity measurement, secure storage, trusted report, and cryptographic service, including measuring a file used by the system 110 in a starting and running process to ensure the trustworthiness of the system 110, and the above measurement operation performed on the file may also be referred to as authentication of the system corresponding to the file.
In this embodiment, the trusted platform control apparatus 100 may include an execution engine, a non-volatile storage (NV) space, a Platform Configuration Register (PCR), a volatile storage space, a key generator, a cryptographic algorithm engine, a random number generator, and an input/output unit, where the functional units are connected by a communication bus. The execution engine is a TPCM (trusted platform manager) operation execution unit, a nonvolatile storage space, a platform configuration register and a volatile storage space, which are all storage units for storing permanent data, a key generator and a cryptographic algorithm engine. In the embodiment of the present invention, the target data storage area is a nonvolatile storage unit and a platform configuration register, and the functions of other functional units are not described herein again.
In this embodiment, the TPCM100 may be embodied as a set of hardware and firmware, may adopt an independent package form, and may also adopt a mode for an Application Specific Integrated Circuit (ASIC) or a Field Programmable Gate Array (FPGA) to be integrated with other types of chips, so as to implement functions.
In the embodiment of the present application, the system 110 refers to a system running on a computer device 10 embedded in the trusted platform control apparatus 100, where the computer device 10 may be a cloud storage device storing important information of countries, enterprises, and individuals, or may be an individual or private local storage device. The system 110 may include a Basic Input Output System (BIOS), an operating system, or the like, and is not limited herein.
Referring to fig. 2, an embodiment of a system processing method according to the present invention may include:
201. when the TPCM receives a system start signal, target data is acquired.
In this embodiment, after the computer device where the TPCM is located is started, the TPCM may receive an electrical signal, that is, when the TPCM receives a system start signal, the TPCM may take over a start permission of the system, and obtain target data from the NV space of the TPCM by using the start permission, where the target data is used to indicate a storage location of a target file, and the target file is a file stored in the system and may be a key file required when the system is started.
In this embodiment, the target data may be a storage path of the target file, may also be a file name of the target file, and may also be other information that may indicate a storage location of the target file, which is not limited herein.
In this embodiment, the target file may be a kernel file, for example, since the system may include a BIOS, the target file may be a necessary file required when the BIOS is started; as another example, the object file may also include all files required by the BIOS and the operating system when starting, and a specific object file includes a file, which is not limited herein.
202. The TPCM performs measurement on the target file, and if the measurement on the target file fails, step 203 is executed; if the target file is successfully measured, step 204 is performed.
In this embodiment, after acquiring the target data by using the start permission, the TPCM may read a target file from a storage location of the target file, and may measure the target file to determine whether the target file is illegally tampered, so as to determine whether a system that executes a start operation by using the target file is trusted.
In this embodiment, the measuring the target file refers to comparing the target file before the system is started with the target file stored in the trusted state of the system, so as to determine whether the target file is tampered illegally.
In this embodiment, the measuring of the target file may be that before the system is started, the target file stored in the system in a trusted state may be acquired, and the target file acquired before the system is started is compared with the target file stored in the trusted state, so as to determine whether the target file stored in the system is illegally tampered before the system is started; the measurement of the target file can also be carried out by carrying out hash operation on the obtained target file before the system is started, and obtaining a second hash value from NV space of the TPCM, wherein the second hash value is obtained by carrying out hash operation on the target file when the system is in a credible state, and whether the target file is illegally tampered is judged by judging whether the first hash value is consistent with the second hash value; the target file may also be measured in other manners, which is not described herein any more.
203. The TPCM outputs a warning.
In this embodiment, if the TPCM fails to measure the target file, the TPCM may output a warning to notify the user that the target file is illegally tampered, and the current system is in an untrusted state. Wherein, the warning is output by outputting a reminding bullet frame; it may also be a voice prompt, such as, for example, an audible alert that the current system is not trusted; it is also possible to emit a certain sound, for example, a sound of "beep" when the measurement fails, and the specific manner of outputting the warning may be flexibly set according to the actual situation, and is not limited herein.
204. The TPCM starts the system.
In this embodiment, if the TPCM successfully measures the target file, it is verified that the system is in a trusted state, and the TPCM may start the system.
In this embodiment, after receiving a system start signal, the TPCM acquires a key file required for system start according to target data, measures the key file, outputs an alarm if measurement fails, and starts the system only if measurement succeeds, thereby implementing file measurement before system start and ensuring the credibility of the started system.
