CN113127844A - Variable access method, device, system, equipment and medium - Google Patents
Variable access method, device, system, equipment and mediumDownload PDFInfo
- Publication number
- CN113127844A CN113127844ACN202110315421.3ACN202110315421ACN113127844ACN 113127844 ACN113127844 ACN 113127844ACN 202110315421 ACN202110315421 ACN 202110315421ACN 113127844 ACN113127844 ACN 113127844A
- Authority
- CN
- China
- Prior art keywords
- variable
- digital signature
- summary information
- uefi
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a system, a device, and a medium for variable access.
Background
The UEFI (Unified Extensible Firmware Interface) variable refers to an Nvram variable stored in a BIOS chip and used in a UEFI BIOS (Basic Input Output System), an Interface function in a runtime is provided in the BIOS, and an operation for acquiring or setting the Nvram variable may be performed on the Nvram variable, a content of the variable may be obtained through a GetVariable (), and a content of the variable may be set through a SetVariable (). The OS (operating System) may access the UEFI variables by calling such interface functions. In the related art, anyone can read and write the UEFI variable at any time under the OS, which causes great threat to the security of the server.
Therefore, how to provide a solution to the above technical problem is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a variable access method, a device, a system, equipment and a medium, which can prevent malicious reading and writing of a target UEFI variable under an OS (operating system), ensure the security of target UEFI variable access under the OS and improve the reliability of a server. The specific scheme is as follows:
the application provides a variable access method, which comprises the following steps:
acquiring a digital signature, a variable name and a GUID (unique identifier) corresponding to the variable name which are sent by client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device according to the variable name and the GUID of the target UEFI variable by using a specific private key;
decrypting the digital signature by using a public key to obtain the summary information;
performing hash processing on the variable name and the GUID to obtain summary information to be verified;
comparing the summary information with the summary information to be verified;
if so, accessing the target UEFI variable; and if not, denying access to the target UEFI variable.
Preferably, before decrypting the digital signature by using the public key to obtain the digest information, the method further includes:
judging whether the variable name is in a prestored table or not;
if the variable name is not in the pre-stored table, directly accessing the target UEFI variable;
and if the variable name is in the pre-stored table, executing the decryption of the digital signature by using the public key to obtain the summary information.
Preferably, if the variable name is in the pre-stored table, the decrypting the digital signature by using the public key is executed to obtain the digest information, including:
if the variable name is in the pre-stored table, determining the read-write attribute corresponding to the variable name from the pre-stored table;
and when the read-write attribute is that the read-write can be carried out only by verification, executing the decryption of the digital signature by using the public key to obtain the summary information.
Preferably, the method further comprises the following steps:
receiving a modification instruction of the pre-stored table;
and modifying the UEFI variable information in the pre-stored table according to the modification instruction.
Preferably, the interface function includes: a function GetVariable () and a function SetVariable ().
The application provides a variable access device, comprising:
the acquisition module is used for acquiring the digital signature, the variable name and the GUID corresponding to the variable name which are sent by the client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device according to the variable name and the GUID of the target UEFI variable by using a specific private key;
the decryption module is used for decrypting the digital signature by using a public key to obtain the summary information;
the first hash module is used for carrying out hash processing on the variable name and the GUID to obtain summary information to be verified;
the comparison module is used for comparing the summary information with the summary information to be verified;
determining whether to access a module, wherein the module is used for accessing the target UEFI variable if the module is consistent with the target UEFI variable; and if not, denying access to the target UEFI variable.
The application provides a variable access method, which comprises the following steps:
the client device performs hash processing according to the variable name and GUID of the target UEFI variable to generate summary information;
encrypting the information digest by using a specific private key to generate a digital signature;
and sending the digital signature, the variable name and the GUID to a BIOS through an interface function so that the BIOS can check by using a public key according to the digital signature, the variable name and the GUID.
