
WO2023179745A1 - Trusted verification method and apparatus - Google Patents


Info

Publication number
WO2023179745A1
Authority
WO
WIPO (PCT)
Prior art keywords
measured object
tcm
control module
measurement value
trusted
Prior art date
Legal status
Ceased
Application number
PCT/CN2023/083577
Other languages
French (fr)
Chinese (zh)
Inventor
王正鹏
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2023179745A1
Legal status: Ceased

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to the field of information security technology, and in particular to a trustworthy verification method and device.
  • the trusted platform control module is a protective component integrated in the device and consists of hardware, software and firmware. TPCM is connected in parallel with the hardware, software and firmware of the device's computing system and is a basic core module used to establish and ensure the source of trust. TPCM provides active measurement, active control, trusted verification, encryption protection, trusted reporting, cryptographic invocation and other functions for the software and firmware in the device.
  • This application discloses a trusted verification method and related devices, which can realize active measurement of software and/or firmware in the device based on TPCM, and improve the security protection of data.
  • this application provides a trusted verification method, which is applied to a trusted verification system.
  • the trusted verification system includes a trusted platform control module TPCM and a trusted cryptographic module TCM.
  • the aforementioned TPCM includes a main control module;
  • the aforementioned method includes performing the following operations through the aforementioned main control module:
  • calling the aforementioned TCM to calculate the first measurement value of the first measured object;
  • the aforementioned first measured object includes one or more objects in the software and firmware in the device where the aforementioned trusted verification system is located;
  • Policy control is performed on the first measured object based on the matching result between the first metric value and the reference metric value.
  • the embodiment of the present application provides a trusted verification solution that actively measures the integrity of the software and/or firmware in the device based on TPCM.
  • the benchmark measurement value of the measured object is stored in the non-volatile memory of the TCM. Since the non-volatile memory of the TCM is a protected storage area that can only be accessed after authorization, the benchmark measurement value is better protected. This ensures the reliability of the integrity measurement, reduces the risk of the measured object being tampered with, and improves the security protection of system data.
  • before calling the TCM to calculate the first measurement value of the first measured object, the method further includes:
  • the second measurement value is written into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification.
  • This solution uses a one-time programmable memory to quickly determine whether the benchmark measurement value of the first measured object has already been stored. Compared with the existing solution, which must compare entries in the memory one by one to decide, this solution improves trusted measurement efficiency. In addition, for a measured object that has no stored baseline value, the current measurement value is stored as the baseline value, which solves the problem of having to write the baseline value offline when none exists.
  • before writing the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification, the method further includes:
  • the memory in the TCM can only be accessed after authorization, ensuring that the protected storage area in the TCM will not be maliciously tampered with, and improving the security protection of the baseline value.
  • the method further includes:
  • the aforementioned first identification corresponding to the aforementioned first measured object in the aforementioned one-time programmable memory is changed to a second identification, and the aforementioned second identification indicates that the reference measurement value of the aforementioned first measured object has been stored in the non-volatile memory of the aforementioned TCM.
  • the corresponding identifier in the one-time programmable memory can be changed, so that, based on the changed identifier, it can be quickly determined that the corresponding reference value has already been stored.
  • the aforementioned method further includes: reading, through the aforementioned main control module, the second identification corresponding to the aforementioned first measured object in the aforementioned one-time programmable memory;
  • the aforementioned reading of the aforementioned reference measurement value of the aforementioned first measured object from the aforementioned non-volatile memory of the TCM includes:
  • the reference measurement value of the first measured object is read from the non-volatile memory of the TCM based on the second identification.
  • the corresponding benchmark value can be quickly read from the non-volatile memory based on the identifier in the one-time programmable memory corresponding to the first measured object, without a further comparison to determine whether the benchmark value has been stored, improving trusted measurement efficiency.
  • the foregoing method further includes performing the following operations through the foregoing main control module:
  • the reference measurement value of the first measured object in the non-volatile memory of the TCM is updated to the reference measurement value of the second measured object.
  • This solution interacts with the remote trusted management center to obtain the baseline metric value of the updated software/firmware and updates the local baseline value, which solves the problem that the baseline value needs to be re-programmed offline after the software/firmware is updated, otherwise it cannot be started.
  • the policy control module of the aforementioned TPCM includes configuration information of the control policy of the measured object
  • the aforementioned method also includes performing the following operations through the aforementioned main control module:
  • the configuration information of the control policy of the first measured object in the policy control module of the TPCM is updated to the configuration information of the target control policy.
  • This solution can achieve timely control policy updates by interacting with the remote trusted management center, and avoids the problem of abnormal policy control of the measured object during the trusted verification process.
  • the foregoing method further includes performing the following operations through the foregoing main control module:
  • This solution stores this information in the platform configuration memory so that it can be used for remote certification later.
  • the aforementioned trusted verification system is a management system implemented based on a baseboard management controller (BMC).
  • BMC baseboard management controller
  • this application provides a trusted verification device, which includes a trusted verification system.
  • the trusted verification system includes a trusted platform control module TPCM and a trusted cryptographic module TCM.
  • the aforementioned TPCM includes a main control module;
  • the aforementioned main control module is used for:
  • calling the aforementioned TCM to calculate the first measurement value of the first measured object;
  • the aforementioned first measured object includes one or more objects in the software and firmware in the device where the aforementioned trusted verification system is located;
  • Policy control is performed on the first measured object based on the matching result between the first metric value and the reference metric value.
  • the aforementioned main control module is also used for:
  • the second measurement value is written into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification.
  • the aforementioned main control module is also used for:
  • the aforementioned main control module is also used for:
  • after the aforementioned second measurement value is written into the aforementioned non-volatile memory of the aforementioned TCM as the aforementioned reference measurement value of the aforementioned first measured object based on the aforementioned first identification, the first identification corresponding to the aforementioned first measured object in the aforementioned one-time programmable memory is changed to a second identification, and the second identification indicates that the reference measurement value of the first measured object has been stored in the non-volatile memory of the TCM.
  • the main control module is further configured to: read the second identification corresponding to the first measured object in the one-time programmable memory;
  • the aforementioned reading of the aforementioned reference measurement value of the aforementioned first measured object from the aforementioned non-volatile memory of the TCM includes:
  • the reference measurement value of the first measured object is read from the non-volatile memory of the TCM based on the second identification.
  • the aforementioned main control module is also used for:
  • the reference measurement value of the first measured object in the non-volatile memory of the TCM is updated to the reference measurement value of the second measured object.
  • the policy control module of the TPCM includes configuration information of the control strategy of the measured object; the main control module is also used to:
  • the configuration information of the control policy of the first measured object in the policy control module of the TPCM is updated to the configuration information of the target control policy.
  • the aforementioned main control module is also used for:
  • the aforementioned trusted verification system is a management system implemented based on a baseboard management controller (BMC).
  • BMC baseboard management controller
  • this application provides a trusted verification device, including a processor and a memory, for implementing the method described in the above first aspect and its possible implementations.
  • the memory is coupled to a processor.
  • when the processor executes a computer program stored in the memory (the computer program can be the main control module of the TPCM in the above-mentioned trusted verification system), the device can implement the method described in the above-mentioned first aspect or any of its possible implementations.
  • the device may also include a communication interface for the device to communicate with other devices.
  • the communication interface may be a transceiver, a circuit, a bus, a module or other types of communication interfaces.
  • the communication interface includes a receiving interface and a sending interface. The receiving interface is used for receiving messages, and the sending interface is used for sending messages.
  • the device may include:
  • Memory used to store the main control module of TPCM in the above-mentioned trusted verification system
  • calling the TCM to calculate the first measurement value of the first measured object;
  • the first measured object includes one or more objects in the software and firmware in the device where the trusted verification system is located;
  • Policy control is performed on the first measured object based on a matching result between the first metric value and the base metric value.
  • the computer program in the memory can be stored in advance or can be downloaded from the Internet and stored when using the device.
  • This application does not specifically limit the source of the computer program in the memory.
  • the coupling in the embodiment of this application is an indirect coupling or connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information interaction between devices, units or modules.
  • the present application provides a computer-readable storage medium that stores a computer program.
  • when the computer program is executed by a processor, the method described in any one of the above-mentioned first aspect and its possible implementations is implemented.
  • the present application provides a computer program product, which includes a computer program.
  • when the computer program is executed by a processor, the computer performs the method described in any one of the above first aspects.
  • the devices described in the second and third aspects, the computer storage medium described in the fourth aspect, and the computer program product described in the fifth aspect provided above are all used to execute any one of the methods provided in the first aspect. Therefore, for the beneficial effects they can achieve, reference may be made to the beneficial effects of the corresponding methods, which will not be repeated here.
  • Figure 1 shows a schematic diagram of the system architecture provided by an embodiment of the present application
  • Figure 2 shows a schematic flow chart of the trustworthy verification method provided by the embodiment of the present application
  • Figure 3 shows a schematic structural diagram of a device provided by an embodiment of the present application
  • Figure 4 shows another structural schematic diagram of the device provided by the embodiment of the present application.
  • TPCM Trusted platform control module
  • TPCM is a protective component integrated in the device, consisting of hardware, software and firmware.
  • TPCM is connected in parallel with the hardware, software and firmware of the device's computing system and is a basic core module used to establish and ensure the source of trust.
  • TPCM provides active measurement, active control, trusted verification, encryption protection, trusted reporting, cryptographic invocation and other functions for the software and firmware in the device.
  • TCM Trusted crypto module
  • TCM is a module that has functions such as cryptographic operations required for trusted computing and provides protected storage space.
  • TCM needs to provide a protected storage space inside it during design and manufacturing.
  • This storage space has non-volatile characteristics, that is, the data will not be lost even if the power is turned off.
  • the storage space in TCM is protected and cannot be accessed by the outside world at will. Access requires specific authorization operations through the TCM interface.
  • TCM is a collection of hardware and firmware that builds a secure computing environment. Its core function is to build trusted computing on independent cryptographic algorithms along three dimensions: integrity measurement and verification, identity identification and authentication, and data protection.
  • NVM Non-volatile memory
  • Non-volatile memory refers to memory that does not lose data when the computer is turned off or shut down suddenly or unexpectedly.
  • BMC Base-board management controller
  • BMC is an out-of-band management subsystem widely used in server computers. Its functions include a virtual keyboard, mouse and monitor, power management control, and remote operation and maintenance, as well as monitoring of physical information of servers and other computers such as power-supply voltage, temperature, fan status and chassis status. Its hardware is the first component of the motherboard to be powered on and forms the out-of-band management system.
  • the scope of the trusted root includes the root of trust for measurement (RTM), the root of trust for storage (RTS), and the root of trust for reporting (RTR).
  • RTM root of trust for measurement
  • RTS root of trust for storage
  • RTR root of trust for reporting
  • CRTM is the first piece of code or the first piece of computer program executed after the computer is powered on and started, and is the core program code for establishing a root of trust.
  • BIOS Basic input output system
  • BIOS is a set of programs solidified on a memory chip on the motherboard. It stores the computer's most important basic input and output programs, the power-on self-test program and the system self-start program, and it can read and write detailed system-setting information from complementary metal oxide semiconductor (CMOS) memory.
  • CMOS complementary metal oxide semiconductor
  • Firmware can be a kind of software that is written into the chip, so it is "hardened".
  • the firmware code itself can be stored in read-only memory (ROM). It can also be stored in memory such as programmable read-only memory (PROM) or electrically erasable programmable read-only memory (EEPROM).
  • ROM read-only memory
  • PROM programmable read-only memory
  • EEPROM electrically erasable programmable read-only memory
  • Trusted verification refers to the process of active integrity measurement and verification of measured objects. It can also include the process of implementing policy control on measured objects based on the results of measurement and verification.
  • An image (mirror) file is a form of file storage. The file is produced and stored in a certain format. An image file is exactly the same as the original file except that the storage location differs; in other words, the image file is a backup or copy of the original file.
  • Figure 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
  • the trusted verification system 11 includes a trusted platform control module 110 and a trusted cryptographic module 112.
  • the trusted platform control module 110 and the trusted cryptographic module 112 can communicate with each other.
  • the above-mentioned trusted platform control module 110 includes a main control module 1101, a policy control module 1102, a one-time programmable memory 1103 and an update interface 1104.
  • the above-mentioned main control module 1101 is the core of the entire trusted verification system 11 and is also the core root of trust for measurement (CRTM) of the trusted platform control module 110.
  • the main control module 1101 is the first module to be started and executed after the device where it is located is powered on.
  • the main control module 1101 is responsible for obtaining the measured object 12 and performing active measurement and trusted verification on the measured object 12.
  • the measured object 12 is one or more objects in the software and/or firmware in the device where the trusted verification system 11 is located.
  • the measured object may include one or more of the following: the logic configuration file of the complex programmable logic device (CPLD), the boot program image file of the BMC, the BIOS configuration file, the binary image file of the BIOS segmented function code, the binary image file of the BIOS driver module, the binary image file of the BIOS peripheral function module, the binary image file of the computer's operating system boot loader (operating system loader, OS loader), the binary image file of the computer's operating system, the image file of the BMC operating system, and the binary image file of the BMC application software.
  • the above main control module 1101 may also be called a TPCM engine.
  • the main control module 1101 may be deployed in the device in the form of software or firmware, and called and executed by the processor in the device.
  • This processor also belongs to the above-mentioned trusted verification system 11 and is not shown in Figure 1.
  • the above-mentioned policy control module 1102 mainly contains configuration information of policy control corresponding to each measured object. For example, it includes the configuration information of the policy to be executed after each measured object successfully passes the integrity measurement, and the configuration information of the policy to be executed after each measured object fails to measure the integrity, and so on.
  • the policy control module 1102 may be deployed in the device in the form of software or firmware.
  • the one-time programmable memory 1103 can store multiple bits of data.
  • the initial value of multiple bits of data in the one-time programmable memory 1103 may be "1".
  • the data in any one bit can be changed from the stored value to "0" through one-time programming.
  • This programming is achieved by blowing the fuse corresponding to the bit. Because the blowing operation is irreversible, the bit has one and only one opportunity to be programmed, so it is one-time programming. The same applies to the other bits among the plurality of bits, so the memory is called a one-time programmable memory.
  • the one-time programmable memory 1103 mentioned above may be a memory implemented based on efuse.
  • the determination of whether the benchmark measurement value of the measured object already exists can be implemented through the one-time programmable memory 1103, which will be introduced later and will not be described in detail here.
  • the above-mentioned update interface 1104 is mainly responsible for communicating with the remote trusted management center 13 and is used to import updated information into the trusted platform control module 110.
  • the remote trusted management center 13 includes a baseline and policy management module.
  • the measured object is often updated or the corresponding control strategy is often updated after the measured object is measured.
  • the benchmark and policy management module can measure the updated measured object to obtain a new benchmark metric value, and then send the new benchmark metric value to the trusted platform control module 110 through the update interface 1104.
  • the baseline and policy management module can also send the updated control policy to the trusted platform control module 110 through the update interface 1104. This allows the trusted platform control module 110 to update the corresponding baseline metric values and control strategies in a timely manner.
  • the remote trusted management center 13 can also complete remote trustworthy certification of trustworthy verification results, etc. This application does not limit the specific functions of the remote trusted management center 13.
  • the above-mentioned trusted cryptographic module 112 includes an algorithm module 1121, a non-volatile memory 1122 and a platform configuration register (platform configuration registers, PCR) 1123.
  • the above algorithm module 1121 can implement a cryptographic hash function algorithm.
  • the algorithm module 1121 can calculate the integrity measurement value of the measured object through a cryptographic hash function algorithm.
  • the cryptographic hash function algorithm can be, for example, the SM3 cryptographic hash algorithm issued by the State Cryptography Administration, or the like. This application does not place any restriction on the specific cryptographic hash function algorithm used.
  • the above-mentioned non-volatile memory 1122 may be used to store the baseline measurement value of the measured object.
  • the above-mentioned platform configuration register 1123 can be used to further save the baseline measurement value of the measured object and the measurement value obtained by each measurement of the measured object.
  • the information saved in the platform configuration register 1123 can be used to provide trustworthy proof for the remote trusted management center 13.
  • the main control module 1101, the policy control module 1102 and the update interface 1104 in the trusted platform control module 110 may be deployed in the device in the form of software or firmware, and are called and executed by the processor in the device to implement their respective functions.
  • the above-mentioned trusted cryptographic module 112 may be implemented in the form of hardware to provide underlying hardware basic guarantee for trusted verification.
  • the trusted cryptographic module 112 is the trusted root of the above-mentioned trusted verification system 11.
  • the above-mentioned trusted platform control module 110 and trusted cryptographic module 112 can be deployed in the BMC management system of the device.
  • the processor in the BMC management system calls the trusted platform control module 110 to implement trusted verification.
  • the devices on which the above-mentioned trusted verification system 11 resides may include, but are not limited to, servers, workstations, high-performance computers, personal home computers, portable computers, and any electronic product based on an intelligent operating system.
  • In order to implement active measurement of software and/or firmware in the device based on TPCM, embodiments of the present application provide a trusted verification method. Illustratively, this method can be applied to the trusted verification system shown in Figure 1 above. This method can be implemented through the main control module of the TPCM in the trusted verification system. Referring to Figure 2, the method may include but is not limited to the following steps:
  • the main control module of the TPCM in the trusted verification system calls the TCM in the trusted verification system to calculate the first measurement value of the first measured object; the first measured object includes one or more objects in the software and firmware in the device where the trusted verification system is located.
  • the TPCM in the trusted verification system is first powered on and started to run.
  • the integrity measurement of the software and/or firmware in the device is completed through the main control module of TPCM. That is, the main control module is the first program module to be run after the device where it is located is powered on.
  • After the above-mentioned TPCM is powered on and started, it completes a self-test of its internally solidified read-only memory (ROM) and verifies the external secure boot code (ESBC) firmware, thereby completing its own secure boot.
  • ROM read-only memory
  • ESBC external secure boot code
  • the above-mentioned main control module is first started and run, and the integrity measurement of the software and/or firmware in the device is implemented through the main control module.
  • the above-mentioned first measured object can be read directly or indirectly through the main control module.
  • the first measured object includes one or more objects in the software and firmware in the device.
  • the above-mentioned first measured object can be directly read through the hardware physical bus.
  • the first measured object is a BIOS binary image file, it can be read directly through the serial peripheral interface (SPI) bus.
  • SPI serial peripheral interface
  • the above-mentioned first measured object can be obtained indirectly through a measurement agent.
  • the measurement agent can access and obtain the first measured object, and then send the obtained first measured object to the above-mentioned main control module for integrity measurement.
  • the first measured object is a binary image file of the computer operating system in the device, it can be obtained indirectly through the measurement agent.
  • the main control module may send the first measured object to the TCM.
  • the TCM calls a cryptographic hash function algorithm to calculate the metric value of the first measured object (ie, the above-mentioned first metric value).
  • the measurement value of the first measured object can be calculated through an algorithm module in the TCM.
  • for the algorithm module in the TCM, reference may be made to the description of the algorithm module 1121 shown in Figure 1, which will not be repeated here.
  • After calculating the measurement value of the first measured object, the TCM sends the calculated measurement value to the above-mentioned main control module.
  • S202 Read the reference measurement value of the first measured object from the non-volatile memory of the TCM through the above-mentioned main control module.
  • the above-mentioned reference measurement value of the first measured object is stored in the non-volatile memory in the TCM.
  • This non-volatile memory is protected so that only authorized parties can access it.
  • the reference measurement value of the first measured object may be written into the non-volatile memory of the TCM through the main control module. Before writing, the main control module completes identity authentication with the TCM to obtain authorization to access the non-volatile memory in the TCM.
  • the main control module can send a preconfigured secret key to the TCM, and the TCM matches the received secret key with its own preset secret key. If the match is successful, the identity authentication of the main control module is passed. Then, the TCM can send an indication that the identity authentication is passed to the main control module, thereby authorizing the main control module to access the non-volatile memory in the TCM. After the main control module obtains the authorization to access the non-volatile memory in the TCM, it can write the above-mentioned baseline measurement value of the first measured object into the non-volatile memory of the TCM.
  • the main control module has been authorized to access the non-volatile memory in the TCM.
  • the main control module can access the non-volatile memory in the TCM without performing identity authentication again. memory, and read the baseline measurement value of the above-mentioned first measured object from it.
  • the above-mentioned reference measurement value of the first measured object may be obtained through other control modules or may be written into a non-volatile memory in the TCM by a user.
  • the above-mentioned main control module before accessing the non-volatile memory in the TCM, the above-mentioned main control module first performs identity authentication and obtains access authorization, and then can read the baseline measurement value of the above-mentioned first measured object from it.
  • S203: Through the main control module, perform policy control on the first measured object based on the matching result between the first measurement value and the reference measurement value.
  • The reference measurement value read in S202 can be compared with the calculated first measurement value.
  • If the two match, the main control module can control the first measured object to start running.
  • If the two do not match, the main control module can perform exception control on the first measured object. For example, the first measured object may be prevented from starting to run, or the version of the first measured object may be rolled back or restored, and so on. This application does not limit the specific policy control.
  • The main control module may look up the corresponding control policy in the policy control module based on the comparison result to control the first measured object.
  • For the description of the policy control module, reference may be made to the corresponding description of Figure 1 above, which is not repeated here.
  • Optionally, the main control module can store the first measurement value of the first measured object in the platform configuration register of the TCM to provide data for subsequent remote attestation.
  • The above-mentioned main control module may also generate a corresponding event log based on the above-mentioned trusted verification operation on the first measured object.
  • The event log may record information such as the trusted verification of the first measured object.
  • The main control module can store one or both of the event log and the above matching result in the platform configuration register of the TCM.
  • Alternatively, the main control module can store one or both of the event log and the matching result in another memory in the trusted verification system. This application does not limit the specific storage memory.
  • Embodiments of the present application thus provide a trusted verification solution that actively measures the integrity of software and/or firmware in a device based on the TPCM.
  • In addition, the reference measurement value of the measured object is stored in the non-volatile memory of the TCM. Since the non-volatile memory of the TCM belongs to a protected storage area and can only be accessed after authorization, this improves the security protection of the reference measurement value.
  • The process of writing the above-mentioned reference measurement value of the first measured object into the non-volatile memory in the TCM through the above-mentioned main control module is as follows:
  • Before the main control module of the TPCM in the trusted verification system calls the TCM in the trusted verification system to calculate the first measurement value of the first measured object, the main control module first calculates the reference measurement value of the measured object and writes it to the non-volatile memory in the TCM mentioned above.
  • After the main control module starts running, it obtains the first measured object. As above, the first measured object is sent to the TCM to calculate the measurement value of the first measured object; this measurement value may be referred to as the second measurement value for short. Then, the main control module reads the identifier stored in the bit corresponding to the first measured object from the one-time programmable memory, and determines, based on the read identifier, whether the reference measurement value of the first measured object is stored in the non-volatile memory of the TCM.
  • The one-time programmable memory can be provided in the TPCM, and can store multiple bits of data. In the embodiment of the present application, each measured object can be configured to uniquely correspond to one of the plurality of bits, and the identifier in the corresponding bit indicates whether the reference measurement value of that measured object is already stored in the non-volatile memory of the TCM. For example, the initial value stored in each bit of the one-time programmable memory is "1"; when the bit is programmed once (that is, the fuse corresponding to the bit is blown), the value stored in the bit becomes "0".
  • If the read identifier indicates that no reference measurement value is stored, the main control module can write the second measurement value calculated above into the non-volatile memory of the TCM as the reference measurement value of the first measured object.
  • Before writing the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object, the main control module can complete identity authentication in the TCM and obtain authorization to access the non-volatile memory of the TCM. The specific implementation of this identity authentication can be found in the previous description and is not repeated here.
  • After the above-mentioned main control module writes the reference measurement value of the first measured object into the non-volatile memory of the TCM, it can blow the fuse of the bit corresponding to the first measured object in the one-time programmable memory, completing the one-time programming of that bit and changing the value stored in it to "0". That is, the first identifier originally stored in the bit is changed to the second identifier.
  • The first identifier is, for example, "1", indicating that the reference measurement value of the first measured object is not stored in the non-volatile memory of the TCM.
  • The second identifier is, for example, "0", indicating that the reference measurement value of the first measured object has been stored in the non-volatile memory of the TCM.
  • Optionally, the main control module can store the reference measurement value of the first measured object in the platform configuration register of the TCM to provide data for subsequent remote attestation.
  • The main control module can also generate a corresponding event log.
  • The event log may record information such as the writing of the reference measurement value of the first measured object into the non-volatile memory of the TCM.
  • The main control module can store the event log in the platform configuration register of the TCM.
  • Alternatively, the main control module can store the event log in another memory in the above-mentioned trusted verification system. This application does not limit the specific storage memory.
  • Correspondingly, before the main control module reads the reference measurement value of the first measured object from the non-volatile memory of the TCM in step S202, it also reads the identifier stored in the bit corresponding to the first measured object from the above-mentioned one-time programmable memory. The read identifier indicates that the reference measurement value of the first measured object has been stored in the non-volatile memory of the TCM. The main control module can then read the reference measurement value of the first measured object from the non-volatile memory of the TCM based on the read identifier.
  • This solution uses a one-time programmable memory to quickly determine whether the reference measurement value of the first measured object has already been stored. Compared with the existing solution, which requires a one-by-one comparison in the memory to make this determination, this solution improves the efficiency of trusted measurement.
  • In addition, for a measured object that has no stored reference value, the current measurement value is stored as the reference value, which solves the problem of having to write the reference value offline when none exists.
  • In practice, the measured object is often upgraded and updated, and the reference measurement value of the upgraded measured object changes accordingly. The reference measurement value stored in the non-volatile memory of the TCM must therefore be updated as well; otherwise the integrity measurement of the measured object will not pass, and the measured object will fail to start and run normally.
  • The following takes the above-mentioned first measured object as an example to introduce the process of updating the reference measurement value stored in the non-volatile memory of the TCM.
  • The remote trusted management center can sense the upgrade and update of the first measured object. The remote trusted management center then obtains the upgraded and updated first measured object (referred to as the second measured object for short), and calls the reference and policy management module in the remote trusted management center to calculate the measurement value of the second measured object.
  • The algorithm used to calculate this measurement value is the same as the algorithm used by the TCM to calculate measurement values.
  • The above-mentioned TPCM establishes communication with the remote trusted management center through the update interface; see Figure 1 for an example. After obtaining the measurement value of the second measured object, the remote trusted management center sends it to the TPCM through the update interface. The main control module of the TPCM receives the measurement value of the second measured object through the update interface, accesses the non-volatile memory of the TCM, and updates the original reference measurement value of the first measured object in the non-volatile memory to the measurement value of the second measured object.
  • Before writing the measurement value of the second measured object into the non-volatile memory of the TCM, the main control module can complete identity authentication in the TCM and obtain authorization to access the non-volatile memory of the TCM.
  • The specific implementation of this identity authentication can be found in the previous description and is not repeated here.
  • This solution interacts with the remote trusted management center to obtain the updated reference measurement value of the measured object and updates the local reference value, which solves the problem that, after the measured object is updated, the reference value would otherwise have to be re-programmed offline or the object could not be started. At the same time, it avoids the problem that the integrity measurement of the measured object cannot pass, causing the measured object to fail to start and run normally.
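As an added illustration (not code from the patent or from Huawei), the following Python model puts the three procedures described above together: the S201 to S203 verification flow, the first-run provisioning of the reference value guarded by a one-time programmable bit, and the reference update received from the remote trusted management center. The hash algorithm (SHA-256), the key-matching authentication, the object-to-bit mapping, the policy table and all sample data are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


class TCM:
    """Model of the trusted cryptographic module: hash algorithm module, protected NV memory, PCRs."""

    def __init__(self, preset_key: bytes, pcr_count: int = 24):
        self._preset_key = preset_key            # key preset in the TCM for identity authentication
        self._nv: dict[str, bytes] = {}          # protected NV memory: object id -> reference value
        self._authorized: set[str] = set()       # callers that have passed identity authentication
        self.pcr: list[bytes] = [bytes(32)] * pcr_count

    def measure(self, data: bytes) -> bytes:
        """Algorithm module: compute the measurement value (SHA-256 is an assumption)."""
        return hashlib.sha256(data).digest()

    def authenticate(self, caller: str, key: bytes) -> bool:
        """Match the presented key against the preset key; grant NV access on success."""
        if hmac.compare_digest(key, self._preset_key):
            self._authorized.add(caller)
            return True
        return False

    def is_authorized(self, caller: str) -> bool:
        return caller in self._authorized

    def nv_read(self, caller: str, object_id: str) -> "bytes | None":
        if not self.is_authorized(caller):
            raise PermissionError(f"{caller} is not authorized to read TCM NV memory")
        return self._nv.get(object_id)

    def nv_write(self, caller: str, object_id: str, value: bytes) -> None:
        if not self.is_authorized(caller):
            raise PermissionError(f"{caller} is not authorized to write TCM NV memory")
        self._nv[object_id] = value

    def pcr_extend(self, index: int, data: bytes) -> bytes:
        """PCR extend: new = H(old || data), an append-only record for remote attestation."""
        self.pcr[index] = hashlib.sha256(self.pcr[index] + data).digest()
        return self.pcr[index]


class OneTimeProgrammableMemory:
    """OTP memory in the TPCM: bits start at 1 (first identifier); a blown fuse reads 0 for good."""

    def __init__(self, bits: int = 64):
        self._bits = [1] * bits

    def read(self, bit: int) -> int:
        return self._bits[bit]

    def blow(self, bit: int) -> None:
        self._bits[bit] = 0                      # one-way: nothing sets the bit back to 1


@dataclass
class MainControlModule:
    """Main control module of the TPCM; the bit map and policy table stand in for the policy control module."""
    tcm: TCM
    otp: OneTimeProgrammableMemory
    key: bytes                                   # preconfigured key sent to the TCM for authentication
    otp_bit: dict[str, int]                      # measured object -> its bit in OTP memory
    policy: dict[str, str]                       # measured object -> exception action on mismatch
    name: str = "main-control"
    event_log: list[str] = field(default_factory=list)

    def _ensure_nv_access(self) -> None:
        """Authenticate once; later NV accesses reuse the granted authorization."""
        if not self.tcm.is_authorized(self.name):
            if not self.tcm.authenticate(self.name, self.key):
                raise PermissionError("identity authentication with the TCM failed")

    def verify(self, object_id: str, data: bytes) -> str:
        """First run: store the measurement as reference and blow the fuse; otherwise compare and apply policy."""
        measurement = self.tcm.measure(data)                 # S201: TCM computes the measurement value
        bit = self.otp_bit[object_id]
        self._ensure_nv_access()
        self.tcm.pcr_extend(0, measurement)                  # keep data for remote attestation
        if self.otp.read(bit) == 1:                          # first identifier: no reference stored yet
            self.tcm.nv_write(self.name, object_id, measurement)
            self.otp.blow(bit)                               # now reads as the second identifier
            self.event_log.append(f"provision {object_id}")
            return "provisioned"
        reference = self.tcm.nv_read(self.name, object_id)   # S202: read reference from protected NV
        if reference is not None and hmac.compare_digest(measurement, reference):
            self.event_log.append(f"match {object_id}")      # S203: match -> allow start
            return "start"
        action = self.policy.get(object_id, "block")         # S203: mismatch -> exception control
        self.event_log.append(f"mismatch {object_id}: {action}")
        return action

    def update_reference(self, object_id: str, new_reference: bytes) -> None:
        """Apply a reference value received from the remote trusted management center (transport not modelled)."""
        self._ensure_nv_access()
        self.tcm.nv_write(self.name, object_id, new_reference)
        self.event_log.append(f"update reference {object_id}")
```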
  • In practice, the control policy of the measured object is also often upgraded and updated, so the configuration in the policy control module of the TPCM must be updated accordingly; otherwise the policy control of the measured object will be abnormal.
  • The following takes the above-mentioned first measured object as an example to introduce the process of updating the policy configuration in the policy control module of the TPCM.
  • The remote trusted management center can sense the update of the control policy of the first measured object. The reference and policy management module of the remote trusted management center then obtains the updated control policy of the first measured object. Similarly, the above-mentioned TPCM establishes communication with the remote trusted management center through the update interface; see Figure 1 for an example. After obtaining the updated control policy of the first measured object, the remote trusted management center sends it to the TPCM through the update interface. The main control module of the TPCM receives the updated control policy of the first measured object through the update interface, and updates the policy configuration of the first measured object in the policy control module based on the received control policy.
  • The control policy can also be upgraded and updated for the updated first measured object, that is, the above-mentioned second measured object.
  • This solution achieves timely control policy updates by interacting with the remote trusted management center, avoiding abnormal policy control during trusted verification.
  • To implement the above functions, each device includes a corresponding hardware structure and/or software module to perform each function.
  • The present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving the hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.
  • Embodiments of the present application can divide the device into functional modules according to the above method examples.
  • For example, each functional module can be divided corresponding to each function, or two or more functions can be integrated into one module.
  • The above integrated modules can be implemented in the form of hardware or software function modules. It should be noted that the division of modules in the embodiment of the present application is schematic and is only a logical function division; in actual implementation, there may be other division methods.
  • FIG. 3 shows a logical structure diagram of the device, which may be the device where the above-mentioned trusted verification system is located.
  • The device 300 includes a trusted platform control module 301 and a trusted cryptographic module 302.
  • The trusted platform control module 301 includes a main control module 3011, wherein:
  • The main control module 3011 is used for:
  • calling the trusted cryptographic module 302 to calculate the first metric value of the first measured object;
  • the first measured object includes one or more objects in the software and firmware in the device where the trusted verification system is located;
  • reading the reference metric value of the first measured object from the non-volatile memory of the trusted cryptographic module 302;
  • performing policy control on the first measured object based on a matching result between the first metric value and the reference metric value.
  • In a possible implementation, the main control module 3011 is also used to:
  • before calling the trusted cryptographic module 302 to calculate the first metric value of the first measured object, call the trusted cryptographic module 302 to calculate the second metric value of the first measured object;
  • read the first identification corresponding to the first measured object in the one-time programmable memory, where the first identification indicates that the non-volatile memory of the trusted cryptographic module 302 does not store the reference metric value of the first measured object;
  • based on the first identification, write the second metric value into the non-volatile memory of the trusted cryptographic module 302 as the reference metric value of the first measured object.
  • In a possible implementation, the main control module 3011 is also used to:
  • before writing the second metric value, complete identity authentication in the trusted cryptographic module 302 and obtain authorization to access the non-volatile memory of the trusted cryptographic module 302.
  • In a possible implementation, the main control module 3011 is also used to:
  • after the second metric value is written into the non-volatile memory of the trusted cryptographic module 302 as the reference metric value, change the first identification corresponding to the first measured object in the one-time programmable memory to a second identification, where the second identification indicates that the reference metric value of the first measured object has been stored in the non-volatile memory of the trusted cryptographic module 302.
  • In a possible implementation, the main control module 3011 is also configured to read the second identification corresponding to the first measured object in the one-time programmable memory;
  • reading the reference metric value of the first measured object from the non-volatile memory of the trusted cryptographic module 302 then includes:
  • reading the reference metric value of the first measured object from the non-volatile memory of the trusted cryptographic module 302 based on the second identification.
  • In a possible implementation, the main control module 3011 is also used to:
  • update the reference metric value of the first measured object in the non-volatile memory of the trusted cryptographic module 302 to the reference metric value of the second measured object, the second measured object being the upgraded and updated first measured object.
  • In a possible implementation, the policy control module of the trusted platform control module 301 includes configuration information of the control policy of the measured object, and the main control module 3011 is also used to:
  • update the configuration information of the control policy of the first measured object in the policy control module of the trusted platform control module 301 to the configuration information of the target control policy.
  • In a possible implementation, the trusted verification system is a management system implemented based on a baseboard management controller (BMC).
  • FIG. 4 shows a hardware structure schematic diagram of the device provided by this application.
  • The device may be the device where the trusted verification system described in the above embodiment is located.
  • The device 400 includes a processor 401, a memory 402 and a communication interface 403.
  • The processor 401, the communication interface 403 and the memory 402 may be connected to each other directly or via a bus 404.
  • The memory 402 is used to store computer programs and data of the device 400.
  • The memory 402 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), compact disc read-only memory (CD-ROM), and so on.
  • The memory 402 can be used to store computer programs for one or more of the main control module, the policy control module and the update interface in the above-mentioned trusted verification system.
  • The communication interface 403 includes a sending interface and a receiving interface.
  • There may be multiple communication interfaces 403, used to support the device 400 in communicating, such as receiving or sending data or messages.
  • The processor 401 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • The processor can also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a digital signal processor and a microprocessor, and so on.
  • The processor 401 can be used to read the program stored in the memory 402, so that the device 400 executes the trusted verification method described in the above-mentioned Figure 2 and its specific embodiments.
  • For example, the processor 401 can be used to read the program stored in the memory 402 and perform the following operations: call the TCM to calculate the first measurement value of the first measured object, where the first measured object includes one or more objects in the software and firmware in the device where the trusted verification system is located; read the reference measurement value of the first measured object from the non-volatile memory of the TCM; and perform policy control on the first measured object based on the matching result between the first measurement value and the reference measurement value.
  • Embodiments of the present application also provide a computer-readable storage medium.
  • The computer-readable storage medium stores a computer program.
  • When the computer program is executed by a processor, the method described in any one of the above-mentioned Figure 2 and its specific method embodiments is implemented.
  • An embodiment of the present application also provides a computer program product.
  • When the computer program product is read and executed by a computer, the method described in any one of the above-mentioned Figure 2 and its specific method embodiments can be performed.
  • In summary, embodiments of the present application provide a trusted verification solution that actively measures the integrity of software and/or firmware in a device based on the TPCM.
  • In addition, the reference measurement value of the measured object is stored in the non-volatile memory of the TCM. Since the non-volatile memory of the TCM is a protected storage area and can only be accessed after authorization, this improves the security protection of the reference measurement value. This ensures the reliability of integrity measurement, reduces the risk of tampering with measured objects, and improves system security.
  • The terms "first", "second", etc. are used to distinguish identical or similar items with basically the same functions and effects. It should be understood that there is no logical or sequential dependency between the terms "first", "second" and "nth", and no limit on the number or execution order. It should also be understood that, although the following description uses the terms first, second, etc. to describe various elements, these elements should not be limited by the terms; these terms are only used to distinguish one element from another.
  • The size of the sequence number of each process does not indicate the order of execution.
  • The execution order of each process should be determined by its function and internal logic, and the implementation process of the embodiments of the present application should not constitute any limitation.
  • References throughout this specification to "one embodiment", "an embodiment" and "a possible implementation" mean that specific features, structures or characteristics related to the embodiment or implementation are included in at least one embodiment of the application. Therefore, "in one embodiment", "in an embodiment" or "a possible implementation" appearing in various places throughout this specification do not necessarily refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

Abstract

The present application provides a trusted verification method and apparatus. The method is applied to a trusted verification system. The trusted verification system comprises a trusted platform control module (TPCM) and a trusted cryptography module (TCM). The TPCM comprises a main control module. The method comprises executing, by means of a main control module, the following operations: invoking a TCM to calculate a first metric value of a first measured object, the first measured object comprising one or more objects in software and firmware in a device where a trusted verification system is located; reading a reference metric value of the first measured object from a non-volatile memory of the TCM; and performing policy control on the first measured object on the basis of a matching result of the first metric value and the reference metric value. The present application can realize the active measurement of the software and/or the firmware in the device on the basis of the TPCM, and improve the security protection of data.

Description

Trusted verification method and device

This application claims priority to the Chinese patent application filed with the China Patent Office on March 24, 2022, with application number 202210297166.9 and the invention title "Trusted Verification Method and Device"; the entire content of that patent application is incorporated by reference in this application.

Technical field

The present invention relates to the field of information security technology, and in particular to a trusted verification method and device.

Background art

The trusted platform control module (TPCM) is a protective component integrated into a device and consists of hardware, software and firmware. The TPCM is connected in parallel with the hardware, software and firmware of the device's computing system and is a basic core module used to establish and guarantee the source of trust. The TPCM also provides active measurement, active control, trusted verification, encryption protection, trusted reporting, cryptographic invocation and other functions for the software and firmware in the device.

The TPCM standard has been officially published in GB/T40650-2021 Information Security Technology Trusted Computing Specification. In addition, the law stipulates that trusted computing is included in the assessment items of network security classified protection evaluation, so manufacturers will gradually launch products that support the TPCM. However, how to implement active measurement of software and/or firmware in a device based on the TPCM, and further improve the security protection of data, is a technical problem that urgently needs to be solved.

Summary of the invention

This application discloses a trusted verification method and related devices, which can realize active measurement of software and/or firmware in a device based on the TPCM and improve the security protection of data.

In a first aspect, this application provides a trusted verification method, which is applied to a trusted verification system. The trusted verification system includes a trusted platform control module (TPCM) and a trusted cryptographic module (TCM), and the TPCM includes a main control module.

The method includes performing the following operations through the main control module:

calling the TCM to calculate a first measurement value of a first measured object, where the first measured object includes one or more objects in the software and firmware in the device where the trusted verification system is located;

reading the reference measurement value of the first measured object from the non-volatile memory of the TCM;

performing policy control on the first measured object based on the matching result between the first measurement value and the reference measurement value.

Embodiments of the present application provide a trusted verification solution that actively measures the integrity of the software and/or firmware in a device based on the TPCM. In addition, in this application, the reference measurement value of the measured object is stored in the non-volatile memory of the TCM. Since the non-volatile memory of the TCM is a protected storage area that can only be accessed after authorization, this improves the security protection of the reference measurement value, which in turn ensures the reliability of integrity measurement, reduces the risk of the measured object being tampered with, and improves the security protection of system data.

In a possible implementation, before calling the TCM to calculate the first measurement value of the first measured object, the method further includes:

calling the TCM to calculate a second measurement value of the first measured object;

reading a first identification corresponding to the first measured object in a one-time programmable memory, where the first identification indicates that the reference measurement value of the first measured object is not stored in the non-volatile memory of the TCM;

writing, based on the first identification, the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object.

This solution uses a one-time programmable memory to quickly determine whether the reference measurement value of the first measured object has already been stored. Compared with the existing solution, which requires a one-by-one comparison in the memory to make this determination, this solution improves the efficiency of trusted measurement. In addition, for a measured object that has no stored reference value, the current measurement value is stored as the reference value, which solves the problem of having to write the reference value offline when none exists.

In a possible implementation, before writing the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification, the method further includes:

completing identity authentication in the TCM through the main control module, and obtaining authorization to access the non-volatile memory of the TCM.

In this solution, the memory in the TCM can only be accessed after authorization, which ensures that the protected storage area in the TCM cannot be maliciously tampered with and improves the security protection of the reference value.

In a possible implementation, after writing the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification, the method further includes:

changing the first identification corresponding to the first measured object in the one-time programmable memory to a second identification, where the second identification indicates that the reference measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

In this solution, after the reference value of the first measured object is stored in the non-volatile memory, the corresponding identification in the one-time programmable memory can be changed, so that it can subsequently be quickly determined, based on the changed identification, that the corresponding reference value has already been stored.

一种可能的实施方式中,前述方法还包括:通过前述主控模块读取前述一次性可编程存储器中前述第一被度量对象对应的第二标识;In a possible implementation, the aforementioned method further includes: reading, through the aforementioned main control module, the second identification corresponding to the aforementioned first measured object in the aforementioned one-time programmable memory;

前述从前述TCM的非易失性存储器中读取前述第一被度量对象的基准度量值,包括:The aforementioned reading of the aforementioned reference measurement value of the aforementioned first measured object from the aforementioned non-volatile memory of the TCM includes:

基于前述第二标识从前述TCM的非易失性存储器中读取前述第一被度量对象的基准度量值。The reference measurement value of the first measured object is read from the non-volatile memory of the TCM based on the second identification.

本方案中可以基于第一被度量对象对应的一次性可编程存储器中的标识快速到非易失性存储中读取对应的基准值,无需进一步比较来判断是否已经存储有基准值,提高可信度量的效率。In this solution, the corresponding benchmark value can be quickly read from the non-volatile storage based on the identifier in the one-time programmable memory corresponding to the first measured object, without further comparison to determine whether the benchmark value has been stored, improving credibility. Measure efficiency.

In a possible implementation, the method further includes performing the following operations through the main control module:

receiving, from a remote trusted management center, the reference measurement value of a second measured object, where the second measured object is the updated version of the first measured object;

updating the reference measurement value of the first measured object in the non-volatile memory of the TCM to the reference measurement value of the second measured object.

In this solution, the reference measurement value of the updated software/firmware is obtained by interacting with the remote trusted management center and the local reference value is updated accordingly, which solves the problem that, after a software/firmware update, the reference value would otherwise have to be re-programmed offline or the device could not boot.

In a possible implementation, the policy control module of the TPCM includes configuration information of the control policy of the measured object;

and the method further includes performing the following operations through the main control module:

receiving, from the remote trusted management center, a target control policy for the first measured object, where the target control policy is the updated control policy of the first measured object;

updating the configuration information of the control policy of the first measured object in the policy control module of the TPCM to the configuration information of the target control policy.

In this solution, timely control-policy updates are achieved by interacting with the remote trusted management center, which avoids abnormal policy control of the measured object during trusted verification.

In a possible implementation, the method further includes performing the following operations through the main control module:

generating an event log based on the process of trusted verification of the first measured object;

storing one or more of the reference measurement value of the first measured object, the matching result and the event log in the platform configuration memory of the TCM.

In this solution, this information is stored in the platform configuration memory so that it can later be used for remote attestation.

In a possible implementation, the trusted verification system is a management system implemented on a baseboard management controller (BMC).

In a second aspect, this application provides a trusted verification apparatus. The apparatus includes a trusted verification system, the trusted verification system includes a trusted platform control module (TPCM) and a trusted cryptographic module (TCM), and the TPCM includes a main control module;

the main control module is configured to:

call the TCM to calculate a first measurement value of a first measured object, where the first measured object includes one or more objects among the software and firmware of the device in which the trusted verification system is located;

read a reference measurement value of the first measured object from the non-volatile memory of the TCM; and

perform policy control on the first measured object based on the result of matching the first measurement value against the reference measurement value.

In a possible implementation, the main control module is further configured to:

before calling the TCM to calculate the first measurement value of the first measured object, call the TCM to calculate a second measurement value of the first measured object;

read a first identification corresponding to the first measured object in a one-time programmable memory, where the first identification indicates that no reference measurement value of the first measured object is stored in the non-volatile memory of the TCM; and

write, based on the first identification, the second measurement value into the non-volatile memory of the TCM as the reference measurement value of the first measured object.

In a possible implementation, the main control module is further configured to:

before the second measurement value is written into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification, complete identity authentication in the TCM and obtain authorization to access the non-volatile memory of the TCM.

In a possible implementation, the main control module is further configured to:

after the second measurement value is written into the non-volatile memory of the TCM as the reference measurement value of the first measured object based on the first identification, change the first identification corresponding to the first measured object in the one-time programmable memory to a second identification, where the second identification indicates that the reference measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

In a possible implementation, the main control module is further configured to read the second identification corresponding to the first measured object in the one-time programmable memory;

and the reading of the reference measurement value of the first measured object from the non-volatile memory of the TCM includes:

reading the reference measurement value of the first measured object from the non-volatile memory of the TCM based on the second identification.

In a possible implementation, the main control module is further configured to:

receive, from a remote trusted management center, the reference measurement value of a second measured object, where the second measured object is the updated version of the first measured object; and

update the reference measurement value of the first measured object in the non-volatile memory of the TCM to the reference measurement value of the second measured object.

In a possible implementation, the policy control module of the TPCM includes configuration information of the control policy of the measured object, and the main control module is further configured to:

receive, from the remote trusted management center, a target control policy for the first measured object, where the target control policy is the updated control policy of the first measured object; and

update the configuration information of the control policy of the first measured object in the policy control module of the TPCM to the configuration information of the target control policy.

In a possible implementation, the main control module is further configured to:

generate an event log based on the process of trusted verification of the first measured object; and

store one or more of the reference measurement value of the first measured object, the matching result and the event log in the platform configuration memory of the TCM.

In a possible implementation, the trusted verification system is a management system implemented on a baseboard management controller (BMC).

In a third aspect, this application provides a trusted verification apparatus including a processor and a memory, used to implement the method described in the first aspect and its possible implementations. The memory is coupled to the processor; when the processor executes the computer program stored in the memory (the computer program may be the main control module of the TPCM in the above trusted verification system), the apparatus is enabled to implement the method described in the first aspect or in any possible implementation of the first aspect.

The apparatus may further include a communication interface through which the apparatus communicates with other apparatuses. For example, the communication interface may be a transceiver, a circuit, a bus, a module or another type of communication interface. The communication interface includes a receiving interface for receiving messages and a sending interface for sending messages.

In a possible implementation, the apparatus may include:

a memory, configured to store the main control module of the TPCM in the above trusted verification system; and

a processor, configured to perform the following operations through the main control module:

calling the TCM to calculate a first measurement value of a first measured object, where the first measured object includes one or more objects among the software and firmware of the device in which the trusted verification system is located;

reading the reference measurement value of the first measured object from the non-volatile memory of the TCM; and

performing policy control on the first measured object based on the result of matching the first measurement value against the reference measurement value.

It should be noted that the computer program in the memory may be stored in advance, or may be downloaded from the Internet and stored when the apparatus is used; this application does not specifically limit the source of the computer program in the memory. The coupling in the embodiments of this application is an indirect coupling or connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for information exchange between the apparatuses, units or modules.

In a fourth aspect, this application provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, the method described in the first aspect or in any of its possible implementations is implemented.

In a fifth aspect, this application provides a computer program product including a computer program. When the computer program is executed by a processor, the computer is caused to perform the method described in any implementation of the first aspect.

It can be understood that the apparatuses of the second and third aspects, the computer storage medium of the fourth aspect and the computer program product of the fifth aspect are all used to perform the method provided in any implementation of the first aspect. Therefore, for the beneficial effects they can achieve, reference may be made to the beneficial effects of the corresponding method, which are not repeated here.

Description of the drawings

The drawings used in the embodiments of this application are introduced below.

Figure 1 is a schematic diagram of a system architecture provided by an embodiment of this application;

Figure 2 is a schematic flowchart of a trusted verification method provided by an embodiment of this application;

Figure 3 is a schematic structural diagram of an apparatus provided by an embodiment of this application;

Figure 4 is another schematic structural diagram of an apparatus provided by an embodiment of this application.

Detailed description of the embodiments

The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings.

First, some terms used in this application are explained to facilitate understanding by those skilled in the art.

1. Trusted platform control module (TPCM).

The TPCM is a protection component integrated in a device, consisting of hardware, software and firmware. The TPCM is connected in parallel with the hardware, software and firmware of the device's computing system and is a basic core module for establishing and safeguarding the source point of trust. The TPCM provides active measurement, active control, trusted verification, encryption protection, trusted reporting, cryptographic invocation and other functions for the software and firmware in the device.

2. Trusted cryptographic module (trusted crypto module, TCM).

The TCM is a module that provides the cryptographic operations and other functions required for trusted computing, and provides a protected storage space.

According to the national standard specifications, a TCM must provide a protected storage space inside it at design and manufacturing time. This storage space is non-volatile, meaning its data is not lost when power is removed. In addition, the storage space in the TCM is protected and cannot be accessed arbitrarily from outside; access requires specific authorization operations through the TCM interface.

For example, the TCM is a collection of hardware and firmware that builds a secure computing environment. Its core functional system builds trusted computing functions on independently developed cryptographic algorithms along three dimensions: integrity measurement and verification, trusted identity identification and authentication, and data protection.

3. Non-volatile memory (NVM).

Non-volatile memory is memory whose data is not lost when the computer is shut down, including sudden or unexpected shutdowns.

4. Baseboard management controller (BMC).

The BMC is an out-of-band management subsystem widely used with server-class computer processors. Its functions include virtual keyboard, mouse and display, power management control and remote operation and maintenance, as well as monitoring of information such as the supply voltage, temperature, fan status and chassis status of servers and other computers. Its hardware is the first component on the mainboard to power on and start, and it constitutes the out-of-band management system.

5. Root of trust (RoT).

The root of trust covers the root of trust for measurement (RTM), the root of trust for storage (RTS) and the root of trust for reporting (RTR). The root of trust is the source point of trust in trusted measurement and is a component that must be trusted.

6. Core root of trust for measurement (CRTM).

In this application, the CRTM is the first piece of code, that is, the first computer program, executed after the computer is powered on and started; it is the core program code for establishing the root of trust.

7. Basic input/output system (BIOS).

The BIOS is a set of programs burned into a memory chip on the mainboard. It holds the computer's most important basic input/output routines, the power-on self-test routine and the system bootstrap routine, and it can read and write the specific system settings stored in complementary metal oxide semiconductor (CMOS) memory.

8. Firmware.

Firmware can be regarded as software that is written into a chip and is therefore "fixed". The firmware code itself may be stored in read-only memory (ROM), or in memory such as programmable read-only memory (PROM) or electrically erasable programmable read-only memory (EEPROM).

9. Trusted verification.

Trusted verification refers to the process of actively measuring and verifying the integrity of a measured object. It may also include the process of performing policy control on the measured object based on the results of the measurement and verification.

10. Image file.

An image (mirror) is a form of file storage in which a file is produced and stored in a specific format. A file and its image file are exactly identical except for their storage location; in other words, the image file is a backup or copy of the original file.

To better understand the trusted verification method provided by the embodiments of this application, the scenarios to which the embodiments apply are described below by way of example. Refer to Figure 1, which is a schematic diagram of a system architecture provided by an embodiment of this application.

As shown in Figure 1, the trusted verification system 11 includes a trusted platform control module 110 and a trusted cryptographic module 112, which can communicate with each other.

The trusted platform control module 110 includes a main control module 1101, a policy control module 1102, a one-time programmable memory 1103 and an update interface 1104.

The main control module 1101 is the core of the entire trusted verification system 11 and is also the core root of trust for measurement (CRTM) of the trusted platform control module 110. It is the first module to start and execute after the device in which it is located is powered on. The main control module 1101 is responsible for obtaining the measured object 12 and performing active measurement and trusted verification on it.

For example, the measured object 12 is one or more objects among the software and/or firmware of the device in which the trusted verification system 11 is located. The measured object may include one or more of: the logic configuration file of a complex programmable logic device (CPLD), the boot loader image file of the BMC, the BIOS configuration file, the binary image files of BIOS segment function code, the binary image files of BIOS driver modules, the binary image files of BIOS peripheral function modules, the binary image file of the computer's operating system loader (OS loader), the binary image file of the computer's operating system, the binary image file of the BMC operating system, and the binary image files of BMC application software. These measured objects can be accessed and obtained directly or indirectly by the trusted platform control module 110.

In a possible implementation, the main control module 1101 may also be called the TPCM engine. For example, the main control module 1101 may be deployed in the device in the form of software or firmware and invoked for execution by a processor in the device. That processor also belongs to the trusted verification system 11; it is not shown in Figure 1.

The policy control module 1102 mainly contains the policy control configuration information corresponding to each measured object. For example, it includes the configuration information of the policy to be executed for each measured object after its integrity measurement passes, and the configuration information of the policy to be executed after its integrity measurement fails, and so on. For example, the policy control module 1102 may be deployed in the device in the form of software or firmware.

The one-time programmable memory 1103 can store multiple bits of data. For example, the initial value of each of these bits may be "1". Taking one of the bits as an example, its stored value can be changed to "0" by one-time programming. The programming can be implemented by blowing the fuse corresponding to that bit; because the blowing operation is irreversible, the bit has one and only one opportunity to be programmed, hence one-time programming. The same applies to the other bits, which is why it is called a one-time programmable memory.

For example, the one-time programmable memory 1103 may be a memory implemented using eFuses.

In the embodiments of this application, the one-time programmable memory 1103 can be used to determine whether the reference measurement value of a measured object already exists; this is described later and not detailed here.
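As an added illustration (not code from the patent or from its assignee), the following Python simulation models the first-aspect flow claimed above together with the eFuse-style one-time programmable memory just described: on the first identification the main control module stores the second measurement value as the reference value and then blows the fuse; on the second identification it reads the reference value from the authorization-gated TCM non-volatile memory, compares it with the first measurement value and applies the control policy; reference-value and policy updates from the remote trusted management center overwrite NVM and policy entries without touching the fuse, so a tampered image can never be written as a reference. The object names, image bytes, authentication secret and the SHA-256 stand-in for SM3 are all assumptions.

```python
import hashlib
import hmac

# Constructed sample measured objects; the bytes stand in for firmware images.
SAMPLE_OBJECTS = {
    "bmc_bootloader": b"constructed BMC boot loader image, version 1",
    "bios_config": b"constructed BIOS configuration file, version 1",
}


class OneTimeProgrammableMemory:
    """eFuse-style OTP: every bit starts at 1 and can be burned to 0 exactly once.
    Bit 1 is the first identification (no reference value in TCM NVM), bit 0 the second."""

    def __init__(self, object_names):
        self._bits = {name: 1 for name in object_names}

    def read(self, name):
        return self._bits[name]

    def burn(self, name):
        # Blowing a fuse is irreversible, so a bit can be programmed only once.
        if self._bits[name] == 0:
            raise RuntimeError(f"OTP bit for {name} is already blown")
        self._bits[name] = 0


class TrustedCryptoModule:
    """Stand-in TCM: hash algorithm module, authorization-gated NVM and a PCR-like log."""

    def __init__(self, auth_secret):
        self._auth_secret = auth_secret
        self._authorized = False
        self._nvm = {}      # protected non-volatile storage for reference values
        self.pcr_log = []   # records kept for later remote attestation

    def measure(self, data):
        # The patent names SM3; SHA-256 is substituted because Python's hashlib does
        # not guarantee SM3 support. Any cryptographic hash serves the logic here.
        return hashlib.sha256(data).hexdigest()

    def authenticate(self, secret):
        self._authorized = hmac.compare_digest(secret, self._auth_secret)
        return self._authorized

    def _require_auth(self):
        if not self._authorized:
            raise PermissionError("TCM NVM access requires prior identity authentication")

    def nvm_write(self, name, reference):
        self._require_auth()
        self._nvm[name] = reference

    def nvm_read(self, name):
        self._require_auth()
        return self._nvm[name]


class MainControlModule:
    """TPCM engine; `policies` maps object name -> (action on match, action on mismatch)."""

    def __init__(self, otp, tcm, policies, auth_secret):
        self.otp, self.tcm, self.policies = otp, tcm, policies
        self._auth_secret = auth_secret

    def _login(self):
        if not self.tcm.authenticate(self._auth_secret):
            raise PermissionError("main control module failed TCM identity authentication")

    def verify(self, name, data):
        """Verify one measured object; returns (matched, policy_action)."""
        self._login()
        if self.otp.read(name) == 1:
            # First identification: no reference value yet. Store this measurement as the
            # reference, then burn the fuse so later boots go straight to the comparison.
            self.tcm.nvm_write(name, self.tcm.measure(data))
            self.otp.burn(name)
        first_value = self.tcm.measure(data)
        reference = self.tcm.nvm_read(name)
        matched = hmac.compare_digest(first_value, reference)
        action = self.policies[name][0 if matched else 1]
        self.tcm.pcr_log.append({"object": name, "reference": reference,
                                 "matched": matched, "action": action})
        return matched, action

    def apply_remote_reference(self, name, new_reference):
        """Reference value pushed by the remote trusted management center after the
        object was updated. The fuse is already blown, so only the NVM entry changes."""
        self._login()
        self.tcm.nvm_write(name, new_reference)

    def apply_remote_policy(self, name, on_match, on_mismatch):
        self.policies[name] = (on_match, on_mismatch)


def build_demo_system(auth_secret=b"constructed-auth-secret"):
    policies = {name: ("continue_boot", "halt_boot") for name in SAMPLE_OBJECTS}
    return MainControlModule(OneTimeProgrammableMemory(SAMPLE_OBJECTS),
                             TrustedCryptoModule(auth_secret), policies, auth_secret)
```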

上述更新接口1104主要负责和远程远程可信管理中心13通信,用于将更新的信息导入可信平台控制模块110。The above-mentioned update interface 1104 is mainly responsible for communicating with the remote trusted management center 13 and is used to import updated information into the trusted platform control module 110 .

该远程可信管理中心13中包括基准及策略管理模块。具体实现中,被度量对象时常有更新或者被度量对象被度量之后对应的控制策略时常有更新。那么,该基准及策略管理模块可以对更新后的被度量对象进行度量获得新的基准度量值,然后通过更新接口1104将该新的基准度量值发送到可信平台控制模块110。另外,该基准及策略管理模块还可以通过更新接口1104将更新后的控制策略发送到可信平台控制模块110。以使得可信平台控制模块110可以及时更新对应的基准度量值和控制策略。The remote trusted management center 13 includes a baseline and policy management module. In the specific implementation, the measured object is often updated or the corresponding control strategy is often updated after the measured object is measured. Then, the benchmark and policy management module can measure the updated measured object to obtain a new benchmark metric value, and then send the new benchmark metric value to the trusted platform control module 110 through the update interface 1104 . In addition, the baseline and policy management module can also send the updated control policy to the trusted platform control module 110 through the update interface 1104. This allows the trusted platform control module 110 to update the corresponding baseline metric values and control strategies in a timely manner.

另外,示例性地,远程可信管理中心13还可以完成可信验证结果的远程可信证明等。本申请对远程可信管理中心13的具体功能不做限制。In addition, for example, the remote trusted management center 13 can also complete remote trustworthy certification of trustworthy verification results, etc. This application does not limit the specific functions of the remote trusted management center 13.

上述可信密码模块112中包括算法模块1121、非易失性存储器1122和平台配置寄存器(platformconfigurationregisters,PCR)1123。The above-mentioned trusted cryptographic module 112 includes an algorithm module 1121, a non-volatile memory 1122 and a platform configuration register (platform configuration registers, PCR) 1123.

上述算法模块1121可以实现密码散列函数算法。在本申请实施例中,该算法模块1121可以通过密码散列函数算法计算被度量对象的完整性度量值。示例性地,该密码散列函数算法例如可以是国家密码管理局发布的SM3密码杂凑算法等等。本申请对具体使用的密码散列函数算法不做限制。The above algorithm module 1121 can implement a cryptographic hash function algorithm. In this embodiment of the present application, the algorithm module 1121 can calculate the integrity measurement value of the measured object through a cryptographic hash function algorithm. For example, the cryptographic hash function algorithm can be, for example, the SM3 cryptographic hash algorithm issued by the State Cryptozoology Administration, or the like. This application does not place any restrictions on the specific cryptographic hash function algorithm used.

上述非易失性存储器1122可以用于存储被度量对象的基准度量值。The above-mentioned non-volatile memory 1122 may be used to store the baseline measurement value of the measured object.

上述平台配置寄存器1123可以用于进一步保存被度量对象的基准度量值和被度量对象每次度量得到的度量值。平台配置寄存器1123中保存的信息可以用于为远程远程可信管理中心13提供可信证明。The above-mentioned platform configuration register 1123 can be used to further save the baseline measurement value of the measured object and the measurement value obtained by each measurement of the measured object. The information saved in the platform configuration register 1123 can be used to provide trustworthy proof for the remote trusted management center 13 .

一种可能的实施方式中,上述可信平台控制模块110中的主控模块1101、策略控制模块1102和更新接口1104可以是以软件或固件的形式部署在设备中,并由设备中的处理器调用执行以实现其各自对应的功能。上述可信密码模块112可以是以硬件的形式实现,为可信验证提供底层硬件基础保障。该可信密码模块112为上述可信验证系统11的可信根。In a possible implementation, the main control module 1101, the policy control module 1102 and the update interface 1104 in the trusted platform control module 110 may be deployed in the device in the form of software or firmware and controlled by the processor in the device. Call executions to implement their respective corresponding functions. The above-mentioned trusted cryptographic module 112 may be implemented in the form of hardware to provide underlying hardware basic guarantee for trusted verification. The trusted cryptographic module 112 is the trusted root of the above-mentioned trusted verification system 11 .

In a possible implementation, the trusted platform control module 110 and the trusted cryptography module 112 may be deployed in the BMC management system of the device. The processor in the BMC management system invokes the trusted platform control module 110 to perform trusted verification.

By way of example, the device in which the trusted verification system 11 resides may include, but is not limited to, a server, a workstation, a high-performance computer, a personal home computer, a portable computer and any electronic product based on an intelligent operating system.

It should be noted that the system architecture shown in Figure 1 is only an example; the system architecture provided by the embodiments of this application is not limited to the description above. Any scenario to which the trusted verification method provided by the embodiments of this application is applied is a scenario to which the embodiments of this application are applicable, and this is not repeated here.

To implement active measurement of software and/or firmware in a device based on a TPCM, embodiments of this application provide a trusted verification method. By way of example, the method may be applied to the trusted verification system shown in Figure 1 above, and may be implemented by the main control module of the TPCM in the trusted verification system. Referring to Figure 2, the method may include, but is not limited to, the following steps:

S201. The main control module of the TPCM in the trusted verification system invokes the TCM in the trusted verification system to compute a first measurement value of a first measured object, where the first measured object includes one or more objects among the software and firmware in the device in which the trusted verification system resides.

In a specific implementation, after the device in which the trusted verification system resides is powered on, the TPCM in the trusted verification system is powered on and started first. The integrity measurement of the software and/or firmware in the device is completed by the main control module of the TPCM; that is, the main control module is the first program module to run after the device is powered on.

After the TPCM is powered on and started, it completes a self-test of its internally solidified read-only memory (ROM) and verifies the external secure boot code (ESBC) firmware, thereby completing its own secure boot. After the TPCM has securely booted, the main control module is started first, and the integrity measurement of the software and/or firmware in the device is performed through that main control module.

Specifically, the main control module may read the first measured object directly or indirectly. The first measured object includes one or more objects among the software and firmware in the device. For the first measured object, reference may be made to the description of the measured object 12 shown in Figure 1, which is not repeated here.

In a possible implementation, the first measured object may be read directly over a physical hardware bus. For example, if the first measured object is the binary image file of the BIOS, it may be read directly over the serial peripheral interface (SPI) bus.

In another possible implementation, the first measured object may be obtained indirectly through a measurement agent. The measurement agent accesses and obtains the first measured object, and then sends it to the main control module for integrity measurement. For example, if the first measured object is the binary image file of the computer operating system in the device, it may be obtained indirectly through the measurement agent.

After obtaining the first measured object, the main control module may send it to the TCM. The TCM invokes a cryptographic hash function algorithm to compute the measurement value of the first measured object (that is, the first measurement value). For example, the measurement value of the first measured object may be computed by the algorithm module in the TCM. For the algorithm module in the TCM, reference may be made to the description of the algorithm module 1121 shown in Figure 1, which is not repeated here.

After computing the measurement value of the first measured object, the TCM sends the computed measurement value to the main control module.

S202. The main control module reads the baseline measurement value of the first measured object from the non-volatile memory of the TCM.

In a specific implementation, the baseline measurement value of the first measured object is stored in the non-volatile memory in the TCM. That non-volatile memory has a protection mechanism: only authorized principals may access it.

In a possible implementation, the baseline measurement value of the first measured object may have been written into the non-volatile memory in the TCM by the main control module. In that case, before writing, the main control module may complete identity authentication with the TCM to obtain authorization to access the non-volatile memory in the TCM.

For example, the main control module may send a preconfigured key to the TCM, and the TCM matches the received key against its own preset key. If they match, the identity authentication of the main control module passes. The TCM may then send the main control module an indication that identity authentication has passed, thereby authorizing the main control module to access the non-volatile memory in the TCM. After obtaining this authorization, the main control module may write the baseline measurement value of the first measured object into the non-volatile memory of the TCM. This description of how the main control module authenticates to the TCM to obtain access authorization is only an example and does not limit the embodiments of this application. The process by which the main control module obtains the baseline measurement value of the first measured object is described later and is not detailed here.

Based on the above description, once the main control module has been authorized to access the non-volatile memory in the TCM, then, to improve the efficiency of trusted verification, the main control module may subsequently access the non-volatile memory in the TCM without authenticating again, and read the baseline measurement value of the first measured object from it.

Alternatively, by way of example, to strengthen the protection of the baseline measurement value of the measured object, even if the main control module has already obtained authorization to access the non-volatile memory in the TCM, it must authenticate again and obtain access authorization anew before each subsequent access to the non-volatile memory in the TCM, and only then may it read the baseline measurement value of the first measured object from it.

In another possible implementation, the baseline measurement value of the first measured object may have been written into the non-volatile memory in the TCM by another control module or by a user. In this case, before accessing the non-volatile memory in the TCM, the main control module first performs identity authentication and obtains access authorization, and only then may it read the baseline measurement value of the first measured object from it.

S203. The main control module performs policy control on the first measured object based on the result of matching the first measurement value against the baseline measurement value.

After obtaining the baseline measurement value of the first measured object, the main control module may compare it with the first measurement value computed above.

If the first measurement value is identical to the baseline measurement value, the integrity measurement of the first measured object passes; that is, the first measured object has not been tampered with and is safe. Based on this comparison result, the main control module may allow the first measured object to start running.

If the first measurement value differs from the baseline measurement value, the integrity measurement of the first measured object fails; that is, the first measured object may have been tampered with and poses a security threat. Based on this comparison result, the main control module may perform exception control on the first measured object, for example, preventing the first measured object from starting, or rolling back or restoring the version of the first measured object. This application does not limit the specific policy control.

For example, the main control module may look up the control policy corresponding to the comparison result in the policy control module and use it to control the first measured object. For the policy control module, reference may be made to the corresponding description of Figure 1 above, which is not repeated here.

Optionally, the main control module may store the first measurement value of the first measured object in the platform configuration register of the TCM to provide data for subsequent remote attestation. In addition, the main control module may generate a corresponding event log based on the trusted verification operation performed on the first measured object; for example, the event log may record information such as the outcome of the trusted verification of the first measured object. The main control module may then store one or both of the event log and the matching result in the platform configuration register of the TCM, or in another memory in the trusted verification system; this application does not limit the specific memory used.

In summary, the embodiments of this application provide a trusted verification solution that actively measures the integrity of the software and/or firmware in a device based on a TPCM. In addition, in the embodiments of this application the baseline measurement value of the measured object is stored in the non-volatile memory of the TCM. Since the non-volatile memory of the TCM is a protected storage area that can only be accessed after authorization, the protection of the baseline measurement value is improved.

In a possible implementation, the process by which the main control module writes the baseline measurement value of the first measured object into the non-volatile memory in the TCM is as follows:

In a specific implementation, before the main control module of the TPCM in the trusted verification system invokes the TCM to compute the first measurement value of the first measured object, the main control module first computes the baseline measurement value of the first measured object and writes it into the non-volatile memory in the TCM.

Specifically, after the main control module starts running, it obtains the first measured object. As before, it sends the first measured object to the TCM to compute its measurement value, which may be referred to as the second measurement value for short. The main control module then reads, from the one-time programmable memory, the flag stored in the bit corresponding to the first measured object, and determines from that flag whether the baseline measurement value of the first measured object is stored in the non-volatile memory of the TCM.

As described earlier, the one-time programmable memory may be located in the TPCM, and it can store multiple bits of data. In the embodiments of this application, each measured object may be configured to correspond uniquely to one of those bits, and the flag in the corresponding bit indicates whether the baseline measurement value of that measured object has already been stored in the non-volatile memory of the TCM. For example, since the initial value stored in each bit of the one-time programmable memory is "1", when the bit is programmed once (that is, the fuse corresponding to the bit is blown), the value stored in the bit becomes "0". Because one-time programming is irreversible, once a bit has been programmed its stored value remains "0" and cannot be changed again. Thus, for the bit corresponding to the first measured object, the value "1" may serve as the flag indicating that the baseline measurement value of the first measured object is not stored in the non-volatile memory of the TCM. After the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM, the bit may be programmed once so that its stored value becomes "0"; the value "0" then serves as the flag indicating that the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

Based on the above, after the main control module reads the flag stored in the bit corresponding to the first measured object from the one-time programmable memory, if the flag indicates that the baseline measurement value of the first measured object is not stored in the non-volatile memory of the TCM, the main control module may write the second measurement value computed above into the non-volatile memory of the TCM as the baseline measurement value of the first measured object. Specifically, the main control module completes identity authentication with the TCM and obtains authorization to access the non-volatile memory of the TCM before it writes the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object. For the specific implementation of this identity authentication, refer to the description above, which is not repeated here.

After the main control module writes the baseline measurement value of the first measured object into the non-volatile memory of the TCM, it may blow the fuse of the bit corresponding to the first measured object in the one-time programmable memory, completing the one-time programming of that bit so that the value it stores becomes "0". That is, the first flag originally stored in the bit is changed to the second flag. The first flag is, for example, "1", indicating that the baseline measurement value of the first measured object has not been stored in the non-volatile memory of the TCM. The second flag is, for example, "0", indicating that the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

The main control module may then store the event log and the baseline measurement value of the first measured object in the platform configuration register of the TCM to provide data for subsequent remote attestation.

Optionally, the main control module may store the baseline measurement value of the first measured object in the platform configuration register of the TCM to provide data for subsequent remote attestation. In addition, optionally, after the main control module writes the baseline measurement value of the first measured object into the non-volatile memory of the TCM, it may also generate a corresponding event log; for example, the event log may record information such as the writing of the baseline measurement value of the first measured object into the non-volatile memory of the TCM. The main control module may then store the event log in the platform configuration register of the TCM, or in another memory in the trusted verification system; this application does not limit the specific memory used.

In a possible implementation, based on the above description, before the main control module reads the baseline measurement value of the first measured object from the non-volatile memory of the TCM in step S202, the main control module also reads, from the one-time programmable memory, the flag stored in the bit corresponding to the first measured object. That flag indicates that the baseline measurement value of the first measured object has already been stored in the non-volatile memory of the TCM. The main control module may then, based on that flag, read the baseline measurement value of the first measured object from the non-volatile memory of the TCM.

The embodiments above use a one-time programmable memory to quickly determine whether the baseline measurement value of the first measured object has already been stored. Compared with existing solutions that must compare entries in memory one by one to make this determination, this solution improves the efficiency of trusted measurement. In addition, for a measured object with no stored baseline value, the current measurement value is stored as the baseline value, which solves the problem of having to write the baseline value offline when none exists.

In a possible implementation, the measured object is often upgraded or updated, and after the upgrade the baseline measurement value of the measured object changes accordingly; the baseline measurement value stored in the non-volatile memory of the TCM must therefore be updated as well, otherwise the integrity measurement of the measured object will fail and the measured object will be unable to start and run normally. The following takes the first measured object as an example to describe the process of updating the baseline measurement value stored in the non-volatile memory of the TCM.

When the first measured object is upgraded or updated, the remote trusted management center can detect the upgrade. The remote trusted management center then obtains the upgraded first measured object (referred to as the second measured object for short) and invokes its baseline and policy management module to compute the measurement value of the second measured object. The algorithm used to compute this measurement value is the same as the algorithm used in the TCM.

The TPCM establishes communication with the remote trusted management center through the update interface; see Figure 1 for an example. After obtaining the measurement value of the second measured object, the remote trusted management center sends it to the TPCM through the update interface. The main control module of the TPCM receives the measurement value of the second measured object through the update interface, accesses the non-volatile memory of the TCM, and replaces the original baseline measurement value of the first measured object in that non-volatile memory with the measurement value of the second measured object. Optionally, the main control module completes identity authentication with the TCM and obtains authorization to access the non-volatile memory of the TCM before it writes the measurement value of the second measured object into the non-volatile memory of the TCM. For the specific implementation of this identity authentication, refer to the description above, which is not repeated here.

By interacting with the remote trusted management center to obtain the updated baseline measurement value of the measured object and update the local baseline value, this solution solves the problem that, after the measured object is updated, the baseline value would otherwise have to be re-programmed offline or the object could not start. It also avoids the problem of the integrity measurement of the measured object failing and the measured object being unable to start and run normally.
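The following is an added simulation, not code from the patent or from Huawei, of the flow described in steps S201 to S203 together with the OTP-based baseline provisioning and the baseline update received from the remote trusted management center. It assumes SHA-256 in place of SM3 (hashlib has no portable SM3), models TCM authentication as the key match the page describes, and uses constructed object names, OTP bit indices and a two-entry policy table.

```python
import hashlib
import hmac


def measure(data: bytes) -> bytes:
    """Integrity measurement (TCM algorithm module). SHA-256 stands in for SM3."""
    return hashlib.sha256(data).digest()


class OTPMemory:
    """One-time programmable bits: every bit starts at 1; blowing a fuse sets it
    to 0, and there is deliberately no operation that sets a bit back to 1."""

    def __init__(self, nbits: int):
        self._bits = [1] * nbits

    def read(self, idx: int) -> int:
        return self._bits[idx]

    def blow(self, idx: int) -> None:
        self._bits[idx] = 0  # irreversible one-time programming


class TCM:
    """Trusted cryptography module: hash engine, authorization-gated NVM holding
    baselines, and platform configuration registers (PCRs)."""

    def __init__(self, preset_key: bytes, pcr_count: int = 4):
        self._preset_key = preset_key
        self._nvm = {}            # object name -> baseline measurement value
        self._authorized = set()  # callers that passed identity authentication
        self.pcrs = [bytes(32)] * pcr_count

    def compute(self, data: bytes) -> bytes:
        return measure(data)

    def authenticate(self, caller: str, key: bytes) -> bool:
        # The caller presents its preconfigured key; the TCM matches it against
        # its own preset key (constant-time compare is an addition here).
        if hmac.compare_digest(key, self._preset_key):
            self._authorized.add(caller)
            return True
        return False

    def _check(self, caller: str) -> None:
        if caller not in self._authorized:
            raise PermissionError("NVM access requires prior authentication")

    def nvm_read(self, caller: str, name: str) -> bytes:
        self._check(caller)
        return self._nvm[name]

    def nvm_write(self, caller: str, name: str, value: bytes) -> None:
        self._check(caller)
        self._nvm[name] = value

    def pcr_extend(self, idx: int, value: bytes) -> None:
        # PCR = H(PCR || value): every measurement is chained into the register.
        self.pcrs[idx] = measure(self.pcrs[idx] + value)


class MainControlModule:
    """TPCM main control module: first code to run after the TPCM secure boot."""

    NAME = "tpcm-main"
    # Constructed policy control module contents: match result -> action.
    POLICY = {"match": "start", "mismatch": "block"}

    def __init__(self, tcm: TCM, otp: OTPMemory, key: bytes):
        self.tcm, self.otp, self._key = tcm, otp, key
        self.event_log = []

    def _authorize(self) -> None:
        # Strict variant from the page: authenticate before every NVM access.
        if not self.tcm.authenticate(self.NAME, self._key):
            raise PermissionError("TCM rejected the main control module key")

    def verify(self, name: str, otp_bit: int, pcr: int, image: bytes) -> str:
        value = self.tcm.compute(image)                 # S201: measure the object
        if self.otp.read(otp_bit) == 1:                 # flag 1: no baseline stored yet
            self._authorize()
            self.tcm.nvm_write(self.NAME, name, value)  # current value becomes baseline
            self.otp.blow(otp_bit)                      # flag 1 -> 0, cannot be undone
            self.tcm.pcr_extend(pcr, value)
            self.event_log.append((name, "baseline-provisioned"))
            return "provisioned"
        self._authorize()
        baseline = self.tcm.nvm_read(self.NAME, name)   # S202: read the baseline
        self.tcm.pcr_extend(pcr, value)                 # evidence for remote attestation
        result = "match" if hmac.compare_digest(value, baseline) else "mismatch"
        self.event_log.append((name, result))
        return self.POLICY[result]                      # S203: policy control

    def update_baseline(self, name: str, new_baseline: bytes) -> None:
        """Baseline received over the update interface from the remote trusted
        management center after the measured object was upgraded."""
        self._authorize()
        self.tcm.nvm_write(self.NAME, name, new_baseline)
        self.event_log.append((name, "baseline-updated"))
```

Note that a tampered image is blocked without touching the OTP bit, and a legitimately upgraded image is also blocked until the remote center pushes the new baseline, which is exactly the failure mode the update path exists to resolve.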

In a possible implementation, the control policy of the measured object is also often upgraded or updated, and the configuration in the policy control module of the TPCM must then be updated accordingly, otherwise the policy control of the measured object will behave abnormally. The following takes the first measured object as an example to describe the process of updating the policy configuration in the policy control module of the TPCM.

Specifically, the remote trusted management center can detect an update of the control policy of the first measured object. The baseline and policy management module of the remote trusted management center then obtains the updated control policy of the first measured object. As before, the TPCM establishes communication with the remote trusted management center through the update interface; see Figure 1 for an example. After obtaining the updated control policy of the first measured object, the remote trusted management center sends it to the TPCM through the update interface. The main control module of the TPCM receives the updated control policy of the first measured object through the update interface, and then updates the policy configuration of the first measured object in the policy control module based on the received control policy.

Optionally, the control policy of the upgraded first measured object, that is, the second measured object, may also be upgraded or updated; for the specific process, refer to the description above, which is not repeated here.

By interacting with the remote trusted management center, this solution achieves timely control policy updates and avoids abnormal policy control of the measured object during trusted verification.

The trusted verification method provided by the embodiments of this application has been described above. It will be understood that, in order to implement the corresponding functions, each device includes the hardware structures and/or software modules needed to perform each function. In conjunction with the units and steps of the examples described in the embodiments disclosed herein, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of this application.

The embodiments of this application may divide the device into functional modules according to the method examples above. For example, each functional module may correspond to one function, or two or more functions may be integrated into one module. The integrated modules may be implemented in hardware or as software functional modules. It should be noted that the division of modules in the embodiments of this application is illustrative and is only a logical division of functions; in actual implementation there may be other ways of dividing them.

Where each functional module corresponds to one function, Figure 3 shows a specific logical structure of the apparatus, which may be the apparatus in which the trusted verification system described above resides. The apparatus 300 includes a trusted platform control module 301 and a trusted cryptography module 302, and the trusted platform control module 301 includes a main control module 3011. In particular:

The main control module 3011 is configured to:

invoke the trusted cryptography module 302 to compute a first measurement value of a first measured object, where the first measured object includes one or more objects among the software and firmware in the device in which the trusted verification system resides;

read the baseline measurement value of the first measured object from the non-volatile memory of the trusted cryptography module 302;

perform policy control on the first measured object based on the result of matching the first measurement value against the baseline measurement value.

In a possible implementation, the main control module 3011 is further configured to:

before calling the TCM 302 to compute the first measurement value of the first measured object, call the TCM 302 to compute a second measurement value of the first measured object;

read, from the one-time programmable (OTP) memory, a first identifier corresponding to the first measured object, the first identifier indicating that no baseline measurement value of the first measured object is stored in the non-volatile memory of the TCM 302; and

based on the first identifier, write the second measurement value into the non-volatile memory of the TCM 302 as the baseline measurement value of the first measured object.

In a possible implementation, the main control module 3011 is further configured to:

before writing the second measurement value into the non-volatile memory of the TCM 302 as the baseline measurement value of the first measured object based on the first identifier, complete identity authentication with the TCM 302 and obtain authorization to access the non-volatile memory of the TCM 302.

In a possible implementation, the main control module 3011 is further configured to:

after writing the second measurement value into the non-volatile memory of the TCM 302 as the baseline measurement value of the first measured object based on the first identifier, change the first identifier corresponding to the first measured object in the OTP memory to a second identifier, the second identifier indicating that the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM 302.

In a possible implementation, the main control module 3011 is further configured to read the second identifier corresponding to the first measured object from the OTP memory;

and reading the baseline measurement value of the first measured object from the non-volatile memory of the TCM 302 includes:

reading the baseline measurement value of the first measured object from the non-volatile memory of the TCM 302 based on the second identifier.

In a possible implementation, the main control module 3011 is further configured to:

receive, from a remote trusted management center, a baseline measurement value of a second measured object, the second measured object being the updated version of the first measured object; and

update the baseline measurement value of the first measured object in the non-volatile memory of the TCM 302 to the baseline measurement value of the second measured object.

In a possible implementation, the policy control module of the TPCM 301 includes configuration information of the control policy of the measured object, and the main control module 3011 is further configured to:

receive, from the remote trusted management center, a target control policy for the first measured object, the target control policy being the updated version of the control policy of the first measured object; and

update the configuration information of the control policy of the first measured object in the policy control module of the TPCM 301 to the configuration information of the target control policy.

In a possible implementation, the main control module 3011 is further configured to:

generate an event log based on the process of trusted verification of the first measured object; and

store one or more of the baseline measurement value of the first measured object, the matching result and the event log in the platform configuration memory of the TCM 302.

In a possible implementation, the trusted verification system is a management system implemented on a baseboard management controller (BMC).

For the specific operations and beneficial effects of each unit of the apparatus 300 shown in FIG. 3, refer to the corresponding descriptions of FIG. 2 and its specific method embodiments above; they are not repeated here.
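The enrolment-then-verify flow of the main control module described above, as an added worked example in Python that is not code from the patent. It models a TCM (hash engine, non-volatile memory reachable only after authentication, and the platform configuration memory as an extend-only register plus event log), an OTP memory whose flag bits can be set but never cleared, and a TPCM main control module that enrols the baseline on the first boot, compares later measurements against it, applies the configured policy, and accepts baseline and policy updates from the management center. All class and function names (TCM, OTP, TPCM, sign, demo) and the sample firmware images are constructed here. Two details are assumptions rather than something the description states: SHA-256 stands in for the TCM's hash algorithm, and updates from the remote trusted management center carry an HMAC tag under a key shared with the TPCM, since without some such check the update path would let anyone overwrite a baseline that the TCM otherwise protects.

```python
# Added example (not the patent's code): simulation of the TPCM main-control flow.
# Assumed: SHA-256 stands in for the TCM hash; TCM NVM, OTP memory and the policy
# store are in-memory; TCM authentication is a constructed shared-secret check.
import hashlib
import hmac

OTP_NO_BASELINE = 0    # "first identifier": no baseline in TCM NVM yet
OTP_BASELINE_SET = 1   # "second identifier": baseline stored; a blown fuse stays blown
ALLOW, ALERT, BLOCK = "allow", "alert", "block"

def sign(key: bytes, obj: str, payload: bytes) -> bytes:
    # tag the management centre attaches to an update (assumed; the patent does not say)
    return hmac.new(key, obj.encode() + payload, "sha256").digest()

class TCM:
    """Stand-in trusted cryptographic module: hash engine, protected NVM, PCR-style register."""
    def __init__(self, auth_secret: bytes):
        self._auth_secret, self._authorized = auth_secret, False
        self._nvm = {}            # baseline store, reachable only after authentication
        self.pcr = bytes(32)      # "platform configuration memory", modelled extend-only
        self.event_log = []
    def measure(self, data: bytes) -> bytes:
        return hashlib.sha256(data).digest()
    def authenticate(self, proof: bytes) -> bool:
        self._authorized = hmac.compare_digest(proof, self._auth_secret)
        return self._authorized
    def nvm_write(self, obj: str, value: bytes) -> None:
        if not self._authorized:
            raise PermissionError("TCM NVM access requires prior authentication")
        self._nvm[obj] = value
    def nvm_read(self, obj: str):
        if not self._authorized:
            raise PermissionError("TCM NVM access requires prior authentication")
        return self._nvm.get(obj)
    def extend(self, event: str, digest: bytes) -> None:
        # PCR = H(PCR || digest); the event log lets a verifier replay the register
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        self.event_log.append((event, digest.hex()))

class OTP:
    """One-time programmable flags: a set bit cannot be cleared again."""
    def __init__(self):
        self._bits = {}
    def read(self, obj: str) -> int:
        return self._bits.get(obj, OTP_NO_BASELINE)
    def program(self, obj: str, value: int) -> None:
        if value < self.read(obj):
            raise ValueError("OTP bits cannot be cleared")
        self._bits[obj] = value

class TPCM:
    """Main control module: measures, enrols or compares baselines, applies policy."""
    def __init__(self, tcm: TCM, otp: OTP, tcm_proof: bytes, mgmt_key: bytes):
        self.tcm, self.otp, self._tcm_proof = tcm, otp, tcm_proof
        self._mgmt_key = mgmt_key  # assumed: key shared with the remote management centre
        self.policy = {}           # obj -> action on mismatch (control-policy configuration)
    def verify(self, obj: str, image: bytes):
        """Returns (matched, action); on the first run with no baseline, enrols one."""
        if not self.tcm.authenticate(self._tcm_proof):
            raise PermissionError("TPCM failed to authenticate to the TCM")
        if self.otp.read(obj) == OTP_NO_BASELINE:
            baseline = self.tcm.measure(image)      # the "second measurement value"
            self.tcm.nvm_write(obj, baseline)
            self.otp.program(obj, OTP_BASELINE_SET)
            self.tcm.extend(f"{obj}:baseline-enrolled", baseline)
        digest = self.tcm.measure(image)            # the "first measurement value"
        baseline = self.tcm.nvm_read(obj)
        # a set OTP flag with an empty NVM slot is a mismatch, never a pass
        matched = baseline is not None and hmac.compare_digest(digest, baseline)
        action = ALLOW if matched else self.policy.get(obj, BLOCK)
        self.tcm.extend(f"{obj}:{'match' if matched else 'mismatch'}:{action}", digest)
        return matched, action
    def _check_mgmt_msg(self, obj: str, payload: bytes, tag: bytes) -> None:
        if not hmac.compare_digest(sign(self._mgmt_key, obj, payload), tag):
            raise PermissionError("rejected unauthenticated update from management centre")
    def update_baseline(self, obj: str, new_baseline: bytes, tag: bytes) -> None:
        self._check_mgmt_msg(obj, new_baseline, tag)
        self.tcm.authenticate(self._tcm_proof)
        self.tcm.nvm_write(obj, new_baseline)
        self.tcm.extend(f"{obj}:baseline-updated", new_baseline)
    def update_policy(self, obj: str, action: str, tag: bytes) -> None:
        self._check_mgmt_msg(obj, action.encode(), tag)
        self.policy[obj] = action

def demo():
    """Constructed walk-through: enrol, verify, tamper, signed update, re-verify."""
    tcm, otp, key = TCM(b"tcm-auth-secret"), OTP(), b"mgmt-key"
    tpcm = TPCM(tcm, otp, b"tcm-auth-secret", mgmt_key=key)
    fw_v1, fw_v2 = b"BMC firmware v1 (constructed)", b"BMC firmware v2 (constructed)"
    tpcm.update_policy("bmc_fw", ALERT, sign(key, "bmc_fw", b"alert"))
    results = [tpcm.verify("bmc_fw", fw_v1)]             # first boot: enrol, then match
    results.append(tpcm.verify("bmc_fw", fw_v1 + b"!"))  # tampered image: mismatch -> alert
    results.append(tpcm.verify("bmc_fw", fw_v2))         # unannounced update: mismatch
    new_base = tcm.measure(fw_v2)
    tpcm.update_baseline("bmc_fw", new_base, sign(key, "bmc_fw", new_base))
    results.append(tpcm.verify("bmc_fw", fw_v2))         # accepted after baseline update
    return results, otp.read("bmc_fw"), len(tcm.event_log)
```

demo() returns the (matched, action) results of four verifications: the first boot enrols a baseline and passes, a tampered image and an unannounced new version both mismatch and trigger the configured alert action, and the new version passes once the signed baseline update has been applied. The OTP flag read at the end is OTP_BASELINE_SET and cannot be programmed back, so a later boot can never re-enter the enrolment path with a different image; a set flag whose NVM slot is empty is treated as a mismatch rather than silently re-enrolling.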

FIG. 4 shows a specific hardware structure of the apparatus provided by this application, which may be the device in which the trusted verification system of the embodiments above resides. The apparatus 400 includes a processor 401, a memory 402 and a communication interface 403. The processor 401, the communication interface 403 and the memory 402 may be connected to one another directly or through a bus 404.

By way of example, the memory 402 is used to store the computer programs and data of the apparatus 400, and may include, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM). The memory 402 may, for example, store the computer programs of one or more of the main control module, the policy control module and the update interface of the trusted verification system described above.

The communication interface 403 includes a sending interface and a receiving interface; there may be more than one communication interface 403. It supports communication by the apparatus 400, for example receiving or sending data or messages.

By way of example, the processor 401 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination of these. The processor may also be a combination that implements a computing function, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The processor 401 may read the program stored in the memory 402 so that the apparatus 400 performs the trusted verification method described in FIG. 2 and its specific embodiments above.

In a specific implementation, the processor 401 may read the program stored in the memory 402 and perform the following operations: call the TCM to compute a first measurement value of a first measured object, the first measured object including one or more objects among the software and firmware of the device in which the trusted verification system resides; read a baseline measurement value of the first measured object from the non-volatile memory of the TCM; and perform policy control on the first measured object based on the result of matching the first measurement value against the baseline measurement value.

For the specific operations and beneficial effects of each unit of the apparatus 400 shown in FIG. 4, refer to the corresponding descriptions of FIG. 2 and its specific method embodiments above; they are not repeated here.

An embodiment of this application further provides a computer-readable storage medium storing a computer program, the computer program being executed by a processor to implement the method described in any of the embodiments of FIG. 2 and its specific method embodiments above.

An embodiment of this application further provides a computer program product; when the computer program product is read and executed by a computer, the method described in any of the embodiments of FIG. 2 and its specific method embodiments above is performed.

In summary, the embodiments of this application provide a trusted verification scheme that uses a TPCM to actively measure the integrity of the software and/or firmware in a device. In addition, the baseline measurement value of the measured object is stored in the non-volatile memory of the TCM; because the non-volatile memory of the TCM is a protected storage area that can be accessed only after authorization, the baseline measurement value is better protected. This in turn makes the integrity measurement more reliable, reduces the risk of the measured object being tampered with, and improves the security of the system.

In this application, the terms "first", "second" and so on are used to distinguish identical or similar items whose roles and functions are essentially the same. It should be understood that "first", "second" and "nth" imply no logical or temporal dependency and place no limit on quantity or order of execution. It should also be understood that although the following description uses the terms first, second and so on to describe various elements, these elements should not be limited by the terms; the terms serve only to distinguish one element from another.

It should also be understood that, in the embodiments of this application, the sequence numbers of the processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic and does not limit the implementation of the embodiments of this application.

It should also be understood that the term "include" (also "includes", "including", "comprises" and/or "comprising"), when used in this specification, specifies the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.

It should also be understood that "one embodiment", "an embodiment" and "a possible implementation" throughout this specification mean that a particular feature, structure or characteristic related to the embodiment or implementation is included in at least one embodiment of this application. Thus, "in one embodiment", "in an embodiment" and "a possible implementation" appearing in various places throughout this specification do not necessarily refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

Finally, it should be noted that the embodiments above only illustrate the technical solutions of this application and do not limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solutions departing from the scope of the technical solutions of the embodiments of this application.

Claims (20)

1. A trusted verification method, characterized in that the method is applied to a trusted verification system, the trusted verification system including a trusted platform control module (TPCM) and a trusted cryptographic module (TCM), the TPCM including a main control module; the method comprising performing, by the main control module, the following operations: calling the TCM to compute a first measurement value of a first measured object, the first measured object including one or more objects among the software and firmware of the device in which the trusted verification system resides; reading a baseline measurement value of the first measured object from the non-volatile memory of the TCM; and performing policy control on the first measured object based on the result of matching the first measurement value against the baseline measurement value.

2. The method according to claim 1, characterized in that, before calling the TCM to compute the first measurement value of the first measured object, the method further comprises: calling the TCM to compute a second measurement value of the first measured object; reading, from a one-time programmable memory, a first identifier corresponding to the first measured object, the first identifier indicating that no baseline measurement value of the first measured object is stored in the non-volatile memory of the TCM; and writing, based on the first identifier, the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object.

3. The method according to claim 2, characterized in that, before writing the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object based on the first identifier, the method further comprises: completing, by the main control module, identity authentication with the TCM and obtaining authorization to access the non-volatile memory of the TCM.

4. The method according to claim 2 or 3, characterized in that, after writing the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object based on the first identifier, the method further comprises: changing the first identifier corresponding to the first measured object in the one-time programmable memory to a second identifier, the second identifier indicating that the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

5. The method according to claim 4, characterized in that the method further comprises: reading, by the main control module, the second identifier corresponding to the first measured object from the one-time programmable memory; and the reading of the baseline measurement value of the first measured object from the non-volatile memory of the TCM comprises: reading the baseline measurement value of the first measured object from the non-volatile memory of the TCM based on the second identifier.

6. The method according to any one of claims 1 to 5, characterized in that the method further comprises performing, by the main control module, the following operations: receiving, from a remote trusted management center, a baseline measurement value of a second measured object, the second measured object being the updated version of the first measured object; and updating the baseline measurement value of the first measured object in the non-volatile memory of the TCM to the baseline measurement value of the second measured object.

7. The method according to any one of claims 1 to 6, characterized in that a policy control module of the TPCM includes configuration information of the control policy of the measured object; and the method further comprises performing, by the main control module, the following operations: receiving, from the remote trusted management center, a target control policy for the first measured object, the target control policy being the updated version of the control policy of the first measured object; and updating the configuration information of the control policy of the first measured object in the policy control module of the TPCM to the configuration information of the target control policy.

8. The method according to any one of claims 1 to 7, characterized in that the method further comprises performing, by the main control module, the following operations: generating an event log based on the process of trusted verification of the first measured object; and storing one or more of the baseline measurement value of the first measured object, the matching result and the event log in the platform configuration memory of the TCM.

9. The method according to any one of claims 1 to 8, characterized in that the trusted verification system is a management system implemented on a baseboard management controller (BMC).

10. A trusted verification apparatus, characterized in that the apparatus includes a trusted verification system, the trusted verification system including a trusted platform control module (TPCM) and a trusted cryptographic module (TCM), the TPCM including a main control module; the main control module being configured to: call the TCM to compute a first measurement value of a first measured object, the first measured object including one or more objects among the software and firmware of the device in which the trusted verification system resides; read a baseline measurement value of the first measured object from the non-volatile memory of the TCM; and perform policy control on the first measured object based on the result of matching the first measurement value against the baseline measurement value.

11. The apparatus according to claim 10, characterized in that the main control module is further configured to: before calling the TCM to compute the first measurement value of the first measured object, call the TCM to compute a second measurement value of the first measured object; read, from a one-time programmable memory, a first identifier corresponding to the first measured object, the first identifier indicating that no baseline measurement value of the first measured object is stored in the non-volatile memory of the TCM; and write, based on the first identifier, the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object.

12. The apparatus according to claim 11, characterized in that the main control module is further configured to: before writing the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object based on the first identifier, complete identity authentication with the TCM and obtain authorization to access the non-volatile memory of the TCM.

13. The apparatus according to claim 11 or 12, characterized in that the main control module is further configured to: after writing the second measurement value into the non-volatile memory of the TCM as the baseline measurement value of the first measured object based on the first identifier, change the first identifier corresponding to the first measured object in the one-time programmable memory to a second identifier, the second identifier indicating that the baseline measurement value of the first measured object has been stored in the non-volatile memory of the TCM.

14. The apparatus according to claim 13, characterized in that the main control module is further configured to read the second identifier corresponding to the first measured object from the one-time programmable memory; and the reading of the baseline measurement value of the first measured object from the non-volatile memory of the TCM comprises: reading the baseline measurement value of the first measured object from the non-volatile memory of the TCM based on the second identifier.

15. The apparatus according to any one of claims 10 to 14, characterized in that the main control module is further configured to: receive, from a remote trusted management center, a baseline measurement value of a second measured object, the second measured object being the updated version of the first measured object; and update the baseline measurement value of the first measured object in the non-volatile memory of the TCM to the baseline measurement value of the second measured object.

16. The apparatus according to any one of claims 10 to 15, characterized in that a policy control module of the TPCM includes configuration information of the control policy of the measured object; and the main control module is further configured to: receive, from the remote trusted management center, a target control policy for the first measured object, the target control policy being the updated version of the control policy of the first measured object; and update the configuration information of the control policy of the first measured object in the policy control module of the TPCM to the configuration information of the target control policy.

17. The apparatus according to any one of claims 10 to 16, characterized in that the main control module is further configured to: generate an event log based on the process of trusted verification of the first measured object; and store one or more of the baseline measurement value of the first measured object, the matching result and the event log in the platform configuration memory of the TCM.

18. The apparatus according to any one of claims 10 to 17, characterized in that the trusted verification system is a management system implemented on a baseboard management controller (BMC).

19. A trusted verification apparatus, characterized in that the apparatus includes a processor and a memory, the memory being configured to store a computer program and the processor being configured to execute the computer program stored in the memory, so that the apparatus performs the method according to any one of claims 1 to 9.

20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, the computer program being executed by a processor to implement the method according to any one of claims 1 to 9.
PCT/CN2023/083577 2022-03-24 2023-03-24 Trusted verification method and apparatus Ceased WO2023179745A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210297166.9A CN116842517A (en) 2022-03-24 2022-03-24 Trusted verification method and device
CN202210297166.9 2022-03-24

Publications (1)

Publication Number Publication Date
WO2023179745A1 true WO2023179745A1 (en) 2023-09-28

Family

ID=88100078

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/083577 Ceased WO2023179745A1 (en) 2022-03-24 2023-03-24 Trusted verification method and apparatus

Country Status (2)

Country Link
CN (1) CN116842517A (en)
WO (1) WO2023179745A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117806777A (en) * 2024-02-29 2024-04-02 苏州元脑智能科技有限公司 Virtual environment starting integrity verification method, device, system, equipment and medium
CN119299144A (en) * 2024-09-29 2025-01-10 中国电信股份有限公司技术创新中心 Network element verification method, device, computer equipment and storage medium
CN119718960A (en) * 2025-02-10 2025-03-28 西安热工研究院有限公司 Dynamic trusted verification function test method and related device for trusted DCS controller

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115657542B (en) * 2022-10-24 2024-08-27 中国电子信息产业集团有限公司第六研究所 Domestic information security processing system and processing method based on trusted technology
CN119577849A (en) * 2024-10-17 2025-03-07 北京智芯微电子科技有限公司 Device trusted startup verification system, method, device and chip

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104933358A (en) * 2015-07-10 2015-09-23 沈军 Computer immune system design method and realization
CN105205401A (en) * 2015-09-30 2015-12-30 中国人民解放军信息工程大学 Trusted computer system based on safe password chip and trusted guiding method thereof
CN109992973A (en) * 2019-04-10 2019-07-09 北京可信华泰信息技术有限公司 A kind of starting measure and device using OPROM mechanism
CN110334522A (en) * 2019-07-08 2019-10-15 北京可信华泰信息技术有限公司 Start the method and device of measurement
CN111310193A (en) * 2020-02-12 2020-06-19 北京可信华泰信息技术有限公司 Data processing method, device, storage medium and processor
CN111651769A (en) * 2019-03-04 2020-09-11 阿里巴巴集团控股有限公司 Method and device for obtaining measurement of secure boot
US20220067165A1 (en) * 2020-08-27 2022-03-03 Inventec (Pudong) Technology Corporation Security measurement method and security measurement device for startup of server system, and server

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104933358A (en) * 2015-07-10 2015-09-23 沈军 Computer immune system design method and realization
CN105205401A (en) * 2015-09-30 2015-12-30 中国人民解放军信息工程大学 Trusted computer system based on safe password chip and trusted guiding method thereof
CN111651769A (en) * 2019-03-04 2020-09-11 阿里巴巴集团控股有限公司 Method and device for obtaining measurement of secure boot
CN109992973A (en) * 2019-04-10 2019-07-09 北京可信华泰信息技术有限公司 A kind of starting measure and device using OPROM mechanism
CN110334522A (en) * 2019-07-08 2019-10-15 北京可信华泰信息技术有限公司 Start the method and device of measurement
CN111310193A (en) * 2020-02-12 2020-06-19 北京可信华泰信息技术有限公司 Data processing method, device, storage medium and processor
US20220067165A1 (en) * 2020-08-27 2022-03-03 Inventec (Pudong) Technology Corporation Security measurement method and security measurement device for startup of server system, and server

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117806777A (en) * 2024-02-29 2024-04-02 苏州元脑智能科技有限公司 Virtual environment starting integrity verification method, device, system, equipment and medium
CN117806777B (en) * 2024-02-29 2024-05-10 苏州元脑智能科技有限公司 Virtual environment starting integrity verification method, device, system, equipment and medium
CN119299144A (en) * 2024-09-29 2025-01-10 中国电信股份有限公司技术创新中心 Network element verification method, device, computer equipment and storage medium
CN119718960A (en) * 2025-02-10 2025-03-28 西安热工研究院有限公司 Dynamic trusted verification function test method and related device for trusted DCS controller

Also Published As

Publication number Publication date
CN116842517A (en) 2023-10-03

Similar Documents

Publication Publication Date Title
US20230237155A1 (en) Securing communications with security processors using platform keys
US7921286B2 (en) Computer initialization for secure kernel
WO2023179745A1 (en) Trusted verification method and apparatus
JP4855679B2 (en) Encapsulation of reliable platform module functions by TCPA inside server management coprocessor subsystem
CN103080904B (en) Multistage lock-step integrity report mechanism is provided
US11909882B2 (en) Systems and methods to cryptographically verify an identity of an information handling system
US11068599B2 (en) Secure initialization using embedded controller (EC) root of trust
US11809567B2 (en) System and method of authenticating firmware for an information handling system
TWI745629B (en) Computer system and method for initializing computer system
US12488111B2 (en) Computer system, trusted function component, and running method
WO2008039536A2 (en) Persistent security system and method
US11960737B2 (en) Self-deploying encrypted hard disk, deployment method thereof, self-deploying encrypted hard disk system and boot method thereof
US11347858B2 (en) System and method to inhibit firmware downgrade
US12271480B2 (en) Information handling systems and related methods to prevent tampering and verify the integrity of non-volatile data stored within non-volatile memory
US12067121B2 (en) Trusted boot method and apparatus, electronic device, and readable storage medium
WO2025139716A1 (en) Firmware execution method, device and system, storage medium, and electronic device
Dhobi et al. Secure firmware update over the air using trustzone
US11580225B2 (en) Determine whether to perform action on computing device based on analysis of endorsement information of a security co-processor
CN114692160A (en) Processing method and device for safe and trusted starting of computer
US20250307435A1 (en) Detecting unexpected changes to managed nodes based on remotely-generated verification values derived from node-provided integrity measurements
US12019752B2 (en) Security dominion of computing device
US20240037216A1 (en) Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
TWI726406B (en) Authentication method
CN115878122B (en) Method, system and storage medium for corruption determination of data items
US20250358110A1 (en) Extending firmware verification to other components within system as part of chain of trust

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 23773990; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 23773990; Country of ref document: EP; Kind code of ref document: A1