Based on the foregoing embodiment described in fig. 2, referring to fig. 3, another embodiment of the system processing method provided in the embodiment of the present application may include:
301. when the TPCM receives a system start signal, target data is acquired.
In this embodiment, step 301 is similar to step 201 in the embodiment shown in fig. 2, and is not described herein again.
302. The TPCM carries out hash operation on the target file to obtain a first hash value.
In this embodiment, the TPCM may perform hash operation on the key file required for starting the BIOS system before the system is started, that is, in a state where it is unknown whether the system is trusted, so as to obtain the first hash value of the target file.
In this embodiment, one or more target files may be used, and when there are multiple target files, multiple first hash values corresponding to the multiple target files may be obtained.
303. The TPCM determines whether the first hash value is consistent with the second hash value, if the first hash value is inconsistent with the second hash value, go to step 304; if the first hash value is consistent with the second hash value, go to step 307.
In this embodiment, the NV space of the TPCM may be pre-stored with a second hash value, where the second hash value is obtained by performing hash operation on the target file when the system is in a trusted state, and the TPCM may determine whether the first hash value is consistent with the second hash value, so as to determine whether the target file before the system is started is consistent with the target file in the trusted state, that is, determine whether the target file is illegally tampered before the system is started. According to the method and the device, whether the target file is illegally tampered is judged by comparing the hash values, so that the time consumption caused by detailed comparison of the files is reduced, and the speed of the system starting process is increased.
In this embodiment, since the NV spaces of the TPCM may be multiple, when the target file is multiple, the second hash value of the corresponding target file may be stored in different NV spaces, so that when the second hash value is read, the second hash value may be read from the corresponding NV space, thereby avoiding confusion among the multiple second hash values.
304. The TPCM stores the first hash value in a platform configuration register.
In this embodiment, the TPCM may store the first hash value in a platform configuration register if the first hash value is inconsistent with the second hash value. After the target file is illegally tampered, the target file needs to be analyzed to obtain the unreliable reason of the system, the first hash value when the system is in the unreliable state is stored, and when the first hash value is inconsistent with the second hash value again, the first hash value stored in the platform configuration register can be obtained, so that the accuracy of analyzing the unreliable reason of the system is improved, and the analysis speed can also be improved.
305. The TPCM outputs a warning.
In this embodiment, step 307 is similar to step 203 in the embodiment shown in fig. 2, and is not repeated here.
306. The TPCM prompts to input a password, and determines whether the input password is consistent with a preset password, if so, the TPCM proceeds to step 307; if the input password is not consistent with the preset password, go to step 308.
In this embodiment, the NV space of the TPCM may be pre-stored with a password, where the password may also be referred to as a start privilege code, and when the first hash value and the second hash value are different, the TPCM may prompt to input the password, and determine whether the input password is consistent with the start privilege code, and if so, may prove that the user is a privileged user.
In this embodiment, the TPCM may prompt to input the password by outputting a pop box, for example, a pop box with a display content of "please input the start privilege code"; for example, a voice prompt of "please input a fingerprint" may be output, and a password may be prompted by other manners, which should be flexibly set in combination with the actual situation, which is not described herein.
In this embodiment, the preset password may be a combination of numbers, a combination of characters and numbers, a combination of numbers, letters and punctuations, fingerprint information of privileged users, and the like, and is not limited herein.
In this embodiment, an NV space (NV, Non-volatile Storage) in the TCM is a secure space, and data stored in the NV space is encrypted and stored by a national crypto authority autonomous encryption algorithm, so that the data stored in the NV space is secure and reliable and cannot be tampered. In this embodiment, the target data and/or the second hash value and/or the preset password are/is stored in the NV space, so that the data is not tampered, and accuracy and credibility of the measurement result are ensured.
It is understood that the execution sequence of step 304, step 305, and step 306 is not limited in this embodiment, and step 304 may be executed first, then step 305 may be executed, and then step 306 may be executed; alternatively, step 305 may be performed first, then step 304 may be performed, and then step 306 may be performed; step 306, step 304, and step 305 may also be performed first, or any other sequence of step 304, step 305, and step 306 may also be performed, which is not described herein any more.