The application provides a variable access device, comprising:
the second hash module is used for performing hash processing on the client equipment according to the variable name and the GUID of the target UEFI variable to generate summary information;
the encryption module is used for encrypting the information abstract by using a specific private key to generate a digital signature;
and the sending module is used for sending the digital signature, the variable name and the GUID to the BIOS through an interface function so that the BIOS can check by using a public key according to the digital signature, the variable name and the GUID.
The present application provides a variable access system comprising:
the client device is used for performing hash processing according to the variable name and the GUID of the target UEFI variable to generate summary information; encrypting the information digest by using a specific private key to generate a digital signature; sending the digital signature, the variable name and the GUID to a BIOS through an interface function;
the BIOS is used for acquiring the digital signature, the variable name and the GUID corresponding to the variable name which are sent by the client equipment through an interface function; decrypting the digital signature by using a public key to obtain the summary information; performing hash processing on the variable name and the GUID to obtain summary information to be verified; comparing the summary information with the summary information to be verified; if so, accessing the target UEFI variable; and if not, denying access to the target UEFI variable.
The application provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the variable access method as described above when executing the computer program.
The present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the variable access method as described above.
The application provides a variable access method, which comprises the following steps: acquiring a digital signature, a variable name and a GUID corresponding to the variable name sent by client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device through a specific private key according to the variable name and GUID of the target UEFI variable; decrypting the digital signature by using the public key to obtain abstract information; carrying out hash processing on the variable name and the GUID to obtain summary information to be verified; comparing the summary information with summary information to be verified; if so, accessing a target UEFI variable; and if not, denying access to the target UEFI variable.
Therefore, the method and the device have the advantages that the abstract information of the target UFID variable needing to be accessed is encrypted by using the specific private key corresponding to the user in the client device to obtain the digital signature, the digital signature is verified in the interface function of the BIOS, and the target UEFI variable can be accessed only after the verification is successful.
The application also provides a variable access device, a system, equipment and a medium, which have the beneficial effects and are not repeated herein.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a variable access method provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a variable access device according to an embodiment of the present application;
FIG. 3 is a flow chart of another variable access method provided by an embodiment of the present application;
fig. 4 is a schematic structural diagram of a variable access device according to an embodiment of the present application;
fig. 5 is a schematic diagram of a secure access mechanism of UEFI variables under an OS according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure;
fig. 7 is a block diagram of another electronic device according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The UEFI variable refers to an Nvram variable used in a UEFI BIOS and stored in a BIOS chip, an interface function under a runtime is provided in the BIOS, the interface function can acquire or set the NVRAM variable, the content of the variable can be acquired through a function GetVariable (), and the content of one variable can be set through a function SetVariable (). The UEFI variable may be accessed by the OS by calling such interface functions. In the related art, anyone can read and write the UEFI variable at any time under the OS, which causes great threat to the security of the server.
Based on the above technical problem, this embodiment provides a variable access method, in a client device, a specific private key corresponding to a user is used to encrypt digest information of a target UFID variable to be accessed to obtain a digital signature, the digest information is checked in an interface function of a BIOS, and only after the check is successful, the target UEFI variable can be accessed.
Referring to fig. 1, fig. 1 is a flowchart of a variable access method provided in an embodiment of the present application, which specifically includes:
s101, acquiring a digital signature, a variable name and a GUID corresponding to the variable name sent by client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device through a specific private key according to the variable name and GUID of the target UEFI variable;
the variable access method provided by this embodiment is mainly that, between the BIOS and the client device, a client corresponding to the client device generates a key pair, where a private key is used for signing in the client device, and a public key corresponding to the private key is included in a BIOS code and used for verifying the signature when calling an underlying function to access the UEFI variable. Specifically, the client device performs hash processing according to a variable name and a GUID (global Unique Identifier) of the target UEFI variable to generate digest information, and encrypts and purchases the digest information by using a private key to obtain a digital signature. The variable name is the name of a target UEFI variable that the client device needs to access, and the GUID is a unique identification code corresponding to the UEFI variable.
