TPCM system and corresponding method for building and maintaining a trusted running environment
Technical field
The present invention relates in general to the field of information security, and in particular to a TPCM (Trusted Platform Control Module) system for building and maintaining a trusted running environment, and to a corresponding method.
Background technology
A Trusted Platform Module (TPM) is a hardware device that is connected to the computer motherboard and is used, in a trusted computing environment, to verify identities and to process the variables used by the computer. The TPM and the data stored in it are generally kept separate from all other components of the computer.
The trusted platform module of the prior art is a separate module under the control of the motherboard, so it cannot guarantee the integrity of the motherboard's own startup code (such as BIOS code). Today, when motherboard startup code is increasingly exposed to attack and tampering, a traditional TPM cannot guarantee the trustworthiness of the computer platform. Nor can it provide dynamic trusted monitoring of the system, so it cannot protect the trustworthiness of the computer's running environment in real time.
In addition, because the trusted platform module of the prior art mostly lacks security verification at the level of startup code (such as BIOS code or Android key generation code), it cannot effectively prevent tampering with or replacement of important components such as USB interfaces, hard disks and memory. It cannot prevent a trusted running environment from being built with hardware that has already been tampered with, nor can it prevent dynamic, real-time modification of system memory; this poses a considerable threat to the reliability of the hardware and the security of the system.
In addition, in the prior art the running environment is generally monitored for security, and malicious intrusions are detected, by software applications such as antivirus software. Monitoring at the software level, however, consumes a large amount of CPU resources for scanning and comparison, and precisely because it depends on the CPU and system memory, it cannot prevent virus injection at the hardware-platform level at all. Even setting these disadvantages aside, because it lacks the support of an underlying trusted base, the security software is itself vulnerable to virus attack and malicious tampering, so such means of monitoring the running environment still cannot satisfactorily guarantee a secure running environment.
Summary of the invention
Starting from the prior art, the task of the invention is to design a metric module with three physical channels based on the three stages of general-purpose computer startup, referred to as the "three-stage, three-channel" scheme; that is, to provide a TPCM system for building and maintaining a trusted running environment and a corresponding method. With the TPCM system or the method, a trusted platform can be established and its running state monitored in real time at low installation cost and hardware cost; malicious tampering with the code stored in the startup code chip is prevented; a chain of trust is established for the system starting from the first CPU instruction; the building of a trusted running environment with tampered hardware is prevented during system startup; and a trusted, secure running environment can be protected dynamically while the system runs.
In a first aspect of the present invention, the task is solved by a TPCM system for building and maintaining a trusted running environment, the TPCM system comprising:
a power control unit connected to the power supply, wherein the power supply provides a standby voltage to the power control unit as the operating voltage of the TPCM system, and the power control unit is configured to instruct the power supply to power on the power module of the computer motherboard when it receives a power-on signal from the startup code metric module;
a startup code metric module connected to the startup code flash memory of the computer motherboard via a master bus and controlling the power supply of the startup code flash memory, the startup code metric module being configured, after the TPCM system is powered on, to read the startup code from the startup code flash memory, generate a first hashed value of the startup code, compare the first hashed value with a first reference hashed value, and send a power-on signal to the power control unit if the first hashed value is consistent with the first reference hashed value;
a platform environment metric module connected to the computer system via a low-speed slave bus, the platform environment metric module being configured to:
collect platform information through trusted boot code after the power module of the computer motherboard is powered on, and generate a second hashed value of the platform information;
compare the second hashed value with a second reference hashed value and, if the second hashed value is consistent with the second reference hashed value, read the operating system loading code;
generate a third hashed value of the operating system loading code, compare the third hashed value with a third reference hashed value and, if they are consistent, run the operating system loading code; and
read the operating system kernel, generate a fourth hashed value of the operating system kernel, compare the fourth hashed value with a fourth reference hashed value and, if they are consistent, run the operating system and put the computer into the trusted operation mode; and
a dynamic measurement module connected to the dynamic memory via a high-speed master bus, the dynamic measurement module being configured to:
actively and dynamically read the contents of instruction storage regions, for example the operating system kernel code, from the dynamic memory and generate a fifth hashed value of the operating system kernel; and
compare the fifth hashed value with a fifth reference hashed value and, if the fifth hashed value is consistent with the fifth reference hashed value, keep the computer in the trusted operation mode.
With the TPCM system for building and maintaining a trusted running environment according to the invention, at least the following advantages can be achieved: (1) because the startup code metric module of the TPCM powers the flash memory separately, under its own control, via the corresponding control bus interface, the TPCM can be powered on before the startup code flash memory; and because only the startup code flash memory, for example the BIOS flash memory, is powered separately, rather than the whole startup code chip circuitry such as the BIOS circuit, electric energy is effectively prevented from back-feeding from the startup code chip to other hardware devices and powering on other, untrusted hardware devices by mistake, so the reliability of establishing a trusted platform is improved; (2) in the invention, by monitoring the running environment at the hardware level, a secure running environment can be guaranteed from the hardware side; since hardware is harder to tamper with than software, higher system security can be achieved than with software monitoring means; (3) in the invention, the TPCM dynamic memory module uses the bus master function to read the contents of system memory actively and directly, without going through the system CPU, which avoids the risk that memory reads routed via the CPU are forged during unloading or transmission; (4) the active dynamic memory monitoring process is essentially independent of the CPU and is entirely an autonomous defensive behavior, which greatly reduces the consumption of system resources, in particular CPU resources; (5) in the invention, the TPCM uses the devices whose trust was verified in the preceding stage, together with the trusted operating system kernel or trusted software base program that it protects in real time, to collect the physical features of the computer and monitor them dynamically in real time; if any abnormal behavior beyond expectation occurs, such as access by a specific USB device or by an unidentified USB device, the TPCM reports it according to the protection policy, cuts off the physical interface concerned, or even forces a shutdown, thereby protecting the trusted execution environment of the system in real time.
It should be noted here that the term "computer" in this application is to be understood broadly; it covers servers, desktop computers, laptop computers, personal digital assistants, tablet computers, intelligent terminals and similar electronic devices. For example, the technical scheme of the invention can be applied to computing devices of the x86, PowerPC, MIPS and ARM architectures, and other devices are also contemplated.
In an extension of the invention, the startup code comprises: the BIOS code in the case of the x86 architecture, or the startup code in the case of the MIPS, ARM or PowerPC architecture. By this extension, trusted running environments can be realized for the components of computing devices of various architectures. For example, the startup code in the case of the PowerPC and ARM architectures is the startup code stored in the startup code flash memory or firmware that performs bottom-level functions such as hardware power-on.
In an extension of the invention, the platform information comprises one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot sector. By this extension, tampering by the startup code chip with the important hardware devices of the computer and with the boot sector can be prevented, as can the building of a trusted running environment with tampered important hardware devices or a tampered boot sector.
In another extension of the invention, the platform information can be bound to different users, for example one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot sector. By this extension, the binding relationship between hardware devices and users can be strictly controlled, and trusted running environments oriented toward different users can be built.
In another extension of the invention, the startup code metric module is additionally configured to put the computer into the untrusted operation mode, or to power off or restart the computer, if the first hashed value is inconsistent with the first reference hashed value; and/or
the platform environment metric module is additionally configured to put the computer into the untrusted operation mode, or to power off or restart the computer, if the second hashed value is inconsistent with the second reference hashed value and/or the third hashed value is inconsistent with the third reference hashed value and/or the fourth hashed value is inconsistent with the fourth reference hashed value; and/or
the dynamic measurement module is additionally configured to put the computer into the untrusted operation mode, or to power off or restart the computer, if the fifth hashed value is inconsistent with the fifth reference hashed value.
By this extension, an exception handling flow can be realized, in which the administrator or user can select as needed the handling operation for the abnormal situation, such as putting the computer into the untrusted operation mode, or powering off or restarting the computer.
In another extension of the invention, the startup code is the x86 BIOS code in the case of the ATX architecture, and the power control unit is additionally configured to:
when receiving the power-on signal from the startup code metric module, instruct the ATX power supply to provide the standby voltage (5VSB) to the ATX power module of the computer motherboard and release the lock on the PW-OK signal, and
after receiving the PS-ON signal from the ATX power module, send the PS-ON signal to the ATX power supply so that the computer motherboard enters the running state.
By this extension, power-on control of the motherboard can easily be realized by controlling the timing signals of the ATX power supply, without any modification to the motherboard.
In a preferred scheme of the invention, a diode is provided in the connection that supplies power to the startup code flash memory within the startup code chip, so that the startup code flash memory is powered unidirectionally. By this preferred scheme, unidirectional power supply to the startup code flash memory can be realized at low cost, so that back-feeding of electric energy from the startup code flash memory to other hardware devices is better prevented.
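The ATX sequencing above, as an added simulation that is not part of the patent: the unit keeps PW-OK locked until the startup code metric module reports a matching first hashed value, so a PS-ON arriving earlier from the motherboard is ignored. Signal names follow the text; the state names and method names are assumptions.

```python
# Added simulation of the power control unit's ATX power-on sequencing (not the patent's circuit).
# Signal names (5VSB, PW-OK, PS-ON) come from the text; state and method names are assumed.
class PowerControlUnit:
    def __init__(self):
        self.state = "standby"        # the TPCM itself already runs from the 5VSB standby voltage
        self.pw_ok_locked = True      # PW-OK stays locked until the startup code has been measured
        self.atx_commands = []        # what the unit has instructed the ATX power supply to do

    def on_power_on_signal(self) -> str:
        """Startup code metric module reports that hashed value 1 matched its reference."""
        if self.state != "standby":
            return self.state         # duplicate signal: nothing more to do
        self.atx_commands.append("provide 5VSB to motherboard power module")
        self.pw_ok_locked = False     # release the lock on PW-OK
        self.state = "awaiting_ps_on"
        return self.state

    def on_ps_on_from_motherboard(self) -> str:
        """The motherboard's ATX power module asserts PS-ON."""
        if self.state != "awaiting_ps_on" or self.pw_ok_locked:
            return self.state         # ignored: the board may not run before measurement passed
        self.atx_commands.append("forward PS-ON to ATX power supply")
        self.state = "running"
        return self.state

def run_sequence(events):
    """Feed an ordered list of events ('power_on' or 'ps_on') to a fresh unit and return it."""
    unit = PowerControlUnit()
    handlers = {"power_on": unit.on_power_on_signal, "ps_on": unit.on_ps_on_from_motherboard}
    for event in events:
        handlers[event]()
    return unit

if __name__ == "__main__":
    for seq in (["power_on", "ps_on"], ["ps_on"], ["ps_on", "power_on"]):
        unit = run_sequence(seq)
        print(seq, "->", unit.state, unit.atx_commands)
```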
In another extension of the invention, a similar control method is provided for active measurement of server systems: measurement control must be added before the BMC (Baseboard Management Controller) is powered on. The two flash chips, the one holding the BMC code and the one holding the startup code, are measured and confirmed with the aforementioned method of measurement control over the startup code, and the power-on control circuit (such as a CPLD) is then notified to supply power. By analogy, the method can be used for measurement control of multiple flash memory chips. In the measurement control process, measurement and power supply may be concurrent or may follow one another in a priority order.
In another preferred scheme of the invention, the dynamic measurement module is additionally configured to:
on an instruction issued by the trusted software base, obtain the key code or critical data of an application program from the system memory and generate a sixth hashed value of the key code; and
compare the sixth hashed value with a sixth reference hashed value and, if the sixth hashed value is inconsistent with the sixth reference hashed value, issue a prompt to the user or put the computer into the untrusted operation mode.
By this preferred scheme, the reliability of each piece of software running in the trusted running environment can additionally be ensured, so that the security of the running environment is better guaranteed. Here, the trusted software base can for example be a basic management software program whose function is to extract the key code of each application program and to monitor and control software and the system according to a management policy. In other embodiments, the software base can be implemented as independent management software protected as trusted by the TPCM module. In further embodiments, a separate CPU core of a multi-core CPU can be used to load and run the trusted software base (i.e. that CPU core is dedicated to loading and running the trusted software base), so that the dynamic monitoring of the trusted computing environment is carried out independently (i.e. in isolation from the other software and hardware of the system). The operating system and the application software kernel have their trustworthiness and security guaranteed by the trusted software base. In some other embodiments, the trusted software base can also be bound to the operating system kernel to form a trusted operating system, which monitors and manages the application software and the trusted context in real time.
In an extension of the invention, the platform environment metric module is connected to the computer system via a low-speed slave device bus. By this extension, the necessary communication between the platform metric module and each piece of hardware can be realized simply. The low-speed slave device bus can for example be an SPI bus, an I2C bus, a serial port, or even GPIO.
In another extension of the invention, the dynamic measurement module is connected to the system via a high-speed bus. By this extension, the necessary communication between the dynamic measurement module and the dynamic memory can be realized simply. The high-speed bus can for example be a USB bus.
In a preferred scheme of the invention, the dynamic measurement module is connected to the dynamic memory via a high-speed master bus. By this scheme, active access by the dynamic measurement module to the dynamic memory can be realized. The high-speed master bus can for example be a PCIe bus.
In a preferred scheme of the invention, the startup code metric module is additionally configured to configure the user's access rights to physical ports according to the user's authority information. By this preferred scheme, the user's access rights to physical ports can be set reliably by the TPCM system acting as the root of trust, which achieves higher security and reliability than having those rights set by untrusted sources such as the startup code system, the operating system or application software.
In another preferred scheme of the invention, the platform environment module is additionally configured to compare the hardware configuration information bound to the user with the collected platform information, in order to judge whether the user has the right to access this computer platform or the right to enter the trusted operation mode of this computer platform. By this preferred scheme, management of user access rights can be reliably achieved.
In a second aspect of the present invention, the aforementioned task is solved by a method for building and maintaining a trusted running environment by means of a TPCM system, wherein the TPCM system is connected to the startup code flash memory of the computer motherboard via a master bus and supplies power to the startup code flash memory, the method comprising the following steps:
providing the operating voltage of the TPCM system from the power supply;
after the TPCM system is powered on, controlling the power supply of the startup code flash memory by the TPCM system, reading the startup code from the startup code flash memory and generating a first hashed value of the startup code;
comparing the first hashed value with a first reference hashed value and, if the first hashed value is consistent with the first reference hashed value, powering on the power module of the computer motherboard;
collecting platform information and generating a second hashed value of the platform information;
comparing the second hashed value with a second reference hashed value and, if the second hashed value is consistent with the second reference hashed value, reading the operating system loading code;
generating a third hashed value of the operating system loading code, comparing the third hashed value with a third reference hashed value and, if they are consistent, running the operating system loading code;
reading the operating system kernel, generating a fourth hashed value of the operating system kernel, comparing the fourth hashed value with a fourth reference hashed value and, if they are consistent, running the operating system and putting the computer into the trusted operation mode;
dynamically reading the operating system kernel from the dynamic memory and generating a fifth hashed value of the operating system kernel; and
comparing the fifth hashed value with a fifth reference hashed value and, if the fifth hashed value is consistent with the fifth reference hashed value, keeping the computer in the trusted operation mode.
By the method according to the invention, the same advantages as with the TPCM system according to the invention can be achieved: the reliability of establishing a trusted platform is improved, installation cost and hardware cost are reduced, tampering with hardware by the startup code chip is prevented, the building of a trusted running environment with tampered hardware is prevented, and a secure running environment can be guaranteed dynamically.
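The measurement chain claimed above for the system and restated in the method steps, as an added simulation that is not part of the patent: hashed values 1 to 4 gate each other in order and only the first one gates motherboard power, while hashed value 5 is taken again from the resident kernel image and decides whether the computer stays in trusted mode. SHA-256, the constructed object contents and the policy names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Hashed value of a measured object. The patent does not fix the algorithm; SHA-256 is assumed.
def measure(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The four static stages in claim order; each object is measured only after the previous
# stage's hashed value matched its reference (hashed values 1 to 4).
STATIC_STAGES = ("startup_code", "platform_info", "os_loader", "os_kernel")

@dataclass
class Platform:
    """Constructed stand-in for the motherboard: the objects the TPCM measures."""
    objects: Dict[str, bytes]           # contents of each statically measured object
    dynamic_memory: bytes               # kernel code as resident in dynamic memory
    motherboard_powered: bool = False   # set by the power control unit
    mode: str = "off"                   # "off", "trusted" or "untrusted"
    log: List[str] = field(default_factory=list)

def golden_platform() -> Platform:
    # Constructed sample contents standing in for BIOS code, hardware inventory, loader, kernel.
    kernel = b"KERNEL v1: init, sched, vfs"
    return Platform(
        objects={
            "startup_code": b"BIOS v1: power on cpu, dram, spi, usb",
            "platform_info": b"cpu=X;dram=8G;disk=S/N-0001;nic=00:11:22:33:44:55",
            "os_loader": b"LOADER v1: load kernel from disk S/N-0001 lba 2048",
            "os_kernel": kernel,
        },
        dynamic_memory=kernel,
    )

def build_references(golden: Platform) -> Dict[str, str]:
    """Reference hashed values 1 to 5, taken once from a known-good platform."""
    refs = {name: measure(data) for name, data in golden.objects.items()}
    refs["dynamic_kernel"] = measure(golden.dynamic_memory)
    return refs

def handle_failure(platform: Platform, policy: str) -> str:
    """Exception handling flow: the administrator's choice of untrusted mode, power-off or restart."""
    platform.mode = "untrusted" if policy == "untrusted" else "off"
    if policy in ("poweroff", "restart"):
        platform.motherboard_powered = False
    if policy == "restart":
        platform.log.append("restart requested")
    return platform.mode

def boot(platform: Platform, refs: Dict[str, str], policy: str = "untrusted") -> str:
    """Static chain of trust (hashed values 1 to 4). Returns the resulting operation mode."""
    for stage in STATIC_STAGES:
        if measure(platform.objects[stage]) != refs[stage]:
            platform.log.append(f"{stage}: hashed value mismatch")
            return handle_failure(platform, policy)
        platform.log.append(f"{stage}: hashed value matches reference")
        if stage == "startup_code":
            # Hash 1 matched: the metric module signals the power control unit, board powers on.
            platform.motherboard_powered = True
    platform.mode = "trusted"
    return platform.mode

def dynamic_measure(platform: Platform, refs: Dict[str, str], policy: str = "untrusted") -> str:
    """Hashed value 5: re-read the kernel region straight from dynamic memory (no CPU involved)
    and keep the computer in trusted mode only while it still matches the reference."""
    if platform.mode != "trusted":
        return platform.mode
    if measure(platform.dynamic_memory) != refs["dynamic_kernel"]:
        platform.log.append("dynamic_kernel: hashed value mismatch")
        return handle_failure(platform, policy)
    platform.log.append("dynamic_kernel: hashed value matches reference")
    return platform.mode

def scenario(tampered_stage=None, tamper_memory=False, policy="untrusted") -> Platform:
    """Boot a (possibly tampered) platform, then run one dynamic measurement round."""
    refs = build_references(golden_platform())
    p = golden_platform()
    if tampered_stage:
        p.objects[tampered_stage] += b" ;constructed malicious patch"
    boot(p, refs, policy)
    if tamper_memory:
        # constructed runtime modification of the resident kernel, as hash 5 is meant to catch
        p.dynamic_memory = p.dynamic_memory.replace(b"sched", b"rootk")
    dynamic_measure(p, refs, policy)
    return p

if __name__ == "__main__":
    cases = ({}, {"tampered_stage": "startup_code"},
             {"tampered_stage": "os_loader", "policy": "poweroff"}, {"tamper_memory": True})
    for args in cases:
        p = scenario(**args)
        print(args, "->", p.mode, "| board powered:", p.motherboard_powered, "|", p.log[-1])
```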
In an extension of the invention, the startup code comprises: the BIOS code in the case of the x86 architecture, or the computer startup code of the PowerPC, ARM, MIPS or other architectures. By this extension, trusted running environments can be realized for the components of computing devices of various architectures. For example, the startup code in the case of the PowerPC and ARM architectures is the startup code stored in the startup code flash memory or firmware that performs bottom-level functions such as hardware power-on.
In an extension of the invention, the platform information comprises one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot sector. By this extension, tampering by the startup code chip with the important hardware devices of the computer and with the boot sector can be prevented, as can the building of a trusted running environment with tampered important hardware devices or a tampered boot sector.
In another extension of the invention, the method also comprises at least one of the following steps:
putting the computer into the untrusted operation mode, or powering off or restarting the computer, if the first hashed value is inconsistent with the first reference hashed value;
putting the computer into the untrusted operation mode, or powering off or restarting the computer, if the second hashed value is inconsistent with the second reference hashed value and/or the third hashed value is inconsistent with the third reference hashed value and/or the fourth hashed value is inconsistent with the fourth reference hashed value; and
putting the computer into the untrusted operation mode, or powering off or restarting the computer, if the fifth hashed value is inconsistent with the fifth reference hashed value.
By this extension, an exception handling flow can be realized, in which the administrator or user can select as needed the handling operation for the abnormal situation, such as putting the computer into the untrusted operation mode, or powering off or restarting the computer.
In a preferred scheme of the invention, the method also comprises the following steps:
obtaining the key code of an application program from the dynamic memory by means of the trusted software base and generating a sixth hashed value of the key code; and
comparing the sixth hashed value with a sixth reference hashed value and, if the sixth hashed value is inconsistent with the sixth reference hashed value, issuing a prompt to the user or putting the computer into the untrusted operation mode.
By this preferred scheme, the reliability of each piece of software running in the trusted running environment can additionally be ensured, so that the security of the running environment is better guaranteed. Here, the trusted software base can for example be a software program whose function is to extract the key code of each application program and to monitor and control software and the system according to a management policy. In other embodiments, the software base can be implemented as basic software, firmware or dedicated hardware. In some embodiments, a separate CPU core of a multi-core CPU can also be used to load and run the trusted software base, so that the dynamic monitoring of the trusted computing environment is carried out independently (i.e. in isolation from the other software and hardware of the system).
Brief description of the drawings
The invention is explained further below with reference to specific embodiments and the accompanying drawings.
Fig. 1 shows a block diagram of the system environment of the TPCM system according to the invention; and
Fig. 2 shows the flow chart of the method according to the invention.
Embodiment
Fig. 1 shows a block diagram of the system environment of the TPCM system 100 according to the invention. The system environment in Fig. 1 comprises a power network 104, an ATX power supply 103, a computer motherboard 106 and the TPCM system 100. It should be noted here that although the embodiment of the invention is illustrated with the x86 architecture, i.e. a computer comprising a BIOS flash memory, the invention is not restricted to this and can also be applied to computers based on other architectures such as PowerPC, ARM and MIPS. It should also be noted that other components are omitted from the diagram for simplicity.
The power network 104 supplies power to the power supply 103; the power supply 103 is for example an ATX power supply, and the power network 104 is for example a 220V AC mains network. It should be pointed out that although the system environment here comprises a power network, in other embodiments the system environment can also comprise other power supply equipment, such as a battery.
The power supply 103 obtains electric energy from the power network 104 and supplies it to the TPCM module 100 and the computer motherboard 106, converting the electric energy where necessary, for example by AC-DC conversion or current/voltage conversion. The power supply 103 can include a sequence control circuit (SECO circuit) 105, which is configured to send and receive the power-on timing signals.
The computer motherboard 106 comprises a power module 107, a flash memory 108, a dynamic memory 113 and a hard disk 114. It should be pointed out that only some components are shown here and others are omitted. The power module 107 is configured to receive the timing signals from the sequence control circuit 105 in order to power on the computer motherboard 106. The startup code flash memory 108 stores startup code, such as BIOS code or other code for controlling the bottom-level hardware. In embodiments based on other architectures, the flash memory 108 stores the startup code for bottom-level functions such as hardware power-on.
The TPCM system 100 according to the invention comprises a power control unit 101, a startup code metric module 102, a platform metric module 111 and a dynamic measurement module 112.
The power control unit 101 is connected to the power supply 103, wherein the power supply 103 provides a standby voltage (such as 5VSB) 110 to the power control unit 101 as the operating voltage of the TPCM system 100. The standby voltage 110 is for example a 5V DC voltage. The power control unit 101 is configured to instruct the power supply 103 to power on the power module 107 of the computer motherboard 106 when it receives the power-on signal from the startup code metric module 102. For example, the power control unit 101 can be connected to the sequence control circuit 105 of the power supply 103 and obtain the standby voltage 110 from the sequence control circuit 105, and the power module 107 receives the power-on signal from the sequence control circuit 105.
The startup code metric module 102 is connected to the startup code flash memory 108 via a master bus 109, such as an SPI bus, and supplies power only to the startup code flash memory 108, the supply voltage being for example 3.3V DC. In one embodiment, a diode can be placed in the connection that supplies power to the flash memory within the startup code chip, so that the startup code flash memory 108 is powered unidirectionally; by this unidirectional power supply, back-feeding of electric energy from the flash memory 108 to other hardware devices, such as the hard disk 114 and the dynamic memory 113 (such as memory, including SDRAM, DDR etc.), is better prevented. In this way, tampering with hardware devices by malicious startup code after the whole startup code chip is powered on can be prevented. The startup code metric module 102 is configured, after the TPCM system 100 is powered on, to read the startup code from the flash memory 108, generate a first hashed value of the startup code, compare the first hashed value with a first reference hashed value, and send the power-on signal to the power control unit 101 if the first hashed value is consistent with the first reference hashed value. Here, the startup code is optionally the key code stored within the startup code in the BIOS flash memory, for example the code that controls the power-on of each piece of hardware, but the complete startup code can also be measured. Of course, other startup code, for example startup code related to system security, is also contemplated. In addition, the startup code metric module 102 can optionally be additionally configured to execute an exception handling flow: if the first hashed value is inconsistent with the first reference hashed value, the computer is put into the untrusted operation mode, or powered off or restarted. In the untrusted operation mode, the running of applications and the access rights of users are limited, and other security measures are taken against untrusted sources.
In addition, the startup code metric module 102 can be additionally configured to configure the user's access rights to physical ports according to the user's authority information. For example, the startup code metric module 102 can optionally power the respective physical ports only after the startup code has been measured, so that unauthorized access is prevented at the root.
Platform metrics module 111 (is herein hard disk by low speed slave unit bus (being herein I2C buses) and hardware device114) connect.Herein, it is noted that platform metrics module 111 can also be total by other low speed slave unit buses, such as SPILine is connected with other hardware devices, such as CPU, internal memory, hard disk, north and south bridge chip, sound card, video card, network interface card, USB device etc.To obtain the hardware information of these hardware devices.
The platform metric module 111 is configured to perform the following actions:
(1) after the power module 107 of the computer mainboard 106 is powered on, collecting platform information, such as the hardware information of the hard disk 114 and the boot information in its boot sector, and generating a second hash value of the platform information; it should be noted here that in other embodiments the platform information can also be other information, such as CPU hardware information, dynamic memory (for example internal memory) hardware information, hard disk hardware information, north and south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information and USB device hardware information;
(2) comparing the second hash value with a second reference hash value and, if the second hash value is consistent with the second reference hash value, reading the operating system loading code;
(3) generating a third hash value of the operating system loading code, comparing the third hash value with a third reference hash value and, if the third hash value is consistent with the third reference hash value, running the operating system loading code, whereby measuring the operating system loading code prevents malicious loading code from being executed and loading an operating system from a wrong location, since an operating system at a wrong location is likely to have been tampered with; and
(4) reading the operating system kernel, generating a fourth hash value of the operating system kernel, comparing the fourth hash value with a fourth reference hash value and, if the fourth hash value is consistent with the fourth reference hash value, running the operating system and making the computer enter the trusted operating mode, whereby measuring the operating system kernel prevents a tampered operating system from running and thereby threatening system security.
In addition, the platform environment metric module 111 can optionally also be configured to perform an exception handling flow, that is, if the second hash value and the second reference hash value are inconsistent, and/or if the third hash value and the third reference hash value are inconsistent, and/or if the fourth hash value and the fourth reference hash value are inconsistent, the computer is made to enter the untrusted operating mode, or the computer is powered down or restarted.
In addition, user access privilege management can also be realized by the platform environment metric module 111, namely by comparing the user's hardware configuration information with the collected platform information in order to judge whether the user may access this computer platform or may enter the trusted operating mode of this computer platform. For example: user A has a CD-ROM drive but no USB interface; if the platform environment metric module 111 finds, after checking the collected platform information, that this computer platform has no CD-ROM drive or has a USB interface, it judges that user A has no right to access this platform or no right to enter the trusted operating mode of this platform, and accordingly powers down the computer platform or makes it enter the untrusted mode.
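The platform metric stage described above (second hash value over the collected platform information, followed by the user hardware configuration check) is shown below as an added worked example; it is not part of the patent text or of any product. The platform information fields, the two user configurations, the choice of SHA-256 over a canonical JSON serialization as the hash, and the idea that the second reference hash value is recorded from the known-good platform at provisioning time are all assumptions of this example.

```python
import copy
import hashlib
import hmac
import json

# Constructed platform information standing in for what platform metric
# module 111 collects over the low-speed slave bus. All field names and
# values here are assumptions for this example, not taken from the patent.
COLLECTED_PLATFORM_INFO = {
    "cpu": {"vendor": "ExampleCPU", "model": "X1", "serial": "CPU-0001"},
    "memory": {"type": "DDR", "size_mb": 8192},
    "hard_disk": {
        "model": "HD-EX",
        "serial": "HD-0001",
        "boot_sector_sha256": "00" * 32,  # hash of the boot-sector boot information
    },
    "optical_drive": None,                # no CD-ROM drive present
    "usb_ports": ["usb0", "usb1"],         # a USB interface is present
}

# Stored hardware configurations of two users (constructed). True means the
# device must be present on the platform, False means it must be absent.
USER_A_HW_CONFIG = {"optical_drive": True, "usb_interface": False}
USER_B_HW_CONFIG = {"optical_drive": False, "usb_interface": True}


def platform_hash(platform_info: dict) -> str:
    """Second hash value: SHA-256 over a canonical JSON serialization, so the
    same hardware always produces the same hash regardless of dict ordering."""
    canonical = json.dumps(platform_info, sort_keys=True,
                           separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Second reference hash value, assumed to have been recorded from the
# known-good platform when the TPCM was provisioned.
SECOND_REFERENCE_HASH = platform_hash(COLLECTED_PLATFORM_INFO)


def platform_matches_reference(platform_info: dict, reference_hash: str) -> bool:
    """Compare the second hash value with the second reference hash value."""
    return hmac.compare_digest(platform_hash(platform_info), reference_hash)


def device_presence(platform_info: dict) -> dict:
    """Reduce the collected platform information to presence flags that the
    users' stored hardware configurations can be checked against."""
    return {
        "optical_drive": platform_info.get("optical_drive") is not None,
        "usb_interface": bool(platform_info.get("usb_ports")),
    }


def user_may_enter_trusted_mode(user_hw_config: dict, platform_info: dict) -> bool:
    """Access privilege check: every device requirement in the user's
    configuration must agree with what was actually found. An unknown
    device name never matches, so the check denies by default."""
    present = device_presence(platform_info)
    return all(present.get(device) == required
               for device, required in user_hw_config.items())


def platform_decision(user_hw_config: dict, platform_info: dict,
                      reference_hash: str) -> str:
    """Outcome of the platform metric stage for a given user: 'trusted' only
    if both the hash check and the user's hardware configuration check pass;
    otherwise the exception flow leaves the platform in untrusted mode."""
    if not platform_matches_reference(platform_info, reference_hash):
        return "untrusted"
    if not user_may_enter_trusted_mode(user_hw_config, platform_info):
        return "untrusted"
    return "trusted"


def tampered_platform() -> dict:
    """Constructed variant with a swapped hard disk, to show a hash mismatch."""
    info = copy.deepcopy(COLLECTED_PLATFORM_INFO)
    info["hard_disk"]["serial"] = "HD-9999"
    return info
```

With these inputs, user A is refused (the platform has no CD-ROM drive and does have a USB interface, exactly the case in the text), user B is admitted, and replacing the hard disk changes the second hash value so that even user B is left in the untrusted mode. Canonical serialization matters in practice: if the collected information were hashed in whatever order the bus returned it, a benign reordering would look like tampering.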
The dynamic measurement module 112 is connected to the dynamic memory 113 via a high-speed master bus 116 (here a PCIe bus). It should be pointed out that in other embodiments other high-speed master buses, such as a PCIe bus, can also be used; furthermore, if the required security protection level is low and the influence of dynamic monitoring on system resources is disregarded, a non-master bus, such as a USB bus, can also be used to connect to the computer system.
The dynamic measurement module 112 is configured to perform the following actions:
(1) dynamically reading the operating system kernel from the dynamic memory 113 and generating a fifth hash value of the operating system kernel; and
(2) comparing the fifth hash value with a fifth reference hash value and, if the fifth hash value is consistent with the fifth reference hash value, keeping the computer in the trusted operating mode.
Here, "dynamically reading" means reading in real time whenever needed, for example periodically or on request.
By dynamically measuring the operating system kernel, the integrity of the operating system can be verified at any time, so that action can be taken even after the operating system has been tampered with or damaged.
The dynamic measurement module 112 can optionally also be configured to perform the following actions:
(3) obtaining the key code of an application program from the dynamic memory through a trusted software base and generating a sixth hash value of the key code, where the trusted software base can, for example, be a software program whose function is to extract the key code of each application program and to monitor and control software and the system according to a management policy; in other embodiments the software base can be realized as software, firmware or dedicated hardware; and
(4) comparing the sixth hash value with a sixth reference hash value and, if the sixth hash value and the sixth reference hash value are inconsistent, issuing a prompt to the user or making the computer enter the untrusted operating mode.
By measuring the key code of applications, the reliability of each piece of software running in the trusted running environment can additionally be ensured, which further improves the security of the running environment. Moreover, because the dynamic measurement module 112 measures the operating system kernel and the key code of application programs from the hardware level, it offers higher reliability and security than purely software-implemented system security monitoring. In a preferred embodiment, the dynamic measurement module 112 reads the system memory directly through the master function of the high-speed bus, without going through the CPU. This avoids reading the memory via the CPU and thus avoids the risk of unloading, spoofing and forgery during transfer, while also greatly reducing the consumption of system resources, in particular the occupancy of CPU resources. The monitoring process of the dynamic measurement module 112 is substantially independent of CPU execution and is entirely an autonomous defense behavior.
It should be pointed out that the power control unit 101, the startup code metric module 102, the platform metric module 111 and the dynamic measurement module 112 can be realized either by programming a processor or microcontroller, or in hardware such as a field programmable gate array (FPGA) or an application specific integrated circuit (ASIC).
With the TPCM system for building and maintaining a trusted running environment according to the invention, at least the following advantages can be achieved:
(1) since the startup code metric module of the TPCM powers the flash memory separately via the corresponding control bus interface, the TPCM can be powered on before the startup code flash memory, and because only the startup code flash memory, such as the BIOS flash memory, is powered separately rather than the whole startup flash scheme, such as the BIOS circuit, erroneous power-on of other untrusted hardware devices caused by electric energy flowing back from the startup flash scheme into those devices can be effectively prevented, which improves the reliability of realizing a trusted platform;
(2) in the present invention, by monitoring the running environment at the hardware level, a secure running environment can be ensured from the hardware level; since hardware is more difficult to tamper with than software, higher system security can be achieved than with software monitoring means;
(3) in the preferred scheme of the present invention, the TPCM dynamic measurement module uses the master function of the bus to actively and directly read the data content of the system memory without going through the system CPU, which avoids reading the memory via the CPU and the spoofing and forgery risks present in unloading and transfer;
(4) the dynamic measurement (module) monitoring process is substantially independent of CPU execution and is entirely an autonomous defense behavior, which greatly reduces the consumption of system resources, in particular the occupancy of CPU resources;
(5) in the present invention, the TPCM uses the trusted operating system kernel or trusted software base program, which has passed the trust check of the preceding stage and is protected in real time, to collect the physical characteristics of the computer devices for real-time dynamic monitoring; if there is any abnormal behavior beyond expectation, such as removal of a specific USB device or access by an unidentified USB device, the TPCM reports it according to the protection policy and may even shut off its physical interface, protecting the trusted execution environment of the system in real time.
Fig. 2 shows the flow chart 200 of the method according to the invention.
In step 202, the operating voltage (for example 5VSB) of the TPCM system 100 is provided by the power supply 103. The operating voltage is, for example, a 5V DC voltage.
In step 204, after the TPCM system is powered on, the flash memory 108 is powered by the TPCM system 100, the startup code is read from the flash memory 108, and a first hash value of the startup code is generated.
In step 206, the first hash value is compared with the first reference hash value and, if the first hash value is consistent with the first reference hash value, the power module 107 of the computer mainboard 106 is powered on.
In step 208, platform information is collected and a second hash value of the platform information is generated. The platform information can, for example, include one or more of the following: CPU hardware information, dynamic memory (for example internal memory) hardware information, hard disk hardware information, north and south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information, USB device hardware information and the boot information of the hard disk boot sector.
In step 210, the second hash value is compared with the second reference hash value and, if the second hash value is consistent with the second reference hash value, the operating system loading code is read.
In step 212, a third hash value of the operating system loading code is generated, the third hash value is compared with the third reference hash value and, if the third hash value is consistent with the third reference hash value, the operating system loading code is run.
In step 214, the operating system kernel is read, a fourth hash value of the operating system kernel is generated, the fourth hash value is compared with the fourth reference hash value and, if the fourth hash value is consistent with the fourth reference hash value, the operating system is run and the computer enters the trusted operating mode. At this point the trusted working environment of the computer has been established.
In step 216, the operating system kernel is dynamically obtained from the dynamic memory (for example internal memory) and a fifth hash value of the operating system kernel is generated.
In step 218, the fifth hash value is compared with the fifth reference hash value and, if the fifth hash value is consistent with the fifth reference hash value, the computer is kept in the trusted operating mode.
Here, the method can optionally also include (not shown): obtaining the key code of an application program from the dynamic memory through the trusted software base and generating a sixth hash value of the key code; and
comparing the sixth hash value with the sixth reference hash value and, if the sixth hash value and the sixth reference hash value are inconsistent, issuing a prompt to the user or making the computer enter the untrusted operating mode.
In addition, the method according to the invention can also include an exception handling flow, specifically including one or more of the following steps:
if the first hash value and the first reference hash value are inconsistent, making the computer enter the untrusted operating mode, or powering down or restarting the computer;
if the second hash value and the second reference hash value are inconsistent, and/or if the third hash value and the third reference hash value are inconsistent, and/or if the fourth hash value and the fourth reference hash value are inconsistent, making the computer enter the untrusted operating mode, or powering down or restarting the computer; and
if the fifth hash value and the fifth reference hash value are inconsistent, making the computer enter the untrusted operating mode, or powering down or restarting the computer.
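The complete measurement chain of steps 204 to 218, together with the exception handling flow and the optional sixth hash value, is shown below as one added worked example that is not part of the patent text or of any product. It models the startup code metric module 102, the platform metric module 111 and the dynamic measurement module 112 as a single state machine, with a bytearray standing in for the dynamic memory 113 so that an in-memory kernel modification between two dynamic readings can be simulated. The stand-in startup code, platform information, loader, kernel and application key code are constructed, SHA-256 is assumed as the measurement hash, the reference hash values are assumed to be provisioned from known-good copies, and the exception flow always chooses the untrusted operating mode (power-down and restart are the alternatives named in the text).

```python
import hashlib
import hmac
from enum import Enum


class Mode(Enum):
    OFF = "off"                # TPCM powered, mainboard not yet powered on
    TRUSTED = "trusted"        # trusted operating mode (step 214 reached)
    UNTRUSTED = "untrusted"    # result of the exception handling flow


def measure(data: bytes) -> bytes:
    """Measurement hash used for hash values 1 to 6 (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


# Constructed stand-ins for the objects measured in steps 204 to 218.
STARTUP_CODE = b"example BIOS key code v1"
PLATFORM_INFO = b"cpu=X1;disk=HD-0001;boot_sector=(constructed)"
OS_LOADER = b"example OS loader"
OS_KERNEL = b"example OS kernel image"
APP_KEY_CODE = b"example application key code"

# Reference hash values, assumed to be provisioned into the TPCM from
# known-good copies before deployment. The fifth reference hash value is the
# kernel reference again, since the same kernel image is re-measured.
REFERENCE = {
    "startup_code": measure(STARTUP_CODE),   # 1st reference hash value
    "platform": measure(PLATFORM_INFO),      # 2nd
    "os_loader": measure(OS_LOADER),         # 3rd
    "kernel": measure(OS_KERNEL),            # 4th and 5th
    "application": measure(APP_KEY_CODE),    # 6th
}


class TPCM:
    """State machine covering power control unit 101, startup code metric
    module 102, platform metric module 111 and dynamic measurement module 112.
    `memory` stands in for dynamic memory 113 and is read directly, which is
    the closest a simulation gets to the bus-master read without the CPU."""

    def __init__(self, reference: dict, memory: bytearray):
        self.reference = reference
        self.memory = memory            # bytearray so tampering can be simulated
        self.mode = Mode.OFF
        self.mainboard_powered = False  # power module 107 state
        self.log = []                   # (stage, result) audit trail

    def _check(self, stage: str, data: bytes) -> bool:
        """Measure `data` and compare with the reference for this stage."""
        ok = hmac.compare_digest(measure(data), self.reference[stage])
        self.log.append((stage, ok))
        return ok

    def _exception(self) -> Mode:
        """Exception handling flow: enter the untrusted operating mode."""
        self.mode = Mode.UNTRUSTED
        return self.mode

    def boot(self, startup_code: bytes, platform_info: bytes, os_loader: bytes) -> Mode:
        """Steps 204 to 214. The mainboard is powered only after the startup
        code measurement passes; each later stage runs only if the previous
        one passed, and the kernel is read from memory for the 4th hash."""
        if not self._check("startup_code", startup_code):
            return self._exception()    # mainboard never receives power
        self.mainboard_powered = True   # power-on signal to unit 101
        stages = (
            ("platform", platform_info),
            ("os_loader", os_loader),
            ("kernel", bytes(self.memory)),
        )
        for stage, data in stages:
            if not self._check(stage, data):
                return self._exception()
        self.mode = Mode.TRUSTED
        return self.mode

    def dynamic_measure(self) -> Mode:
        """Steps 216 and 218: re-read the kernel from dynamic memory and keep
        the trusted mode only while the 5th hash value still matches."""
        if self.mode is Mode.TRUSTED and not self._check("kernel", bytes(self.memory)):
            return self._exception()
        return self.mode

    def check_application(self, key_code: bytes) -> bool:
        """Optional 6th hash value over application key code supplied by the
        trusted software base; False means a prompt to the user is due."""
        ok = hmac.compare_digest(measure(key_code), self.reference["application"])
        self.log.append(("application", ok))
        return ok


def run_demo(tamper_kernel: bool = False) -> list:
    """Boot once, optionally modify the kernel in memory, then re-measure.
    Returns the operating mode after boot and after the dynamic measurement."""
    memory = bytearray(OS_KERNEL)
    tpcm = TPCM(REFERENCE, memory)
    modes = [tpcm.boot(STARTUP_CODE, PLATFORM_INFO, OS_LOADER)]
    if tamper_kernel:
        memory[0] ^= 0xFF               # simulated in-memory kernel modification
    modes.append(tpcm.dynamic_measure())
    return modes
```

Two properties of the text are visible in the code: a startup code mismatch leaves `mainboard_powered` false, because the power-on signal to the power control unit 101 is only sent after the first hash check, and a kernel modified after step 214 is caught by the next dynamic reading even though the boot itself was clean. In a real TPCM the `_check` results would be kept in hardware rather than in a Python list, since a log the monitored system can rewrite is no evidence.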
Although some embodiments of the invention have been described in this specification, it will be readily apparent to those skilled in the art that these embodiments are shown merely as examples. Numerous variations, alternatives and improvements will occur to those skilled in the art without departing from the scope of the invention. The appended claims are intended to define the scope of the invention and thereby cover the methods and structures within the scope of these claims and their equivalents.