307. The TPCM powers up the BIOS.
In this embodiment, because the BIOS may run on a BIOS chip, when the first hash value is consistent with the second hash value, that is, the BIOS is in a trusted state, the TPCM powers on a chip where the BIOS is located; when the first hash value is not consistent with the second hash value, but the input password is consistent with the preset password, namely the user starts the system by inputting the privilege starting code, the TPCM can also power on the chip where the BIOS is located, and the user can manually delete the tampered illegal file after entering the BIOS system because the TPCM sends out the warning prompt.
In the embodiment, because the BIOS is started firstly in the system starting process, the TPCM only measures the necessary key files when the BIOS is started, and if the key files required by the BIOS are measured successfully, the BIOS is started firstly, so that the measurement of all the key files required by the system starting is avoided, the time of the system starting process is saved, and the system starting speed is improved.
308. The TPCM performs other procedures.
Fig. 4 is a schematic structural diagram of a trusted platform control apparatus according to an embodiment of the present application, where the trusted platform control apparatus 400 may include:
an obtaining unit 401, configured to obtain target data when a system start signal is received, where the target data is used to indicate a storage location of a target file, and the target file is a key file required when the system is started;
a measuring unit 402, configured to measure the target file;
an output unit 403 for outputting a warning when the measurement of the target file fails;
an initiating unit 404, configured to initiate the system when the measurement of the target file is successful.
In a possible implementation manner, the metric unit 402 is specifically configured to:
the TPCM carries out Hash operation on the target file to obtain a first Hash value; the TPCM judges whether the first hash value is consistent with a second hash value, wherein the second hash value is obtained by carrying out hash operation on the target file when the system is in a credible state; if the first hash value is not consistent with the second hash value, the TPCM determines that the measurement of the target file fails.
In a possible implementation manner, the output unit 403 is specifically configured to: when the TPCM fails to measure the target file, prompting to input a password;
the starting unit 404 is specifically configured to: and in the case that the input password is consistent with the preset password, the TPCM starts the system.
In a possible implementation manner, the TPCM includes a non-volatile storage NV space, and the target data and/or the second hash value and/or the preset password are stored in the NV space.
In a possible implementation manner, the TPCM includes a platform configuration register PCR, and the trusted platform control apparatus 400 may further include:
the storage unit 405 is configured to store the first hash value in the PCR by the TPCM if the first hash value is not consistent with the second hash value.
In a possible implementation manner, the system includes a BIOS, the target file includes a key file required by the BIOS when starting, and the starting unit 404 is specifically configured to:
the TPCM powers up the BIOS.
In this embodiment, the process executed by each unit in the trusted platform control device 400 is similar to the process executed by the trusted platform control device TPCM in the embodiment shown in fig. 2 and fig. 3, and is not described herein again.
In this embodiment, after the obtaining unit 401 receives a system start signal, a key file required when the system is started is obtained according to target data, the measuring unit 402 may measure the key file, if the measurement fails, the output unit 403 outputs an alarm, and only if the measurement succeeds, the starting unit 404 starts the system, so that file measurement before the system is started is achieved, and the credibility of the started system is ensured.
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application, where the terminal 50 may include a trusted platform control apparatus 500 and a system 510,
the trusted platform control apparatus 500 may include an acquiring unit 5001, a measuring unit 5002, an outputting unit 5003, and an initiating unit 5004, and the system 510 may include a running unit 5101:
when a system start signal is received, the obtaining unit 501 obtains target data, where the target data is used to indicate a storage location of a target file, and the target file is a key file required when the system 510 is started; the measurement unit 502 measures the target file; when the measurement unit 502 fails to measure the target file, the output unit 503 outputs a warning; when the measurement unit 502 successfully measures the target file, the start unit 504 starts the system 510;
the operation unit 5101, after the start unit 504 triggers the system start operation, executes the start operation according to the target file.
In a possible implementation manner, the metric unit 502 is specifically configured to:
the TPCM performs hash operation on the target file stored in the system 510 to obtain a first hash value; the TPCM judges whether the first hash value is consistent with a second hash value, wherein the second hash value is obtained by carrying out hash operation on the target file when the system is in a credible state; if the first hash value is not consistent with the second hash value, the TPCM determines that the measurement of the target file fails.
In a possible implementation manner, the output unit 403 is specifically configured to: when the TPCM fails to measure the target file, prompting to input a password;
the starting unit 404 is specifically configured to: and in the case that the input password is consistent with the preset password, the TPCM starts the system.