Wherein, the interface function includes: a function GetVariable () and a function SetVariable (). Of course, the interface function may also include a GetNextVariableName function and a QueryVariableInfo function, which is not limited in this embodiment as long as the purpose of this embodiment can be achieved.
It is understood that UEFI variables include: the UEFI variable includes a target UEFI variable, and the socketpowermanageconfig and SocketMemoryConfig may also be set by a user through user definition.
Further, before this step, the method may further include: and receiving a function starting instruction.
It can be understood that different customers may have different requirements, and different use scenarios may also have different requirements, and therefore, an interface for turning on and off the function is reserved in the BIOS to meet the requirements of different customers.
S102, decrypting the digital signature by using the public key to obtain summary information;
and when the public key is successfully matched with the private key, the decryption can be carried out, and if the public key is different from the private key, the decryption fails.
In an implementation manner, public keys corresponding to a plurality of users are prestored in the BIOS, the user information is burned into a chip of the server, the BIOS acquires the user information from the chip, and then the public key of the user is selected from the prestored public keys corresponding to the plurality of users.
The Encryption and decryption algorithms corresponding to the public key or the private key are not limited, a user can select the Encryption and decryption algorithms according to actual requirements, and the Encryption and decryption algorithms can be symmetric Encryption algorithms such as Data Encryption Standard (DES), triple Data Encryption Standard (3 DES), Advanced Encryption Standard (AES) and Blowfish; asymmetric encryption algorithms such as RSA, ELGamal; but of course also single phase encryption.
S103, carrying out hash processing on the variable name and the GUID to obtain summary information to be verified;
the hash processing in this step is in the same manner as the client device, and the digest information to be verified is obtained.
S104, comparing the summary information with summary information to be verified;
if yes, go to step S105; if not, go to step S106.
S105, accessing a target UEFI variable;
and S106, denying access to the target UEFI variable.
Furthermore, after the target UEFI variable is refused to be accessed, alarm information can be sent so as to remind a user of the dangerous situation of malicious reading and writing.
Based on the technical scheme, in the embodiment, the abstract information of the target UFFI variable to be accessed is encrypted by using a specific private key corresponding to a user in the client device to obtain a digital signature, the abstract information is checked in an interface function of a BIOS, and the target UEFI variable can be accessed only after the check is successful.
Further, in order to improve flexibility of access, before decrypting the digital signature by using the public key to obtain the digest information, the method further includes:
s107, judging whether the variable name is in a prestored table or not;
the UEFI variables are many, but not all UEFI variables are particularly important and need to be protected, and all protected UEFI variables are listed in a prestored table. Specifically, the pre-stored table includes variable names and GUIDs of all protected UEFI variables, and may also include read-write attributes, where the read-write attributes may set whether the UEFI variables are readable and writable or require authentication to be read and written.
If the variable name is not in the pre-stored table, executing step S108; if the variable name is in the pre-stored table, step S102 is executed.
Further, the method can also comprise the following steps: and receiving a modification instruction of the pre-stored table, and modifying the UEFI variable information in the pre-stored table according to the modification instruction. Wherein the modification instruction includes, but is not limited to, any one or more of the following: and adding UEFI variables, deleting UEFI variables and modifying read-write attributes.
S108, directly accessing a target UEFI variable;
when the target UEFI variable is not prestored in the table, the variable does not need to be protected and can be directly accessed.
S102, decrypting the digital signature by using the public key to obtain the summary information.
Therefore, the access check is only performed on the UEFI variable in the pre-stored table, the check is targeted, the problem of low efficiency caused by indifference check is avoided, and the flexibility of access is improved.
Further, if the variable name is in the pre-stored table, performing decryption of the digital signature by using the public key to obtain the digest information, including:
if the variable name is in the pre-stored table, determining the read-write attribute corresponding to the variable name from the pre-stored table;
and when the read-write attribute is that the read-write can be carried out only by verification, the public key is used for decrypting the digital signature to obtain the abstract information.
The read-write attribute can set whether the UEFI variable is readable and writable or can be read and written after verification is needed; verification conditions can be refined through the setting of the read-write attribute, the safety of UEFI variable access under the OS is guaranteed, the reliability of the server is improved, the quality of products is enhanced, and the satisfaction of customers is improved.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a variable access apparatus provided in an embodiment of the present application, where the variable access apparatus provided in the embodiment of the present application is described below, and the variable access apparatus described below and the variable access method described above may be referred to correspondingly, and includes:
an obtainingmodule 201, configured to obtain, through an interface function, a digital signature, a variable name, and a GUID corresponding to the variable name, which are sent by a client device; the digital signature is generated by encrypting the summary information generated by the client device through a specific private key according to the variable name and GUID of the target UEFI variable;
thedecryption module 202 is configured to decrypt the digital signature with the public key to obtain digest information;
thefirst hashing module 203 is configured to perform hashing processing on the variable name and the GUID to obtain summary information to be verified;
thecomparison module 204 is used for comparing the summary information with the summary information to be verified;
determining whether to access amodule 205, configured to access a target UEFI variable if the two variables are consistent; and if not, denying access to the target UEFI variable.
Further, the method also comprises the following steps:
the judging module is used for judging whether the variable name is in a prestored table or not;
the direct access module is used for directly accessing the target UEFI variable if the variable name is not in the prestored table;
and the execution module is used for executing the decryption of the digital signature by using the public key to obtain the summary information if the variable name is in the pre-stored table.
Further, the execution module includes:
a read-write attribute determining unit, configured to determine, if the variable name is in the pre-stored table, a read-write attribute corresponding to the variable name from the pre-stored table;
and the execution unit is used for executing the decryption of the digital signature by using the public key to obtain the summary information when the read-write attribute is that the read-write can be carried out only by verification.
Further, the method also comprises the following steps:
the modification instruction receiving module is used for receiving the modification instruction of the pre-stored table;
and the modification module is used for modifying the UEFI variable information in the pre-stored table according to the modification instruction.
Further, the interface function includes: a function GetVariable () and a function SetVariable ().
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
Referring to fig. 3, fig. 3 is a flowchart of another variable access method provided in the embodiment of the present application, including:
s301, the client device performs hash processing according to the variable name and GUID of the target UEFI variable to generate summary information;
s302, encrypting the information abstract by using a specific private key to generate a digital signature;
and S303, sending the digital signature, the variable name and the GUID to the BIOS through an interface function so that the BIOS can check by using a public key according to the digital signature, the variable name and the GUID.
Based on the technical scheme, in the embodiment, the abstract information of the target UFFI variable to be accessed is encrypted by using a specific private key corresponding to a user in the client device to obtain a digital signature, the abstract information is checked in an interface function of a BIOS, and the target UEFI variable can be accessed only after the check is successful.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a variable access device provided in an embodiment of the present application, where the variable access device provided in the embodiment of the present application is described below, and the device described below and the method described above may be referred to correspondingly, and includes:
thesecond hash module 401 is configured to perform hash processing on the client device according to the variable name and the GUID of the target UEFI variable to generate digest information;
anencryption module 402, configured to encrypt the information digest with a specific private key to generate a digital signature;
a sendingmodule 403, configured to send the digital signature, the variable name, and the GUID to the BIOS through an interface function, so that the BIOS performs verification by using the public key according to the digital signature, the variable name, and the GUID.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
In the following, a variable access system provided by an embodiment of the present application is introduced, and the variable access system described below and the method described above may be referred to correspondingly.
The present application provides a variable access system comprising:
the client device is used for performing hash processing according to the variable name and the GUID of the target UEFI variable to generate summary information; encrypting the information digest by using a specific private key to generate a digital signature; sending the digital signature, the variable name and the GUID to a BIOS through an interface function;
the BIOS is used for acquiring the digital signature, the variable name and the GUID corresponding to the variable name sent by the client equipment through the interface function; decrypting the digital signature by using the public key to obtain abstract information; carrying out hash processing on the variable name and the GUID to obtain summary information to be verified; comparing the summary information with summary information to be verified; if so, accessing a target UEFI variable; and if not, denying access to the target UEFI variable.
Since the embodiment of the variable access system portion corresponds to the embodiment of the method portion, please refer to the description of the embodiment of the method portion for the embodiment of the variable access system portion, which is not repeated here.
Referring to fig. 5, fig. 5 is a schematic diagram of a secure access mechanism of a UEFI variable under an OS according to an embodiment of the present application, specifically:
1. the client is responsible for generating a key pair, wherein the private key is held in the client for signature; the public key is contained in BIOS codes by the BIOS and used for verifying the signature when calling a bottom function;
2. the BIOS is responsible for managing the public key, loading the corresponding public key for different clients, and closing the function for the clients who do not need the function;
3. and a pre-storage table is maintained in the BIOS, and the pre-storage table contains information such as names/GUIDs/read-write attributes of all protected UEFI variables. The read-write attribute can set whether the UEFI variable is readable and writable or can be read and written only by authentication;
4. when a client needs to access a target UEFI variable, firstly determining a variable name and a GUID of the target UEFI variable to be acquired, then performing hash processing on the information to generate summary information, then encrypting the summary information by using a private key to generate a digital signature, and finally transmitting the digital signature, the variable name, the GUID and other information as parameters to a function GetVariable () or SetVariable ();
5. in the functions GetVariable () and SetVariable () of the BIOS, firstly checking whether a target UEFI variable to be accessed is in a prestored table, if not, the target UEFI variable to be accessed can be accessed randomly, if so, firstly checking a read-write attribute, determining whether a signature needs to be verified, and if so, determining whether the target UEFI variable can be accessed again according to a signature verification result.
The process of checking the label comprises the following steps: firstly, taking out a digital signature, decrypting the digital signature by using a public key to obtain an information abstract, then performing Hash on a variable name and GUID information in an incoming parameter, comparing the obtained abstract with the decrypted abstract information, if the obtained abstract and the decrypted abstract information are consistent, successfully verifying, and then calling a bottom function; if the summary information is inconsistent, the verification is failed, and the access to the variable is refused.
In the following, an electronic device provided by an embodiment of the present application is introduced, and the electronic device described below and the method described above may be referred to correspondingly.
The present application further provides an electronic device, as shown in fig. 6, fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, and the electronic device includes:
amemory 501 for storing a computer program;
aprocessor 502 for implementing the steps of the method as described above when executing the computer program.
Thememory 501 includes a nonvolatile storage medium, an internal memory. The non-volatile storage medium stores an operating system and computer-readable instructions, and the internal memory provides an environment for the operating system and the computer-readable instructions in the non-volatile storage medium to run.
On the basis of the foregoing embodiment, as a preferred implementation, referring to fig. 7, fig. 7 is a structural diagram of another electronic device provided in an embodiment of the present application, where the electronic device further includes:
theinput interface 503 is connected to theprocessor 502, and is configured to obtain computer programs, parameters, and instructions imported from outside, and store the computer programs, parameters, and instructions into thememory 501 under the control of theprocessor 502. Theinput interface 503 may be connected to an input device for receiving parameters or instructions manually input by a user. The input device may be a touch layer covered on a display screen, or a button, a track ball or a touch pad arranged on a terminal shell, or a keyboard, a touch pad or a mouse, etc.
And adisplay unit 504, connected to theprocessor 502, for displaying data sent by theprocessor 502. Thedisplay unit 504 may be a display screen on a Personal Computer (PC), a liquid crystal display screen, an electronic ink display screen, or the like.
And anetwork port 505 connected to theprocessor 502 for performing communication connection with each external terminal device. The communication technology used by the communication connection may be a wired communication technology or a wireless communication technology, such as a Mobile High-Definition Link (MHL), a Universal Serial Bus (USB), a High-Definition Multimedia Interface (HDMI), a wireless fidelity (WiFi), a bluetooth communication technology, a low-power bluetooth communication technology, an ieee802.11 s-based communication technology, and the like.
Since the embodiment of the electronic device portion and the embodiment of the method portion correspond to each other, please refer to the description of the embodiment of the method portion for the embodiment of the electronic device portion, which is not repeated here.
The following describes a computer-readable storage medium provided by embodiments of the present application, and the computer-readable storage medium described below and the method described above may be referred to correspondingly.
The present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the variable access method as described above.
Since the embodiment of the computer-readable storage medium portion and the embodiment of the method portion correspond to each other, please refer to the description of the embodiment of the method portion for the embodiment of the computer-readable storage medium portion, which is not repeated here.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
A method, apparatus, system, device and medium for variable access provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
Claims (10)
1. A variable access method, comprising:
acquiring a digital signature, a variable name and a GUID (unique identifier) corresponding to the variable name which are sent by client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device according to the variable name and the GUID of the target UEFI variable by using a specific private key;
decrypting the digital signature by using a public key to obtain the summary information;
performing hash processing on the variable name and the GUID to obtain summary information to be verified;
comparing the summary information with the summary information to be verified;
if so, accessing the target UEFI variable; and if not, denying access to the target UEFI variable.
2. The variable access method according to claim 1, wherein before decrypting the digital signature using the public key to obtain the digest information, the method further comprises:
judging whether the variable name is in a prestored table or not;
if the variable name is not in the pre-stored table, directly accessing the target UEFI variable;
and if the variable name is in the pre-stored table, executing the decryption of the digital signature by using the public key to obtain the summary information.
3. The variable access method according to claim 2, wherein the decrypting the digital signature using the public key to obtain the digest information if the variable name is in the pre-stored table comprises:
if the variable name is in the pre-stored table, determining the read-write attribute corresponding to the variable name from the pre-stored table;
and when the read-write attribute is that the read-write can be carried out only by verification, executing the decryption of the digital signature by using the public key to obtain the summary information.
4. The variable access method of claim 2, further comprising:
receiving a modification instruction of the pre-stored table;
and modifying the UEFI variable information in the pre-stored table according to the modification instruction.
5. The variable access method of claim 1, wherein the interface function comprises: a function GetVariable () and a function SetVariable ().
6. A variable access apparatus, comprising:
the acquisition module is used for acquiring the digital signature, the variable name and the GUID corresponding to the variable name which are sent by the client equipment through an interface function; the digital signature is generated by encrypting the summary information generated by the client device according to the variable name and the GUID of the target UEFI variable by using a specific private key;
the decryption module is used for decrypting the digital signature by using a public key to obtain the summary information;
the first hash module is used for carrying out hash processing on the variable name and the GUID to obtain summary information to be verified;
the comparison module is used for comparing the summary information with the summary information to be verified;
determining whether to access a module, wherein the module is used for accessing the target UEFI variable if the module is consistent with the target UEFI variable; and if not, denying access to the target UEFI variable.
7. A variable access method, comprising:
the client device performs hash processing according to the variable name and GUID of the target UEFI variable to generate summary information;
encrypting the information digest by using a specific private key to generate a digital signature;
and sending the digital signature, the variable name and the GUID to a BIOS through an interface function so that the BIOS can check by using a public key according to the digital signature, the variable name and the GUID.
8. A variable access system, comprising:
the client device is used for performing hash processing according to the variable name and the GUID of the target UEFI variable to generate summary information; encrypting the information digest by using a specific private key to generate a digital signature; sending the digital signature, the variable name and the GUID to a BIOS through an interface function;
the BIOS is used for acquiring the digital signature, the variable name and the GUID corresponding to the variable name which are sent by the client equipment through an interface function; decrypting the digital signature by using a public key to obtain the summary information; performing hash processing on the variable name and the GUID to obtain summary information to be verified; comparing the summary information with the summary information to be verified; if so, accessing the target UEFI variable; and if not, denying access to the target UEFI variable.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the variable access method of any one of claims 1 to 5 or claim 7 when executing said computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the variable access method according to any one of claims 1 to 5 or claim 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110315421.3ACN113127844A (en) | 2021-03-24 | 2021-03-24 | Variable access method, device, system, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110315421.3ACN113127844A (en) | 2021-03-24 | 2021-03-24 | Variable access method, device, system, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113127844Atrue CN113127844A (en) | 2021-07-16 |
Family
ID=76774255
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110315421.3APendingCN113127844A (en) | 2021-03-24 | 2021-03-24 | Variable access method, device, system, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113127844A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115563628A (en)* | 2022-01-17 | 2023-01-03 | 荣耀终端有限公司 | Variable reading and writing method and variable reading and writing device |
| CN117520253A (en)* | 2024-01-08 | 2024-02-06 | 长城信息股份有限公司 | Method for clearing CMOS (complementary metal oxide semiconductor) by Feiteng platform, electronic equipment and storage medium |
| TWI885722B (en)* | 2024-01-29 | 2025-06-01 | 系微股份有限公司 | The method for secure communication, the comupting device, the computer-readable recording medium, and the system for secure communication |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1826579A (en)* | 2003-07-18 | 2006-08-30 | 科尔街有限公司 | Controlling access to an area |
| US20150089238A1 (en)* | 2013-09-20 | 2015-03-26 | Insyde Software Corp. | System and method for verifying changes to uefi authenticated variables |
| CN104991774A (en)* | 2015-07-03 | 2015-10-21 | 武汉噢易云计算有限公司 | System and method for guiding interception system in UEFI platform |
| US20160246964A1 (en)* | 2015-02-24 | 2016-08-25 | Dell Products, Lp | Method to Protect BIOS NVRAM from Malicious Code Injection by Encrypting NVRAM Variables and System Therefor |
| CN106815531A (en)* | 2015-12-02 | 2017-06-09 | 比亚迪股份有限公司 | The treating method and apparatus of equipment identification information |
| CN108369520A (en)* | 2016-01-25 | 2018-08-03 | 惠普发展公司,有限责任合伙企业 | Protect basic input/output (BIOS) code |
| CN109804378A (en)* | 2016-10-21 | 2019-05-24 | 惠普发展公司 ,有限责任合伙企业 | BIOS safety |
| CN110018841A (en)* | 2019-04-15 | 2019-07-16 | 苏州浪潮智能科技有限公司 | A kind of UEFI BIOS upgrade method, system and relevant apparatus |
| CN111159700A (en)* | 2019-12-03 | 2020-05-15 | 北京工业大学 | Computer remote safe starting method and system based on UEFI system |
| CN111523112A (en)* | 2020-04-23 | 2020-08-11 | 苏州浪潮智能科技有限公司 | A method, device, device and medium for secure booting of a server |
| CN111934862A (en)* | 2019-08-23 | 2020-11-13 | 广州华多网络科技有限公司 | Server access method, device, readable medium and electronic equipment |
- 2021
- 2021-03-24CNCN202110315421.3Apatent/CN113127844A/enactivePending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1826579A (en)* | 2003-07-18 | 2006-08-30 | 科尔街有限公司 | Controlling access to an area |
| US20150089238A1 (en)* | 2013-09-20 | 2015-03-26 | Insyde Software Corp. | System and method for verifying changes to uefi authenticated variables |
| US20160246964A1 (en)* | 2015-02-24 | 2016-08-25 | Dell Products, Lp | Method to Protect BIOS NVRAM from Malicious Code Injection by Encrypting NVRAM Variables and System Therefor |
| CN104991774A (en)* | 2015-07-03 | 2015-10-21 | 武汉噢易云计算有限公司 | System and method for guiding interception system in UEFI platform |
| CN106815531A (en)* | 2015-12-02 | 2017-06-09 | 比亚迪股份有限公司 | The treating method and apparatus of equipment identification information |
| CN108369520A (en)* | 2016-01-25 | 2018-08-03 | 惠普发展公司,有限责任合伙企业 | Protect basic input/output (BIOS) code |
| CN109804378A (en)* | 2016-10-21 | 2019-05-24 | 惠普发展公司 ,有限责任合伙企业 | BIOS safety |
| CN110018841A (en)* | 2019-04-15 | 2019-07-16 | 苏州浪潮智能科技有限公司 | A kind of UEFI BIOS upgrade method, system and relevant apparatus |
| CN111934862A (en)* | 2019-08-23 | 2020-11-13 | 广州华多网络科技有限公司 | Server access method, device, readable medium and electronic equipment |
| CN111159700A (en)* | 2019-12-03 | 2020-05-15 | 北京工业大学 | Computer remote safe starting method and system based on UEFI system |
| CN111523112A (en)* | 2020-04-23 | 2020-08-11 | 苏州浪潮智能科技有限公司 | A method, device, device and medium for secure booting of a server |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115563628A (en)* | 2022-01-17 | 2023-01-03 | 荣耀终端有限公司 | Variable reading and writing method and variable reading and writing device |
| CN115563628B (en)* | 2022-01-17 | 2023-09-22 | 荣耀终端有限公司 | A variable reading and writing method and a variable reading and writing device |
| CN117520253A (en)* | 2024-01-08 | 2024-02-06 | 长城信息股份有限公司 | Method for clearing CMOS (complementary metal oxide semiconductor) by Feiteng platform, electronic equipment and storage medium |
| CN117520253B (en)* | 2024-01-08 | 2024-04-19 | 长城信息股份有限公司 | A method for clearing CMOS on Feiteng platform, electronic device and storage medium |
| TWI885722B (en)* | 2024-01-29 | 2025-06-01 | 系微股份有限公司 | The method for secure communication, the comupting device, the computer-readable recording medium, and the system for secure communication |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113014539B (en) | Internet of things equipment safety protection system and method | |
| US9270466B2 (en) | System and method for temporary secure boot of an electronic device | |
| US9148415B2 (en) | Method and system for accessing e-book data | |
| CN103929307B (en) | Cipher-code input method, intelligent cipher key equipment and client terminal device | |
| CN108763917B (en) | Data encryption and decryption method and device | |
| US20150095652A1 (en) | Encryption and decryption processing method, apparatus, and device | |
| US20200026882A1 (en) | Methods and systems for activating measurement based on a trusted card | |
| CN106372497B (en) | Application programming interface API protection method and protection device | |
| CN105975867B (en) | Data processing method | |
| CN107124279B (en) | Method and device for erasing terminal data | |
| EP2051181A1 (en) | Information terminal, security device, data protection method, and data protection program | |
| CN113127844A (en) | Variable access method, device, system, equipment and medium | |
| US20150358321A1 (en) | Storage device, information processing apparatus, and information processing method | |
| WO2017067201A1 (en) | Wi-fi connection method, terminal, and system | |
| CN113014444A (en) | Internet of things equipment production test system and safety protection method | |
| CN105337729A (en) | Encryption method and device of mobile terminal and mobile terminal | |
| CN117240625B (en) | Tamper-resistant data processing method and device and electronic equipment | |
| WO2024124804A1 (en) | Software function activation method, apparatus and device, and storage medium | |
| US9210134B2 (en) | Cryptographic processing method and system using a sensitive data item | |
| CN104994498B (en) | The method and system that a kind of terminal applies are interacted with mobile phone card application | |
| TW201738802A (en) | A removable security device and a method to prevent unauthorized exploitation and control access to files | |
| CN118260774B (en) | Server starting method and device, storage medium and electronic equipment | |
| CN114219055A (en) | Bar code generation method, bar code verification method and payment system | |
| CN113177199A (en) | Data processing method and device | |
| CN117610083A (en) | File verification method and device, electronic equipment and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication | Application publication date:20210716 |