In a possible implementation manner, the TPCM includes a non-volatile storage NV space, and the target data and/or the second hash value and/or the preset password are stored in the NV space.
In a possible implementation manner, the TPCM includes a platform configuration register PCR, and the trusted platform control apparatus 500 may further include: a storage unit 505, configured to store the first hash value in the PCR by the TPCM if the first hash value is inconsistent with the second hash value.
In a possible implementation manner, the system includes a BIOS, the target file includes a key file required by the BIOS when starting, and the starting unit 504 is specifically configured to: the TPCM powers up the BIOS.
In this embodiment, the process executed by each unit in the trusted platform control device 500 included in the terminal 50 is similar to the process executed by the trusted platform control device TPCM in the embodiments shown in fig. 2 and fig. 3, and is not described again here.
In this embodiment, after the obtaining unit 5001 receives a system start signal, a key file required when the system is started is obtained according to target data, the measuring unit 5002 may measure the key file, if the measurement fails, the output unit 5003 outputs an alarm, and only if the measurement succeeds, the starting unit 5004 triggers the start operation of the system, and then the running unit 5101 executes the start operation, so that file measurement before the system is started is realized, and the credibility of the started system is ensured.
Also provided in the embodiments of the present application is a computer program product, which is used to execute the steps of the system processing method described in the embodiments of fig. 3 and 4.
Also provided in the embodiments of the present application is a computer-readable storage medium, which stores instructions for caching data processing, and when the instructions are executed on a computer, the computer is caused to execute the steps of the system processing method described in the embodiments shown in fig. 3 and fig. 4.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Claims (8)
1. A method of system processing, the method comprising:
when a trusted platform control device (TPCM) receives a system starting signal, acquiring target data, wherein the target data is used for indicating the storage position of a target file, the system comprises a Basic Input Output System (BIOS), and the target file comprises a key file required by the starting of the BIOS;
the TPCM measures the target file;
if the measurement of the target file fails, the TPCM outputs a warning;
if the target file is measured successfully, the BIOS is in a trusted state, the BIOS is started first, and the TPCM powers on the BIOS.
2. The method of claim 1, wherein the TPCM performs metrics on the target file, comprising:
the TPCM carries out Hash operation on the target file to obtain a first Hash value;
the TPCM judges whether the first hash value is consistent with a second hash value, wherein the second hash value is obtained by carrying out hash operation on the target file when the system is in a credible state;
and if the first hash value is inconsistent with the second hash value, the TPCM determines that the measurement of the target file fails.
3. The method of claim 2, further comprising:
if the TPCM fails to measure the target file, prompting to input a password;
and starting the system by the TPCM under the condition that the input password is consistent with a preset password.
4. A method according to claim 3, wherein the TPCM includes a non-volatile storage NV space, and wherein the target data and/or the second hash value and/or the preset password are stored in the NV space.
5. The method of claim 2, wherein the TPCM contains Platform Configuration Register (PCR), the method further comprising:
if the first hash value is not consistent with the second hash value, the TPCM stores the first hash value in the PCR.
6. A trusted platform control device, TPCM, comprising:
the system comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring target data when a system starting signal is received, the target data is used for indicating the storage position of a target file, the system comprises a Basic Input Output System (BIOS), and the target file comprises a key file required by the BIOS during starting;
the measurement unit is used for measuring the target file;
an output unit for outputting a warning when the measurement of the target file fails;
and the starting unit is used for starting the BIOS first when the measurement of the target file is successful and the BIOS is in a trusted state, and the TPCM powers on the BIOS.
7. A terminal, characterized in that the terminal comprises a trusted platform control means TPCM and a system,
the TPCM is used for acquiring target data when receiving a system starting signal, wherein the target data is used for indicating the storage position of a target file, the system comprises a Basic Input Output System (BIOS), the target file comprises a key file required by the BIOS during starting, the target file is measured, and when the measurement of the target file fails, a warning is output;
the system is used for starting the BIOS when the TPCM successfully measures the target file and the BIOS is in a trusted state, and the TPCM powers on the BIOS.
8. A computer-readable storage medium having stored therein instructions for a system process, which when executed on a computer, cause the computer to perform the system process method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811034733.1A CN109117643B (en) | 2018-09-05 | 2018-09-05 | System processing method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811034733.1A CN109117643B (en) | 2018-09-05 | 2018-09-05 | System processing method and related equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109117643A CN109117643A (en) | 2019-01-01 |
| CN109117643B true CN109117643B (en) | 2021-05-07 |
Family
ID=64858620
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811034733.1A Active CN109117643B (en) | 2018-09-05 | 2018-09-05 | System processing method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109117643B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111506897B (en) * | 2019-01-30 | 2023-05-02 | 阿里巴巴集团控股有限公司 | Data processing method and device |
| CN111177752B (en) * | 2019-12-20 | 2023-02-10 | 全球能源互联网研究院有限公司 | Credible file storage method, device and equipment based on static measurement |
| CN113486353B (en) * | 2021-06-24 | 2023-08-01 | 邦彦技术股份有限公司 | Trusted measurement method, system, equipment and storage medium |
| CN113468615B (en) * | 2021-06-24 | 2023-08-01 | 邦彦技术股份有限公司 | Trusted measurement method, trusted chip, logic controller and trusted measurement system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106127057A (en) * | 2016-06-23 | 2016-11-16 | 浪潮电子信息产业股份有限公司 | Method for constructing trusted boot control based on TPM |
| EP3125149A1 (en) * | 2005-01-07 | 2017-02-01 | Microsoft Technology Licensing, LLC | Systems and methods for securely booting a computer with a trusted processing module |
| CN107346393A (en) * | 2017-06-30 | 2017-11-14 | 浪潮(北京)电子信息产业有限公司 | A kind of system start method and system based on TCM |
| CN207731274U (en) * | 2018-01-29 | 2018-08-14 | 北京可信华泰信息技术有限公司 | A kind of credible platform control device |
-
2018
- 2018-09-05 CN CN201811034733.1A patent/CN109117643B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3125149A1 (en) * | 2005-01-07 | 2017-02-01 | Microsoft Technology Licensing, LLC | Systems and methods for securely booting a computer with a trusted processing module |
| CN106127057A (en) * | 2016-06-23 | 2016-11-16 | 浪潮电子信息产业股份有限公司 | Method for constructing trusted boot control based on TPM |
| CN107346393A (en) * | 2017-06-30 | 2017-11-14 | 浪潮(北京)电子信息产业有限公司 | A kind of system start method and system based on TCM |
| CN207731274U (en) * | 2018-01-29 | 2018-08-14 | 北京可信华泰信息技术有限公司 | A kind of credible platform control device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109117643A (en) | 2019-01-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109117643B (en) | System processing method and related equipment | |
| US10659237B2 (en) | System and method for verifying integrity of an electronic device | |
| US8161285B2 (en) | Protocol-Independent remote attestation and sealing | |
| EP3033710B1 (en) | Secure os boot as per reference platform manifest and data sealing | |
| US20100082987A1 (en) | Transparent trust validation of an unknown platform | |
| CN111666564B (en) | Application program safe starting method and device, computer equipment and storage medium | |
| US9270467B1 (en) | Systems and methods for trust propagation of signed files across devices | |
| CN107133520B (en) | Credibility measuring method and device for cloud computing platform | |
| CN110245495B (en) | BIOS checking method, configuration method, device and system | |
| Böck et al. | Towards more trustable log files for digital forensics by means of “trusted computing” | |
| CN112434306A (en) | Credibility measuring method, device, system, electronic equipment and storage medium | |
| CN106465076B (en) | Method and terminal for controlling short message reading | |
| CN110875819B (en) | Password operation processing method, device and system | |
| US11232209B2 (en) | Trojan detection in cryptographic hardware adapters | |
| CN106203100A (en) | A kind of integrity checking method and device | |
| US20210067520A1 (en) | Cross-attestation of electronic devices | |
| CN111858114B (en) | Device starting exception handling and device starting control method, device and system | |
| CN112825093A (en) | Security baseline checking method, host, server, electronic device and storage medium | |
| CN108259471B (en) | Encryption method, decryption method and device for proprietary information and processing equipment | |
| JP2017045308A (en) | Software alteration detection system and network security system | |
| KR101893504B1 (en) | A file integrity test in linux environment device and method | |
| CN114584314B (en) | Registration method, device, equipment and medium | |
| JP6063317B2 (en) | Terminal device and determination method | |
| CN118260774B (en) | Server starting method and device, storage medium and electronic equipment | |
| CN116305130B (en) | Dual-system intelligent switching method, system and medium based on system environment recognition |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |