CN114995918A - Starting method and configuration method and device of baseboard management controller and electronic equipment - Google Patents
Starting method and configuration method and device of baseboard management controller and electronic equipment Download PDFInfo
- Publication number
- CN114995918A CN114995918A CN202210919497.1A CN202210919497A CN114995918A CN 114995918 A CN114995918 A CN 114995918A CN 202210919497 A CN202210919497 A CN 202210919497A CN 114995918 A CN114995918 A CN 114995918A
- Authority
- CN
- China
- Prior art keywords
- volatile memory
- public key
- management controller
- baseboard management
- encryption information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Storage Device Security (AREA)
Abstract
本发明公开了一种基板管理控制器的启动方法、启动配置方法、装置、电子设备及计算机可读存储介质,涉及计算机技术领域,该启动方法包括:基板管理控制器上电启动后,获取非易失性存储器中存储的公钥;根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息;根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确;若是,则加载镜像文件到基板管理控制器的内存中运行;本发明通过根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确,能够检测镜像文件是否被篡改,从而能够在不使用RoT的基础上,基于非易失性存储器的已有特性,实现BMC芯片的安全启动,避免了更新芯片所增加硬件成本。
The invention discloses a startup method, startup configuration method, device, electronic device and computer-readable storage medium of a baseboard management controller, and relates to the technical field of computers. The public key stored in the volatile memory; according to the public key, the digital signature stored in the non-volatile memory is decrypted to obtain the file encryption information; according to the file encryption information, it is detected whether the image file stored in the non-volatile memory is If yes, load the image file into the memory of the baseboard management controller to run; the present invention detects whether the image file stored in the non-volatile memory is correct according to the file encryption information, and can detect whether the image file has been tampered with, thereby enabling On the basis of not using RoT, based on the existing characteristics of non-volatile memory, the secure boot of the BMC chip is realized, which avoids the increased hardware cost of updating the chip.
Description
技术领域technical field
本发明涉及计算机技术领域,特别涉及一种基板管理控制器的启动方法、启动装置、启动配置方法、启动配置装置、电子设备及计算机可读存储介质。The present invention relates to the field of computer technology, and in particular, to a startup method, startup device, startup configuration method, startup configuration device, electronic device, and computer-readable storage medium of a baseboard management controller.
背景技术Background technique
随着计算机技术发展,软件安全越来越重要。在存储设备中,BMC(BaseboardManagement Controller,基板管理控制器)作为带外管理中心,如果BMC软件程序在启动前被攻击,则会影响整个存储设备的正常管理。With the development of computer technology, software security is becoming more and more important. In a storage device, the Baseboard Management Controller (BMC) acts as an out-of-band management center. If the BMC software program is attacked before starting, it will affect the normal management of the entire storage device.
目前,业界通常的做法是:将RoT(Root of Trust,可信根)和CRTM(Core Root ofTrust for Measurement,可信度量代码)内置到BMC芯片内,然后通过RoT和CRTM验证BMC-IMAGE(镜像文件)是否被篡改,进而实现BMC的安全启动;但是,当前已经大量使用的BMC芯片基本上不支持安全启动功能。因此,如何能够在不使用RoT的基础上,实现BMC芯片的安全启动,保证BMC芯片的使用安全,避免更新芯片所增加硬件成本,是现今急需解决的问题。At present, the common practice in the industry is to build RoT (Root of Trust, Root of Trust) and CRTM (Core Root of Trust for Measurement, trusted measurement code) into the BMC chip, and then verify the BMC-IMAGE (mirror image) through RoT and CRTM. Whether the file) has been tampered with, so as to realize the secure boot of the BMC; however, the BMC chips that have been widely used at present basically do not support the secure boot function. Therefore, how to realize the safe boot of the BMC chip without using the RoT, ensure the safe use of the BMC chip, and avoid the increased hardware cost of updating the chip is an urgent problem to be solved today.
发明内容SUMMARY OF THE INVENTION
本发明的目的是提供一种基板管理控制器的启动方法、启动装置、启动配置方法、启动配置装置、电子设备及计算机可读存储介质,以在不使用RoT的基础上,实现BMC芯片的安全启动,避免更新芯片所增加硬件成本。The purpose of the present invention is to provide a startup method, startup device, startup configuration method, startup configuration device, electronic equipment and computer-readable storage medium of a baseboard management controller, so as to realize the security of BMC chips without using RoT. boot, avoiding the added hardware cost of updating the chip.
为解决上述技术问题,本发明提供一种基板管理控制器的启动方法,包括:In order to solve the above technical problems, the present invention provides a method for starting a baseboard management controller, including:
基板管理控制器上电启动后,获取非易失性存储器中存储的公钥;After the baseboard management controller is powered on and started, the public key stored in the non-volatile memory is obtained;
根据所述公钥,对所述非易失性存储器中存储的数字签名进行解密,得到文件加密信息;Decrypt the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information;
根据所述文件加密信息,检测所述非易失性存储器中存储的镜像文件是否正确;Detecting whether the image file stored in the non-volatile memory is correct according to the file encryption information;
若是,则加载所述镜像文件到所述基板管理控制器的内存中运行。If so, load the image file into the memory of the baseboard management controller to run.
可选的,所述根据所述文件加密信息,检测所述非易失性存储器中存储的镜像文件是否正确,包括:Optionally, the detecting whether the image file stored in the non-volatile memory is correct according to the file encryption information includes:
利用第一预设摘要算法,计算所述镜像文件对应的摘要值;Using the first preset digest algorithm to calculate the digest value corresponding to the image file;
判断所述摘要值与所述文件加密信息是否相同;Judging whether the digest value is the same as the file encryption information;
若相同,则执行所述加载所述镜像文件到所述基板管理控制器的内存中运行的步骤。If the same, the step of loading the image file into the memory of the baseboard management controller is executed.
可选的,所述获取非易失性存储器中存储的公钥之前,还包括:Optionally, before acquiring the public key stored in the non-volatile memory, the method further includes:
加载所述非易失性存储器中存储的可信度量代码到所述基板管理控制器的内存中运行;Loading the trusted measurement code stored in the non-volatile memory into the memory of the baseboard management controller to run;
在所述可信度量代码的运行过程中,执行所述获取非易失性存储器中存储的公钥的步骤。During the running process of the trusted measurement code, the step of obtaining the public key stored in the non-volatile memory is performed.
可选的,所述加载所述非易失性存储器中存储的可信度量代码到所述基板管理控制器的内存中运行,包括:Optionally, the loading of the trusted measurement code stored in the non-volatile memory into the memory of the baseboard management controller for execution includes:
从所述非易失性存储器的保护区域加载所述可信度量代码到所述基板管理控制器的内存中运行;其中,所述保护区域为只读模式的可编程区域。The trusted metric code is loaded from the protection area of the non-volatile memory into the memory of the baseboard management controller to run; wherein, the protection area is a programmable area in read-only mode.
可选的,所述根据所述公钥,对所述非易失性存储器中存储的数字签名进行解密,得到文件加密信息之前,还包括:Optionally, before the digital signature stored in the non-volatile memory is decrypted according to the public key to obtain the file encryption information, the method further includes:
根据所述非易失性存储器中存储的预设加密信息,判断所述公钥是否正确;其中,所述预设加密信息存储在所述非易失性存储器中的一次编程区域;Determine whether the public key is correct according to the preset encryption information stored in the non-volatile memory; wherein, the preset encryption information is stored in a one-time programming area in the non-volatile memory;
若所述公钥正确,则执行所述根据所述公钥,对所述非易失性存储器中存储的数字签名进行解密,得到文件加密信息的步骤。If the public key is correct, the step of decrypting the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information is performed.
可选的,所述根据所述非易失性存储器中存储的预设加密信息,判断所述公钥是否正确,包括:Optionally, determining whether the public key is correct according to preset encryption information stored in the non-volatile memory includes:
利用第二预设摘要算法,计算所述公钥对应的公钥摘要值;using the second preset digest algorithm to calculate the public key digest value corresponding to the public key;
判断所述公钥摘要值与所述预设加密信息是否相同;Determine whether the public key digest value is the same as the preset encryption information;
若相同,则确定所述公钥正确,并执行所述根据所述公钥,对所述非易失性存储器中存储的数字签名进行解密,得到文件加密信息的步骤。If they are the same, it is determined that the public key is correct, and the step of decrypting the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information is performed.
本发明还提供了一种基板管理控制器的启动配置方法,包括:The present invention also provides a startup configuration method for the baseboard management controller, comprising:
对基板管理控制器的镜像文件进行加密,获取文件加密信息;Encrypt the image file of the baseboard management controller to obtain file encryption information;
利用预设非对称加密算法的私钥,对所述文件加密信息进行加密,生成数字签名;Using the private key of the preset asymmetric encryption algorithm to encrypt the file encryption information to generate a digital signature;
将所述镜像文件、所述数字签名和所述私钥对应的公钥存储到非易失性存储器。The image file, the digital signature and the public key corresponding to the private key are stored in a non-volatile memory.
可选的,该启动配置方法还包括:Optionally, the startup configuration method further includes:
将可信度量代码存储到所述非易失性存储器的保护区域;其中,所述保护区域为只读模式的可编程区域,所述可信度量代码用于验证所述镜像文件。The trusted measurement code is stored in a protection area of the non-volatile memory; wherein, the protection area is a programmable area in a read-only mode, and the trusted measurement code is used to verify the image file.
可选的,该启动配置方法还包括:Optionally, the startup configuration method further includes:
对所述公钥进行加密,得到预设加密信息;Encrypting the public key to obtain preset encryption information;
将所述预设加密信息写入到所述非易失性存储器中的一次编程区域。Writing the preset encrypted information into a one-time programming area in the non-volatile memory.
可选的,所述将所述预设加密信息写入到所述非易失性存储器中的一次编程区域之前,还包括:Optionally, before the writing the preset encrypted information into the one-time programming area in the non-volatile memory, the method further includes:
根据所述预设加密信息的大小,生成并输出存储器推荐信息;其中,所述存储器推荐信息包括一次编程区域的容量大于或等于所述预设加密信息的大小的非易失性存储器信息。Generate and output memory recommendation information according to the size of the preset encryption information; wherein the memory recommendation information includes non-volatile memory information whose capacity of a one-time programming area is greater than or equal to the size of the preset encryption information.
可选的,所述对所述公钥进行加密,得到预设加密信息,包括:Optionally, encrypting the public key to obtain preset encryption information, including:
利用第二预设摘要算法,对所述公钥进行加密,得到所述预设加密信息。Using the second preset digest algorithm, encrypt the public key to obtain the preset encryption information.
本发明还提供了一种基板管理控制器的启动装置,包括:The present invention also provides a starting device for the baseboard management controller, comprising:
公钥获取模块,用于在基板管理控制器上电启动后,获取非易失性存储器中存储的公钥;The public key acquisition module is used to acquire the public key stored in the non-volatile memory after the baseboard management controller is powered on and started;
公钥解密模块,用于根据所述公钥,对所述非易失性存储器中存储的数字签名进行解密,得到文件加密信息;a public key decryption module, configured to decrypt the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information;
镜像检测模块,用于根据所述文件加密信息,检测所述非易失性存储器中存储的镜像文件是否正确;an image detection module, configured to detect whether the image file stored in the non-volatile memory is correct according to the file encryption information;
启动运行模块,用于若所述镜像文件正确,则加载所述镜像文件到所述基板管理控制器的内存中运行。A startup and operation module is configured to load the image file into the memory of the baseboard management controller for operation if the image file is correct.
本发明还提供了一种基板管理控制器的启动配置装置,包括:The present invention also provides a startup configuration device for the baseboard management controller, comprising:
文件加密模块,用于对基板管理控制器的镜像文件进行加密,获取文件加密信息;The file encryption module is used to encrypt the image file of the baseboard management controller and obtain the file encryption information;
私钥加密模块,用于利用预设非对称加密算法的私钥,对所述文件加密信息进行加密,生成数字签名;a private key encryption module for encrypting the file encryption information by using the private key of the preset asymmetric encryption algorithm to generate a digital signature;
存储模块,用于将所述镜像文件、所述数字签名和所述私钥对应的公钥存储到非易失性存储器。A storage module, configured to store the image file, the digital signature and the public key corresponding to the private key in a non-volatile memory.
本发明还提供了一种电子设备,包括:The present invention also provides an electronic device, comprising:
存储器,用于存储计算机程序;memory for storing computer programs;
处理器,用于执行所述计算机程序时实现如上述所述的基板管理控制器的启动方法或上述所述的基板管理控制器的启动配置方法的步骤。The processor is configured to implement the steps of the above-mentioned starting method of a baseboard management controller or the above-mentioned starting configuration method of a baseboard management controller when executing the computer program.
此外,本发明还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如上述所述的基板管理控制器的启动方法或上述所述的基板管理控制器的启动配置方法的步骤。In addition, the present invention also provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above-mentioned method for starting a baseboard management controller is implemented or the steps of the above-mentioned startup configuration method of the baseboard management controller.
本发明所提供的一种基板管理控制器的启动方法,包括:基板管理控制器上电启动后,获取非易失性存储器中存储的公钥;根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息;根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确;若是,则加载镜像文件到基板管理控制器的内存中运行;A method for starting a baseboard management controller provided by the present invention includes: after the baseboard management controller is powered on and started, acquiring a public key stored in a non-volatile memory; Decrypt the digital signature of the file to obtain the file encryption information; check whether the image file stored in the non-volatile memory is correct according to the file encryption information; if so, load the image file into the memory of the baseboard management controller to run;
可见,本发明通过根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确,能够检测镜像文件是否被篡改,从而能够在不使用RoT的基础上,基于非易失性存储器的已有特性,实现BMC芯片的安全启动,避免了更新芯片所增加硬件成本。此外,本发明还提供了一种基板管理控制器的启动装置、启动配置方法、装置及电子设备,同样具有上述有益效果。It can be seen that the present invention can detect whether the image file stored in the non-volatile memory is correct and whether the image file has been tampered with according to the file encryption information, so that it can detect whether the image file is tampered with based on the file encryption information. It has the characteristics to realize the safe boot of the BMC chip and avoid the increased hardware cost of updating the chip. In addition, the present invention also provides a startup device, startup configuration method, device and electronic device for a baseboard management controller, which also have the above beneficial effects.
附图说明Description of drawings
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to the provided drawings without creative work.
图1为本发明实施例所提供的一种基板管理控制器的启动方法的流程图;FIG. 1 is a flowchart of a method for starting a baseboard management controller according to an embodiment of the present invention;
图2为本发明实施例所提供的另一种基板管理控制器的启动方法的存储区域划分的示意图;FIG. 2 is a schematic diagram of storage area division of another method for starting a baseboard management controller according to an embodiment of the present invention;
图3为本发明实施例所提供的另一种基板管理控制器的启动方法的流程图;3 is a flowchart of another method for starting a baseboard management controller according to an embodiment of the present invention;
图4为本发明实施例所提供的另一种基板管理控制器的启动方法的数字签名生产流程的示意图;4 is a schematic diagram of a digital signature production process of another startup method of a baseboard management controller provided by an embodiment of the present invention;
图5为本发明实施例所提供的另一种基板管理控制器的启动方法的流程示意图;5 is a schematic flowchart of another method for starting a baseboard management controller according to an embodiment of the present invention;
图6为本发明实施例所提供的一种基板管理控制器的启动配置方法的流程图;FIG. 6 is a flowchart of a startup configuration method of a baseboard management controller according to an embodiment of the present invention;
图7为本发明实施例所提供的一种基板管理控制器的启动装置的结构框图;FIG. 7 is a structural block diagram of a device for starting a baseboard management controller according to an embodiment of the present invention;
图8为本发明实施例所提供的一种基板管理控制器的启动配置装置的结构框图。FIG. 8 is a structural block diagram of an apparatus for starting configuration of a baseboard management controller according to an embodiment of the present invention.
具体实施方式Detailed ways
为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments These are some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
请参考图1,图1为本发明实施例所提供的一种基板管理控制器的启动方法的流程图。该启动方法可以包括:Please refer to FIG. 1 , which is a flowchart of a method for starting a baseboard management controller according to an embodiment of the present invention. The initiating method may include:
步骤101:基板管理控制器上电启动后,获取非易失性存储器中存储的公钥。Step 101: After the baseboard management controller is powered on and started, the public key stored in the non-volatile memory is obtained.
其中,本实施例中的公钥可以为对BMC启动所要运行的BMC软件对应的镜像文件(BMC-IMAGE)的文件加密信息加密后的数字签名进行解密所使用的秘钥,即对文件加密信息进行非对称加密所使用的私钥(KeyPri)对应的公钥(KeyPub)。The public key in this embodiment may be the secret key used for decrypting the encrypted digital signature of the file encryption information of the image file (BMC-IMAGE) corresponding to the BMC software to be run by the BMC startup, that is, the file encryption information The public key (KeyPub) corresponding to the private key (KeyPri) used for asymmetric encryption.
具体的,对于本实施例中非易失性存储器中存储的公钥的具体内容和数量,可以由设计人员根据实用场景和用户需求自行设置,例如公钥可以与文件加密信息进行非对称加密所使用的私钥为一对秘钥对,如RSA加密算法(一种非对称的加解密算法)的一对RSA秘钥对,即非易失性存储器中存储的公钥可以为利用预设非对称加密算法对文件加密信息进行加密时所使用的私钥所对应的公钥;公钥数量也可以为多个,即非易失性存储器中存储的公钥可以文件加密信息进行多次加密所使用的多个私钥各自对应的公钥,如文件加密信息进行二次加密所使用的两个秘钥对应的两个公钥。只要处理器可以利用非易失性存储器中存储的公钥对文件加密信息加密后得到的数字签名进行解密,得到文件加密信息,本实施例对此不做任何限制。Specifically, the specific content and quantity of the public key stored in the non-volatile memory in this embodiment can be set by the designer according to practical scenarios and user requirements. For example, the public key can be asymmetrically encrypted with the file encryption information. The private key used is a pair of secret keys, such as a pair of RSA secret keys of the RSA encryption algorithm (an asymmetric encryption and decryption algorithm), that is, the public key stored in the non-volatile memory can be used for the The public key corresponding to the private key used by the symmetric encryption algorithm to encrypt the file encryption information; the number of public keys can also be multiple, that is, the public key stored in the non-volatile memory can be used to encrypt the file encryption information multiple times. The public keys corresponding to each of the multiple private keys used, such as the two public keys corresponding to the two secret keys used for the secondary encryption of the file encryption information. As long as the processor can use the public key stored in the non-volatile memory to decrypt the digital signature obtained after encrypting the file encryption information to obtain the file encryption information, this embodiment does not impose any limitation on this.
可以理解的是,本实施例所提供的BMC的启动方法可以应用于BMC,如存储设备的BMC芯片,即BMC的处理器(如图2中的BMC-CPU)可以在上电启动后,通过本实施例所提供的启动方法检测镜像文件是否被篡改,从而在镜像文件未被篡改时加载(LOAD)镜像文件到BMC的内存(如图2中的BMC-RAM)中运行,实现BMC的安全启动。It can be understood that the BMC startup method provided in this embodiment can be applied to the BMC. For example, the BMC chip of the storage device, that is, the BMC processor (the BMC-CPU in FIG. 2 ) The startup method provided in this embodiment detects whether the image file has been tampered with, so as to load (LOAD) the image file into the memory of the BMC (the BMC-RAM in Figure 2) when the image file has not been tampered with, so as to realize the security of the BMC. start up.
对应的,本实施例中利用可信度量代码(CRTM代码)检测镜像文件是否被篡改,即BMC的处理器可以在运行可信度量代码的过程中,检测镜像文件是否正确,从而实现BMC的安全启动;其中,可信度量代码可以为BMC运行的第一段代码,用于完成BMC的内存初始化和签名验证等基本功能。也就是说,本实施例所提供的方法本步骤之前还可以包括在BMC上电启动后,加载非易失性存储器中存储的可信度量代码到基板管理控制器的内存中运行;从而能够在可信度量代码的运行过程中,执行步骤101以及后续步骤。Correspondingly, in this embodiment, the trusted measurement code (CRTM code) is used to detect whether the image file has been tampered with, that is, the processor of the BMC can detect whether the image file is correct in the process of running the trusted measurement code, thereby realizing the security of the BMC. Startup; among them, the trusted measurement code can be the first piece of code run by the BMC, which is used to complete basic functions such as memory initialization and signature verification of the BMC. That is to say, before this step of the method provided in this embodiment, after the BMC is powered on and started, loading the trusted measurement code stored in the non-volatile memory into the memory of the baseboard management controller to run; During the running process of the trusted measurement code, step 101 and subsequent steps are performed.
具体的,为了保证非易失性存储器中存储的可信度量代码的安全性,本实施例中可信度量代码可以存储在非易失性存储器中的OTP(One Time Programe,一次编程区域)区域或可编程区域中的只读模式的保护区域;如图2所示,非易失性存储器为闪存(FLASH)时,CRTM代码可以存储在可编程区域(BLOCK区域)中仅为只读状态的保护区域。Specifically, in order to ensure the security of the trusted measurement code stored in the non-volatile memory, the trusted measurement code in this embodiment may be stored in an OTP (One Time Programe, one-time programming area) area in the non-volatile memory or the protection area of read-only mode in the programmable area; as shown in Figure 2, when the non-volatile memory is flash memory (FLASH), the CRTM code can be stored in the programmable area (BLOCK area) only in read-only state protected area.
步骤102:根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息。Step 102: Decrypt the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information.
其中,本步骤中的数字签名可以为利用私钥对镜像文件对应的文件加密信息进行加密得到的结果,本步骤中利用非易失性存储器中存储的该私钥对应的公钥,对该数字签名进行解密,可以得到文件加密信息,从而利用解密得到的文件加密信息,检测非易失性存储器中存储的镜像文件是否被篡改。The digital signature in this step may be a result obtained by encrypting the file encryption information corresponding to the image file by using the private key. In this step, the public key corresponding to the private key stored in the nonvolatile memory is used to encrypt the digital The signature is decrypted to obtain the file encryption information, so as to use the decrypted file encryption information to detect whether the image file stored in the non-volatile memory has been tampered with.
具体的,对于本步骤中处理器根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息的具体方式,可以由设计人员自行设置,如处理器可以根据公钥,利用预设非对称加密算法对非易失性存储器中存储的数字签名进行解密,得到文件加密信息。只要保证处理器可以利用非易失性存储器中存储的公钥对非易失性存储器中存储的数字签名进行解密,本实施例对此不做任何限制。Specifically, in this step, the processor decrypts the digital signature stored in the non-volatile memory according to the public key, and obtains the specific method of file encryption information, which can be set by the designer. For example, the processor can, according to the public key, The digital signature stored in the non-volatile memory is decrypted by using a preset asymmetric encryption algorithm to obtain file encryption information. As long as it is guaranteed that the processor can decrypt the digital signature stored in the non-volatile memory by using the public key stored in the non-volatile memory, this embodiment does not impose any limitation on this.
进一步的,本步骤之前处理器还可以根据非易失性存储器中存储的预设加密信息,检测非易失性存储器中存储的公钥是否正确;在公钥正确,即公钥未被篡改时,进入步骤102;在公钥不正确,即公钥被篡改时,可以直接结束本流程,以停止启动BMC。其中,上述预设加密信息可以为预先设置的公钥进行加密后得到结果,如公钥进行摘要加密后得到的摘要值(即哈希HASH值)。Further, before this step, the processor can also detect whether the public key stored in the non-volatile memory is correct according to the preset encryption information stored in the non-volatile memory; when the public key is correct, that is, when the public key has not been tampered with. , and enter step 102; when the public key is incorrect, that is, when the public key is tampered with, the process can be directly ended to stop starting the BMC. The above preset encryption information may be a result obtained after encrypting a preset public key, such as a digest value (ie, a hash HASH value) obtained after digest encryption is performed on the public key.
对应的,对于上述根据非易失性存储器中存储的预设加密信息,检测非易失性存储器中存储的公钥是否正确的具体方式,可以由设计人员自行设置,如处理器可以利用第二预设摘要算法,计算公钥对应的公钥摘要值;判断公钥摘要值与预设加密信息是否相同;若相同,则确定公钥正确,并进入步骤102;若不相同,则确定公钥不正确,可以结束本流程,停止启动BMC。Correspondingly, for the above-mentioned specific method of detecting whether the public key stored in the non-volatile memory is correct according to the preset encryption information stored in the non-volatile memory, the designer can set it by himself. Preset digest algorithm, calculate the public key digest value corresponding to the public key; determine whether the public key digest value is the same as the preset encryption information; if they are the same, determine that the public key is correct, and go to step 102; if not, determine the public key If it is not correct, you can end this process and stop starting the BMC.
进一步的,为了非易失性存储器中存储的预设加密信息的安全性,本实施例中预设加密信息可以存储在非易失性存储器中的OTP(One Time Programe,一次编程区域)区域;如图2所示,非易失性存储器为FLASH时,预设加密信息(根公钥HASH值)可以存储在FLASH的OTP区域。Further, for the security of the preset encrypted information stored in the non-volatile memory, the preset encrypted information in this embodiment may be stored in an OTP (One Time Programe, one-time programming area) area in the non-volatile memory; As shown in Figure 2, when the non-volatile memory is FLASH, the preset encryption information (root public key HASH value) can be stored in the OTP area of FLASH.
步骤103:根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确;若是,则进入步骤104。Step 103 : according to the file encryption information, check whether the image file stored in the non-volatile memory is correct; if yes, go to step 104 .
可以理解的是,本实施例中处理器可以利用解密得到文件加密信息,检测非易失性存储器中存储的镜像文件是否被篡改,从而在确定镜像文件未被篡改时,进入步骤104加载镜像文件到BMC的内存中运行,开始运行BMC软件,实现BMC的安全启动。It can be understood that, in this embodiment, the processor can use decryption to obtain file encryption information to detect whether the image file stored in the non-volatile memory has been tampered with, so that when it is determined that the image file has not been tampered with, it enters step 104 to load the image file. Run it in the memory of the BMC, start running the BMC software, and realize the safe boot of the BMC.
对应的,对于本步骤中镜像文件不正确的情况,即镜像文件被篡改的情况,可以由设计人员自行设置,如处理器可以在确定镜像文件不正确时,直接结束本流程,不加载镜像文件,停止启动BMC。Correspondingly, if the image file is incorrect in this step, that is, the image file is tampered with, it can be set by the designer. For example, when the processor determines that the image file is incorrect, it can directly end the process without loading the image file. , stop starting the BMC.
对应的,对于本步骤中处理器根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确的具体方式,可以由设计人员根据实用场景和用户需求自行设置,如处理器可以利用文件加密信息对应的加密方式,对镜像文件进行加密,得到加密结果;检测加密结果与文件加密信息是否相同;若相同,则确定镜像文件正确;若不相同,则确定镜像文件不正确。例如,文件加密信息为利用第一预设摘要算法加密镜像文件得到的加密结果(即摘要值)时,本步骤中处理器可以利用第一预设摘要算法,计算镜像文件对应的摘要值;判断摘要值与文件加密信息是否相同;若相同,则可以进入步骤104。Correspondingly, the specific method for the processor to detect whether the image file stored in the non-volatile memory is correct according to the file encryption information in this step can be set by the designer according to practical scenarios and user needs. For example, the processor can use the file. Encrypt the image file corresponding to the encryption method to obtain the encryption result; check whether the encryption result is the same as the file encryption information; if they are the same, the image file is determined to be correct; if not, the image file is determined to be incorrect. For example, when the file encryption information is an encryption result (ie, a digest value) obtained by encrypting the image file using the first preset digest algorithm, the processor in this step may use the first preset digest algorithm to calculate the digest value corresponding to the image file; determine Whether the digest value and the file encryption information are the same; if they are the same, go to step 104 .
步骤104:加载镜像文件到基板管理控制器的内存中运行。Step 104: Load the image file into the memory of the baseboard management controller to run.
具体的,本步骤中处理器可以在确定镜像文件未被篡改时,加载镜像文件到BMC的内存中运行,开始运行BMC软件,完成BMC的安全启动。Specifically, in this step, when determining that the image file has not been tampered with, the processor may load the image file into the memory of the BMC for operation, start to run the BMC software, and complete the secure boot of the BMC.
本实施例中,本发明实施例通过根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确,能够检测镜像文件是否被篡改,从而能够在不使用RoT的基础上,基于非易失性存储器的已有特性,实现BMC芯片的安全启动,避免了更新芯片所增加硬件成本。In this embodiment, the embodiment of the present invention can detect whether the image file stored in the non-volatile memory is correct according to the file encryption information, and can detect whether the image file has been tampered with. The existing characteristics of the volatile memory are used to realize the safe boot of the BMC chip and avoid the increased hardware cost of updating the chip.
请参考图3,图3为本发明实施例所提供的另一种基板管理控制器的启动方法的流程图,该方法可以包括:Please refer to FIG. 3. FIG. 3 is a flowchart of another method for starting a baseboard management controller according to an embodiment of the present invention. The method may include:
步骤201:基板管理控制器上电启动后,加载非易失性存储器中存储的可信度量代码到基板管理控制器的内存中运行。Step 201: After the baseboard management controller is powered on and started, the trusted measurement code stored in the non-volatile memory is loaded into the memory of the baseboard management controller to run.
可以理解的是,本步骤中BMC的处理器可以在上电启动后,加载可信度量代码(CRTM代码)到BMC的内存(如图5中的BMC-RAM)中运行,从而利用运行的CRTM代码完成检测镜像文件是否被篡改,完成BMC的安全启动。It can be understood that in this step, the processor of the BMC can load the trusted measurement code (CRTM code) into the memory of the BMC (the BMC-RAM in Figure 5) to run after power-on, so as to use the running CRTM. The code completes the detection of whether the image file has been tampered with, and completes the secure boot of the BMC.
具体的,本实施例中可信度量代码可以存储在非易失性存储器中的保护区域,即仅为只读模式的可编程区域,以避免存储后的可信度量代码被恶意篡改;如图2所示,非易失性存储器为闪存(FLASH)时,CRTM代码(可信度量代码)可以存储在可编程区域(BLOCK区域)中仅为只读状态的保护区域。对应的,本步骤中BMC的处理器可以在上电启动后,从非易失性存储器的保护区域加载可信度量代码到基板管理控制器的内存中运行;其中,保护区域为只读模式的可编程区域。Specifically, in this embodiment, the trusted measurement code can be stored in a protected area in the non-volatile memory, that is, a programmable area in read-only mode, so as to avoid malicious tampering of the stored trusted measurement code; as shown in the figure 2, when the non-volatile memory is flash memory (FLASH), the CRTM code (credible measurement code) can be stored in the programmable area (BLOCK area) in a read-only protected area. Correspondingly, in this step, the processor of the BMC can load the trusted metric code from the protection area of the non-volatile memory to the memory of the baseboard management controller after being powered on and run; wherein, the protection area is in read-only mode. Programmable area.
步骤202:在可信度量代码的运行过程中,获取非易失性存储器中存储的公钥。Step 202: During the running process of the trusted measurement code, obtain the public key stored in the non-volatile memory.
其中,本步骤中的公钥可以存储在非易失性存储器的非保护区域,即保护区域之外的可编程区域,也就是正常的存储区域。如图2所示,公钥可以与数字签名和镜像文件(BMC IMAGE)共同存储在非易失性存储器(FLASH)的非保护区域。The public key in this step may be stored in a non-protected area of the non-volatile memory, that is, a programmable area outside the protected area, that is, a normal storage area. As shown in Figure 2, the public key can be stored in a non-protected area of the non-volatile memory (FLASH) together with the digital signature and image file (BMC IMAGE).
步骤203:根据非易失性存储器中存储的预设加密信息,判断公钥是否正确;若是,则进入步骤204。Step 203 : according to the preset encryption information stored in the non-volatile memory, determine whether the public key is correct; if yes, go to step 204 .
其中,预设加密信息可以存储在非易失性存储器中的一次编程区域(如图2中的OTP区域),如预设加密信息可以在生产阶段写入到非易失性存储器的一次编程区域。Among them, the preset encrypted information can be stored in the one-time programming area in the non-volatile memory (the OTP area in Figure 2), for example, the preset encrypted information can be written into the one-time programming area of the non-volatile memory during the production stage .
可以理解的是,本步骤中的预设加密信息可以为预先设置的公钥加密后的加密结果,如公钥(如图5中的根公钥)通过摘要算法进行加密后得到摘要值(如图5中的RSA公钥的HASH值)。It can be understood that the preset encryption information in this step can be the encryption result encrypted by the preset public key, for example, the public key (the root public key in Figure 5) is encrypted by the digest algorithm to obtain the digest value (such as HASH value of the RSA public key in Figure 5).
具体的,对于本步骤中处理器根据非易失性存储器中存储的预设加密信息,判断公钥是否正确的具体方式,可以由设计人员根据实用场景和用户需求自行设置,如预设加密信息为公钥通过第二预设摘要算法加密后得到摘要值时,本步骤中处理器可以利用第二预设摘要算法,计算公钥对应的公钥摘要值;判断公钥摘要值与预设加密信息是否相同;若相同,则确定公钥正确,可以进入步骤204,继续进行接下来的镜像文件验证过程;若不相同,则确定公钥不正确,可以直接结束本流程,不再启动运行BMC。本实施例对此不做任何限制。Specifically, in this step, the processor determines whether the public key is correct according to the preset encryption information stored in the non-volatile memory. The specific method can be set by the designer according to practical scenarios and user needs, such as preset encryption information. When the public key is encrypted by the second preset digest algorithm to obtain the digest value, in this step, the processor can use the second preset digest algorithm to calculate the public key digest value corresponding to the public key; determine the public key digest value and the preset encryption value. Whether the information is the same; if it is the same, it is determined that the public key is correct, and you can go to step 204 to continue the next image file verification process; if not, it is determined that the public key is incorrect, you can directly end the process, and no longer start the BMC. . This embodiment does not impose any limitation on this.
步骤204:根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息。Step 204: Decrypt the digital signature stored in the non-volatile memory according to the public key to obtain file encryption information.
其中,本步骤中的文件加密信息可以为镜像文件加密后得到加密结果,如图4中镜像文件(BMC-IMAGE)通过摘要算法进行加密后得到摘要,从而利用公钥对应的私钥(RSA私钥)对该摘要进行加密后,可以得到需要存储到非易失性存储器中数字签名,使得BMC的处理器可以利用公钥对数字签名进行解密,得到该摘要。Wherein, the file encryption information in this step can be obtained by encrypting the image file to obtain the encryption result. As shown in Figure 4, the image file (BMC-IMAGE) is encrypted by the digest algorithm to obtain the digest, so that the private key (RSA private key) corresponding to the public key is used to obtain the digest. After encrypting the digest, the digital signature that needs to be stored in the non-volatile memory can be obtained, so that the processor of the BMC can use the public key to decrypt the digital signature to obtain the digest.
具体的,对于本步骤中处理器根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息的具体方式,可以由设计人员自行设置,如可以采用现有技术中非对称加解密算法的公钥解密方法相同或相似的方式实现,本实施例对此不做任何限制。Specifically, in this step, the processor decrypts the digital signature stored in the non-volatile memory according to the public key to obtain the file encryption information, which can be set by the designer. The public key decryption method of the symmetric encryption/decryption algorithm is implemented in the same or similar manner, which is not limited in this embodiment.
步骤205:根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确;若是,则进入步骤206。Step 205: According to the file encryption information, check whether the image file stored in the non-volatile memory is correct; if yes, go to step 206.
具体的,对于本步骤中处理器根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确的具体方式,可以由设计人员根据实用场景和用户需求自行设置,如文件加密信息为镜像文件通过第一预设摘要算法加密后得到摘要值(如图5中的BMC-IMAGE摘要值A)时,本步骤中处理器可以利用第一预设摘要算法,计算镜像文件对应的摘要值(如图5中的摘要值A’);判断摘要值与文件加密信息是否相同;若相同,则确定镜像文件正确,并进入步骤206,继续进行BMC的启动;若不相同,则确定镜像文件不正确,可以结束本流程,不再启动运行BMC,本实施例对此不做任何限制。Specifically, in this step, the processor detects whether the image file stored in the non-volatile memory is correct according to the file encryption information, which can be set by the designer according to practical scenarios and user needs. For example, the file encryption information is an image file. When the file is encrypted by the first preset digest algorithm to obtain a digest value (the BMC-IMAGE digest value A in FIG. 5 ), in this step, the processor can use the first preset digest algorithm to calculate the digest value corresponding to the image file ( Digest value A' in Figure 5); determine whether the digest value is the same as the file encryption information; if the same, then determine that the mirror file is correct, and enter
可以理解的是,对于上述第一预设摘要算法和第二预设摘要算法的具体摘要算法(SHA算法,又称HASH算法)选择,可以由设计人员根据实用场景和用户需求自行设置,如第一预设摘要算法和第二预设摘要算法可以为相同的摘要算法,如MD5(消息摘要算法第五版)、SM3(国密算法)、SHA-1(一种安全哈希算法)、SHA-224(一种安全哈希算法)、SHA-256(一种安全哈希算法)、SHA-384(一种安全哈希算法)和SHA-512(一种安全哈希算法)等摘要算法;第一预设摘要算法和第二预设摘要算法也可以采用不同的摘要算法,例如,第一预设摘要算法可以为MD5算法,第二预设摘要算法可以为SM3算法。本实施例对此不做任何限制。It can be understood that the selection of the specific digest algorithm (SHA algorithm, also known as HASH algorithm) of the first preset digest algorithm and the second preset digest algorithm can be set by the designer according to practical scenarios and user needs. The first preset digest algorithm and the second preset digest algorithm can be the same digest algorithm, such as MD5 (Message Digest Algorithm Fifth Edition), SM3 (National Secret Algorithm), SHA-1 (a secure hash algorithm), SHA - Digest algorithms such as 224 (a secure hash algorithm), SHA-256 (a secure hash algorithm), SHA-384 (a secure hash algorithm) and SHA-512 (a secure hash algorithm); The first preset digest algorithm and the second preset digest algorithm may also use different digest algorithms. For example, the first preset digest algorithm may be the MD5 algorithm, and the second preset digest algorithm may be the SM3 algorithm. This embodiment does not impose any limitation on this.
步骤206:加载镜像文件到基板管理控制器的内存中运行。Step 206: Load the image file into the memory of the baseboard management controller to run.
具体的,本步骤中处理器可以在确定镜像文件未被篡改时,加载镜像文件到BMC的内存中运行,开始运行BMC软件,完成BMC的安全启动。Specifically, in this step, when determining that the image file has not been tampered with, the processor may load the image file into the memory of the BMC for operation, start to run the BMC software, and complete the secure boot of the BMC.
本实施例中,本发明实施例根据非易失性存储器中存储的预设加密信息,判断公钥是否正确,能够对非易失性存储器中存储的公钥进行验证,检测公钥是否被篡改,进一步保证BMC芯片启动的安全性。In this embodiment, the embodiment of the present invention determines whether the public key is correct according to the preset encryption information stored in the non-volatile memory, can verify the public key stored in the non-volatile memory, and detect whether the public key has been tampered with , to further ensure the security of BMC chip startup.
基于上述实施例所提供的基板管理控制器的启动方法,本实施例提供了一种基板管理控制器的启动配置方法,以配置BMC启动时所使用的非易失性存储器,保证BMC的安全启动。Based on the startup method of the baseboard management controller provided by the above embodiment, the present embodiment provides a startup configuration method of the baseboard management controller, so as to configure the non-volatile memory used when the BMC starts, so as to ensure the safe startup of the BMC .
请参考图6,图6为本发明实施例所提供的一种基板管理控制器的启动配置方法的流程图。该启动配置方法可以包括:Please refer to FIG. 6 . FIG. 6 is a flowchart of a startup configuration method of a baseboard management controller according to an embodiment of the present invention. The startup configuration method may include:
步骤301:对基板管理控制器的镜像文件进行加密,获取文件加密信息。Step 301: Encrypt the image file of the baseboard management controller to obtain file encryption information.
可以理解的是,本实施例所提供的BMC的启动配置方法可以应用于计算机设备,如非易失性存储器的生产设备,即计算机设备的处理器可以通过配置BMC启动时所使用的非易失性存储器(如FLASH),实现对BMC安全启动的配置,保证BMC能够安全启动。It can be understood that the BMC startup configuration method provided in this embodiment can be applied to computer equipment, such as a non-volatile memory production equipment, that is, the processor of the computer equipment can configure the non-volatile memory used when the BMC starts. A non-volatile memory (such as FLASH) is used to implement the configuration of the BMC safe boot and ensure that the BMC can boot safely.
具体的,本实施例并不限定处理器对基板管理控制器的镜像文件进行加密,获取文件加密信息的具体方式,如图4所示,处理器可以利用摘要算法(如上述第一预设摘要算法)对BMC的镜像文件(BMC-IMAGE)进行加密,得到文件加密信息(即摘要值)。Specifically, this embodiment does not limit the processor to encrypt the image file of the baseboard management controller to obtain the file encryption information. Algorithm) to encrypt the BMC image file (BMC-IMAGE) to obtain file encryption information (ie digest value).
步骤302:利用预设非对称加密算法的私钥,对文件加密信息进行加密,生成数字签名。Step 302: Encrypt the file encryption information by using the private key of the preset asymmetric encryption algorithm to generate a digital signature.
具体的,本步骤中处理器可以利用预设非对称加密算法的私钥,对文件加密信息进行非对称加密,得到镜像文件的签名文件(即数字签名)。对于本实施例中预设非对称加密算法的私钥的具体内容和数量,可以由设计人员根据实用场景和用户需求自行设置,如私钥可以对文件加密信息进行非对称加密所使用的秘钥;私钥的数量可以为1个,如RSA加密算法的一对RSA秘钥对中的私钥,即该RSA秘钥对中的公钥可以存储在非易失性存储器中,用于对非易失性存储器中存储的数字签名进行解密,得到文件加密信息;私钥的数量也可以为多个,如RSA加密算法的多对RSA秘钥对中的私钥,即处理器可以利用多个私钥对文件加密信息进行多次加密,得到数字签名。只要处理器可以预设非对称加密算法的私钥,对文件加密信息进行加密,生成相应的公钥能够解密的数字签名,本实施例对此不做任何限制。Specifically, in this step, the processor may use the private key of the preset asymmetric encryption algorithm to perform asymmetric encryption on the file encryption information to obtain a signature file (ie, a digital signature) of the image file. The specific content and quantity of the private key of the preset asymmetric encryption algorithm in this embodiment can be set by the designer according to practical scenarios and user requirements. For example, the private key can be used for asymmetric encryption of file encryption information. ; The number of private keys can be 1, such as the private key in a pair of RSA key pairs of the RSA encryption algorithm, that is, the public key in the RSA key pair can be stored in non-volatile memory for non-volatile The digital signature stored in the volatile memory is decrypted to obtain the file encryption information; the number of private keys can also be multiple, such as the private keys in the multiple pairs of RSA key pairs of the RSA encryption algorithm, that is, the processor can use multiple The private key encrypts the file encryption information multiple times to obtain a digital signature. As long as the processor can preset the private key of the asymmetric encryption algorithm, encrypt the file encryption information, and generate a digital signature that can be decrypted by the corresponding public key, this embodiment does not impose any limitation.
例如,处理器可以采用一种RSA算法生成一对或多对RSA秘钥对(即公钥和私钥),利用RSA秘钥对中的私钥对文件加密信息进行非对称加密,生成镜像文件的数字签名。For example, the processor can use an RSA algorithm to generate one or more pairs of RSA keys (that is, public and private keys), and use the private key in the RSA key pair to asymmetrically encrypt the file encryption information to generate an image file. digital signature.
具体的,对于本实施例中预设非对称加密算法的私钥的具体内容和数量,可以由设计人员根据实用场景和用户需求自行设置,例如公钥可以与文件加密信息进行非对称加密所使用的私钥为一对秘钥对,如RSA加密算法(一种非对称的加解密算法)的一对RSA秘钥对,即非易失性存储器中存储的公钥可以为利用预设非对称加密算法对文件加密信息进行加密时所使用的私钥所对应的公钥;公钥数量也可以为多个,即非易失性存储器中存储的公钥可以文件加密信息进行多次加密所使用的多个私钥各自对应的公钥,如文件加密信息进行二次加密所使用的两个私钥对应的两个公钥。只要处理器可以利用非易失性存储器中存储的公钥对文件加密信息加密后得到的数字签名进行解密,得到文件加密信息,本实施例对此不做任何限制Specifically, the specific content and quantity of the private key of the preset asymmetric encryption algorithm in this embodiment can be set by the designer according to practical scenarios and user requirements. For example, the public key can be used for asymmetric encryption of file encryption information. The private key is a pair of secret keys, such as a pair of RSA keys of the RSA encryption algorithm (an asymmetric encryption and decryption algorithm), that is, the public key stored in the non-volatile memory can be asymmetric using a preset The public key corresponding to the private key used by the encryption algorithm to encrypt the file encryption information; the number of public keys can also be multiple, that is, the public key stored in the non-volatile memory can be used for multiple encryption of the file encryption information. The public keys corresponding to each of the multiple private keys, such as the two public keys corresponding to the two private keys used for the secondary encryption of the file encryption information. As long as the processor can use the public key stored in the non-volatile memory to decrypt the digital signature obtained by encrypting the file encryption information to obtain the file encryption information, this embodiment does not impose any restrictions on this.
需要说明的是,本实施例并不限定处理器利用预设非对称加密算法的私钥,对文件加密信息进行加密,生成数字签名的具体方式,如图4所示,处理器可以利用RSA私钥对BMC的镜像文件加密信息进行加密,生成数字签名。It should be noted that this embodiment does not limit the specific manner in which the processor uses the private key of the preset asymmetric encryption algorithm to encrypt the file encryption information and generate a digital signature. As shown in FIG. 4 , the processor can use the RSA private key. The key encrypts the encrypted information of the image file of the BMC to generate a digital signature.
步骤303:将镜像文件、数字签名和私钥对应的公钥存储到非易失性存储器。Step 303: Store the image file, the digital signature and the public key corresponding to the private key in a non-volatile memory.
可以理解的是,本步骤中可以将镜像文件、数字签名和公钥(如上述RSA秘钥对中的公钥)一起发布,并写入到非易失性存储器正常的存储区域(如图2中的非保护区域)。It can be understood that in this step, the image file, digital signature and public key (such as the public key in the above-mentioned RSA key pair) can be released together, and written to the normal storage area of the non-volatile memory (as shown in Figure 2). non-protected area in ).
进一步的,本实施例中处理器还可以对公钥进行加密,得到预设加密信息;将预设加密信息写入到非易失性存储器中的一次编程区域,以实现BMC启动时的公钥验证过程;如处理器可以利用摘要算法对公钥进行加密,得到预设加密信息(即摘要值)并写入到非易失性存储器中的一次编程区域。例如,处理器可以利用第二预设摘要算法对公钥进行加密,得到预设加密信息(即摘要值)并写入到非易失性存储器中的一次编程区域;对应的,处理器还可以根据第二预设摘要算法生成的序列的长度(即生成序列长度),从多个可选非易失性存储器中选择确定写入预设加密信息的非易失性存储器,如非易失性存储器可以为OTP区域大于或等于该生成序列长度且OTP区域最小的可选非易失性存储器。Further, in this embodiment, the processor can also encrypt the public key to obtain preset encryption information; the preset encryption information is written into the one-time programming area in the non-volatile memory, so as to realize the public key when the BMC is started. Verification process; for example, the processor can use the digest algorithm to encrypt the public key, obtain preset encrypted information (ie digest value), and write it into the one-time programming area in the non-volatile memory. For example, the processor can use the second preset digest algorithm to encrypt the public key, obtain preset encrypted information (ie digest value), and write it into a one-time programming area in the non-volatile memory; correspondingly, the processor can also According to the length of the sequence generated by the second preset digest algorithm (that is, the length of the generated sequence), select and determine the non-volatile memory for writing the preset encrypted information from a plurality of optional non-volatile memories, such as non-volatile memory The memory may be an optional non-volatile memory with an OTP area greater than or equal to the length of the generated sequence and with a minimum OTP area.
对应的,本实施例中处理器还可以将可信度量代码写入到非易失性存储器中的一次编程区域或可编程区域中的只读模式的保护区域,以利用可信度量代码验证镜像文件,保证BMC的安全启动。如图2所示,处理器可以将可信度量代码写入到FLASH的BLOCK区域(即可编程区域)并将存储可信度量代码的区域(即保护区域)设置为只读模式;相应的,该FLASH可以不包含丝印,如处理器可以输出提示信息,以提示工作人员去除FLASH的丝印,从而避免利用丝印上的信息修改保护区域中可信度量代码的情况,保证BMC的安全启动;也就是说,本实施例中的非易失性存储器可以不包含丝印。Correspondingly, in this embodiment, the processor can also write the trusted metric code into a one-time programming area in the non-volatile memory or a read-only protected area in the programmable area, so as to use the trusted metric code to verify the image. file to ensure the safe boot of BMC. As shown in Figure 2, the processor can write the trusted metric code into the BLOCK area of FLASH (that is, the programmable area) and set the area where the trusted metric code is stored (that is, the protected area) in read-only mode; accordingly, The FLASH may not contain silkscreen, for example, the processor can output prompt information to prompt the staff to remove the silkscreen of the FLASH, so as to avoid using the information on the silkscreen to modify the trusted measurement code in the protection area and ensure the safe startup of the BMC; that is, That said, the non-volatile memory in this embodiment may not contain silkscreen.
进一步的,本实施例所提供的基板管理控制器的启动配置方法,还可以包括非易失性存储器的选择过程,例如,非易失性存储器中的一次编程区域用于存储预设加密信息时,本实施例中基板管理控制器的启动配置设备(如非易失性存储器的生产设备)的处理器可以根据预设加密信息的大小,生成并输出存储器推荐信息;其中,存储器推荐信息包括一次编程区域的容量大于或等于预设加密信息的大小的非易失性存储器信息;也就是说,启动配置设备可以通过输出存储器推荐信息,可以向工作人员展示合适OTP区域大小的非易失性存储器,从而方便工作人员能够选择相应的非易失性存储器,使处理器能够利用工作人员选择的非易失性存储器进行预设加密信息、可信度量代码、镜像文件、数字签名和公钥的存储;相应的,处理器可以根据接收的存储器选择指令,在存储器选择指令对应的非易失性存储器中存储预设加密信息、可信度量代码、镜像文件、数字签名和公钥。Further, the startup configuration method of the baseboard management controller provided in this embodiment may further include a selection process of the non-volatile memory, for example, when the one-time programming area in the non-volatile memory is used to store preset encrypted information. In this embodiment, the processor of the startup configuration device of the baseboard management controller (such as a non-volatile memory production device) can generate and output memory recommendation information according to the size of the preset encrypted information; wherein, the memory recommendation information includes a once Non-volatile memory information whose capacity of the programming area is greater than or equal to the size of the preset encrypted information; that is, the startup configuration device can display the non-volatile memory of the appropriate OTP area size to the staff by outputting memory recommendation information. , so that the staff can choose the corresponding non-volatile memory, so that the processor can use the non-volatile memory selected by the staff to store preset encryption information, trusted measurement code, image file, digital signature and public key Correspondingly, according to the received memory selection instruction, the processor may store preset encryption information, trust measurement code, image file, digital signature and public key in the non-volatile memory corresponding to the memory selection instruction.
对应的,启动配置设备的处理器也可以根据预设加密信息的大小,确定非易失性存储器;其中,非易失性存储器的一次编程区域的容量大于或等于预设加密信息的大小。例如,处理器可以根据预设加密信息的大小,从预设非易失性存储器中确定非易失性存储器,该非易失性存储器可以为目标预设非易失性存储器中一次编程区域的容量最小的预设非易失性存储,目标预设非易失性存储器可以为一次编程区域的容量大于或等于预设加密信息的大小的预设非易失性存储器。Correspondingly, the processor of the startup configuration device may also determine the non-volatile memory according to the size of the preset encrypted information; wherein the capacity of the one-time programming area of the non-volatile memory is greater than or equal to the size of the preset encrypted information. For example, the processor may determine the non-volatile memory from the preset non-volatile memory according to the size of the preset encryption information, and the non-volatile memory may be the size of the one-time programming area in the target preset non-volatile memory. The preset non-volatile memory with the smallest capacity, and the target preset non-volatile memory may be the preset non-volatile memory whose capacity of the one-time programming area is greater than or equal to the size of the preset encrypted information.
具体的,上述预设加密信息的大小可以为公钥加密后得到的预设加密信息的实际大小;上述预设加密信息的大小也可以为公钥加密所使用的加密算法(如第二预设摘要算法)生成的序列的长度(即生成序列长度),例如,处理器利用第二预设摘要算法,对公钥进行加密,得到预设加密信息的情况下,处理器可以根据第二预设摘要算法的生成序列长度,生成并输出存储器推荐信息;其中,存储器推荐信息包括一次编程区域的容量大于或等于生成序列长度的非易失性存储器信息。Specifically, the size of the above-mentioned preset encryption information may be the actual size of the preset encryption information obtained after public key encryption; the size of the above-mentioned preset encryption information may also be the encryption algorithm used for public key encryption (such as the second preset encryption algorithm). The length of the sequence generated by the digest algorithm) (that is, the length of the generated sequence). For example, when the processor encrypts the public key by using the second preset digest algorithm to obtain the preset encryption information, the processor can use the second preset digest algorithm to encrypt the public key. The generated sequence length of the digest algorithm generates and outputs memory recommendation information; wherein, the memory recommendation information includes non-volatile memory information whose capacity of the one-time programming area is greater than or equal to the generated sequence length.
本实施例中,本发明实施例通过将镜像文件、数字签名和私钥对应的公钥存储到非易失性存储器,能够配置BMC启动时所使用的非易失性存储器,保证BMC的安全启动。In this embodiment, by storing the image file, the digital signature and the public key corresponding to the private key in the non-volatile memory, the non-volatile memory used when the BMC is started can be configured to ensure the safe start of the BMC. .
相应于上面的启动方法实施例,本发明实施例还提供了一种基板管理控制器的启动装置,下文描述的一种基板管理控制器的启动装置与上文描述的一种基板管理控制器的启动方法可相互对应参照。Corresponding to the above embodiments of the starting method, the embodiments of the present invention further provide a starting device for a baseboard management controller, the starting device for a baseboard management controller described below is the same as the The activation methods can refer to each other.
请参考图7,图7为本发明实施例所提供的一种基板管理控制器的启动装置的结构框图。该启动装置可以包括:Please refer to FIG. 7 , which is a structural block diagram of an apparatus for starting a baseboard management controller according to an embodiment of the present invention. The activation means may include:
公钥获取模块10,用于在基板管理控制器上电启动后,获取非易失性存储器中存储的公钥;The public
公钥解密模块20,用于根据公钥,对非易失性存储器中存储的数字签名进行解密,得到文件加密信息;The public
镜像检测模块30,用于根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确;The
启动运行模块40,用于若镜像文件正确,则加载镜像文件到基板管理控制器的内存中运行。The startup and
可选的,镜像检测模块30可以包括:Optionally, the
第一计算子模块,用于利用第一预设摘要算法,计算镜像文件对应的摘要值;a first calculation submodule, configured to calculate the digest value corresponding to the image file by using the first preset digest algorithm;
第一判断子模块,用于判断摘要值与文件加密信息是否相同;若相同,则向启动运行模块40发送启动信号。The first judging sub-module is used to judge whether the digest value is the same as the file encryption information;
可选的,该启动装置还可以包括:Optionally, the starting device may further include:
加载模块,用于加载非易失性存储器中存储的可信度量代码到基板管理控制器的内存中运行;在可信度量代码的运行过程中,向公钥获取模块10发送启动信号。The loading module is used to load the trusted measurement code stored in the non-volatile memory into the memory of the baseboard management controller to run; during the running process of the trusted measurement code, send a start signal to the public
可选的,加载模块可以具体用于从非易失性存储器的保护区域加载可信度量代码到基板管理控制器的内存中运行;其中,保护区域为只读模式的可编程区域。Optionally, the loading module may be specifically configured to load the trusted metric code from the protection area of the non-volatile memory to the memory of the baseboard management controller to run; wherein, the protection area is a programmable area in read-only mode.
可选的,该启动装置还可以包括:Optionally, the starting device may further include:
公钥验证模块,用于根据非易失性存储器中存储的预设加密信息,判断公钥是否正确;其中,预设加密信息存储在非易失性存储器中的一次编程区域;若公钥正确,则向公钥解密模块20发送启动信号。The public key verification module is used for judging whether the public key is correct according to the preset encryption information stored in the non-volatile memory; wherein, the preset encryption information is stored in the one-time programming area in the non-volatile memory; if the public key is correct , the start signal is sent to the public
可选的,公钥验证模块可以包括:Optionally, the public key authentication module may include:
第二计算子模块,用于利用第二预设摘要算法,计算公钥对应的公钥摘要值;The second calculation submodule is configured to calculate the public key digest value corresponding to the public key by using the second preset digest algorithm;
第二判断子模块,用于判断公钥摘要值与预设加密信息是否相同;若相同,则确定公钥正确,并向公钥解密模块20发送启动信号。The second judgment sub-module is used for judging whether the public key digest value is the same as the preset encryption information;
本实施例中,本发明实施例通过镜像检测模块30根据文件加密信息,检测非易失性存储器中存储的镜像文件是否正确,能够检测镜像文件是否被篡改,从而能够在不使用RoT的基础上,基于非易失性存储器的已有特性,实现BMC芯片的安全启动,避免了更新芯片所增加硬件成本。In this embodiment, the embodiment of the present invention uses the
相应于上面的启动配置方法实施例,本发明实施例还提供了一种基板管理控制器的启动配置装置,下文描述的一种基板管理控制器的启动配置装置与上文描述的一种基板管理控制器的启动配置方法可相互对应参照。Corresponding to the above embodiments of the startup configuration method, the embodiments of the present invention further provide a startup configuration device for a baseboard management controller, a startup configuration device for a baseboard management controller described below and a baseboard management controller described above. The startup configuration methods of the controllers can refer to each other correspondingly.
请参考图8,图8为本发明实施例所提供的一种基板管理控制器的启动配置装置的结构框图。该启动配置装置可以包括:Please refer to FIG. 8 . FIG. 8 is a structural block diagram of an apparatus for starting configuration of a baseboard management controller according to an embodiment of the present invention. The boot configuration means may include:
文件加密模块50,用于对基板管理控制器的镜像文件进行加密,获取文件加密信息;The
私钥加密模块60,用于利用预设非对称加密算法的私钥,对文件加密信息进行加密,生成数字签名;The private
存储模块70,用于将镜像文件、数字签名和私钥对应的公钥存储到非易失性存储器。The
可选的,该启动配置装置还可以包括:Optionally, the startup configuration device may further include:
代码存储模块,用于将可信度量代码存储到非易失性存储器的保护区域;其中,保护区域为只读模式的可编程区域,可信度量代码用于验证镜像文件。The code storage module is used for storing the trusted measurement code in the protection area of the non-volatile memory; wherein, the protection area is a programmable area in read-only mode, and the trusted measurement code is used to verify the image file.
可选的,该启动配置装置还可以包括:Optionally, the startup configuration device may further include:
公钥加密模块,用于对公钥进行加密,得到预设加密信息;The public key encryption module is used to encrypt the public key to obtain preset encrypted information;
加密存储模块,用于将预设加密信息写入到非易失性存储器中的一次编程区域。The encryption storage module is used for writing preset encrypted information into a one-time programming area in the non-volatile memory.
可选的,该启动配置装置还可以包括:Optionally, the startup configuration device may further include:
推荐生成模块,用于根据预设加密信息的大小,生成并输出存储器推荐信息;其中,存储器推荐信息包括一次编程区域的容量大于或等于预设加密信息的大小的非易失性存储器信息。The recommendation generating module is configured to generate and output memory recommendation information according to the size of the preset encrypted information; wherein, the memory recommendation information includes non-volatile memory information whose capacity of the one-time programming area is greater than or equal to the size of the preset encrypted information.
可选的,公钥加密模块可以具体用于利用第二预设摘要算法,对公钥进行加密,得到预设加密信息。Optionally, the public key encryption module may be specifically configured to use the second preset digest algorithm to encrypt the public key to obtain preset encryption information.
本实施例中,本发明实施例通过存储模块60将镜像文件、数字签名和私钥对应的公钥存储到非易失性存储器,能够配置BMC启动时所使用的非易失性存储器,保证BMC的安全启动。In this embodiment, the embodiment of the present invention stores the image file, the digital signature and the public key corresponding to the private key in the non-volatile memory through the
相应于上面的方法实施例,本发明实施例还提供了一种电子设备,下文描述的一种电子设备与上文描述的一种基板管理控制器的启动方法和基板管理控制器的启动配置方法可相互对应参照。Corresponding to the above method embodiments, the embodiments of the present invention further provide an electronic device, an electronic device described below, a startup method of a baseboard management controller and a startup configuration method of a baseboard management controller described above can refer to each other.
一种电子设备,包括:An electronic device comprising:
存储器,用于存储计算机程序;memory for storing computer programs;
处理器,用于执行计算机程序时实现上述实施例所提供的基板管理控制器的启动方法或基板管理控制器的启动配置方法的步骤。The processor is configured to implement the steps of the baseboard management controller startup method or the baseboard management controller startup configuration method provided by the above embodiments when executing the computer program.
具体的,本实施例所提供的电子设备可以为具体为BMC芯片,如存储设备的BMC芯片;本实施例所提供的电子设备也可以为计算机设备,如非易失性存储器的生产设备。Specifically, the electronic device provided by this embodiment may be a BMC chip, such as a BMC chip of a storage device; the electronic device provided by this embodiment may also be a computer device, such as a nonvolatile memory production device.
相应于上面的方法实施例,本发明实施例还提供了一种计算机可读存储介质,下文描述的一种计算机可读存储介质与上文描述的一种基板管理控制器的启动方法和基板管理控制器的启动配置方法可相互对应参照。Corresponding to the above method embodiments, embodiments of the present invention further provide a computer-readable storage medium, a computer-readable storage medium described below, a method for starting a baseboard management controller and a baseboard management described above. The startup configuration methods of the controllers can refer to each other correspondingly.
一种计算机可读存储介质,计算机可读存储介质上存储有计算机程序,计算机程序被处理器执行时实现上述实施例所提供的基板管理控制器的启动方法或基板管理控制器的启动配置方法的步骤。A computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the method for starting a baseboard management controller or the method for starting configuration of a baseboard management controller provided by the foregoing embodiments is implemented. step.
该计算机可读存储介质具体可以为U盘、移动硬盘、只读存储器(Read-OnlyMemory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可存储程序代码的计算机可读存储介质。The computer-readable storage medium may specifically be a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, etc., which can store various program codes. computer readable storage medium.
说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置、电子设备及计算机可读存储介质而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。The various embodiments in the specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments can be referred to each other. For the apparatuses, electronic devices, and computer-readable storage media disclosed in the embodiments, since they correspond to the methods disclosed in the embodiments, the descriptions are relatively simple, and for related parts, please refer to the descriptions of the methods.
以上对本发明所提供的一种基板管理控制器的启动方法、启动装置、启动配置方法、启动配置装置、电子设备及计算机可读存储介质进行了详细介绍。本文中应用了具体个例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的方法及其核心思想。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理的前提下,还可以对本发明进行若干改进和修饰,这些改进和修饰也落入本发明权利要求的保护范围内。The startup method, startup device, startup configuration method, startup configuration device, electronic device, and computer-readable storage medium of a baseboard management controller provided by the present invention have been described above in detail. The principles and implementations of the present invention are described herein by using specific examples, and the descriptions of the above embodiments are only used to help understand the method and the core idea of the present invention. It should be pointed out that for those skilled in the art, without departing from the principle of the present invention, several improvements and modifications can also be made to the present invention, and these improvements and modifications also fall within the protection scope of the claims of the present invention.
Claims (15)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210919497.1A CN114995918A (en) | 2022-08-02 | 2022-08-02 | Starting method and configuration method and device of baseboard management controller and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210919497.1A CN114995918A (en) | 2022-08-02 | 2022-08-02 | Starting method and configuration method and device of baseboard management controller and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114995918A true CN114995918A (en) | 2022-09-02 |
Family
ID=83021633
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210919497.1A Pending CN114995918A (en) | 2022-08-02 | 2022-08-02 | Starting method and configuration method and device of baseboard management controller and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114995918A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117170694A (en) * | 2023-09-15 | 2023-12-05 | 合芯科技(苏州)有限公司 | A BMC data burning configuration method, device, equipment and media |
| CN119690530A (en) * | 2025-02-25 | 2025-03-25 | 浪潮计算机科技有限公司 | Baseboard management controller startup method, device, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112651030A (en) * | 2021-01-14 | 2021-04-13 | 北京工业大学 | Trusted starting method for BMC firmware system security |
| CN113505380A (en) * | 2021-06-11 | 2021-10-15 | 山东云海国创云计算装备产业创新中心有限公司 | BMC (baseboard management controller) safe starting method, device, equipment and medium based on state cryptographic algorithm |
| CN113626803A (en) * | 2021-06-28 | 2021-11-09 | 苏州浪潮智能科技有限公司 | BMC firmware protection method, system and device and readable storage medium |
| CN114329554A (en) * | 2021-12-28 | 2022-04-12 | 苏州浪潮智能科技有限公司 | Method, device, equipment and medium for managing key file of baseboard management controller |
-
2022
- 2022-08-02 CN CN202210919497.1A patent/CN114995918A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112651030A (en) * | 2021-01-14 | 2021-04-13 | 北京工业大学 | Trusted starting method for BMC firmware system security |
| CN113505380A (en) * | 2021-06-11 | 2021-10-15 | 山东云海国创云计算装备产业创新中心有限公司 | BMC (baseboard management controller) safe starting method, device, equipment and medium based on state cryptographic algorithm |
| CN113626803A (en) * | 2021-06-28 | 2021-11-09 | 苏州浪潮智能科技有限公司 | BMC firmware protection method, system and device and readable storage medium |
| CN114329554A (en) * | 2021-12-28 | 2022-04-12 | 苏州浪潮智能科技有限公司 | Method, device, equipment and medium for managing key file of baseboard management controller |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117170694A (en) * | 2023-09-15 | 2023-12-05 | 合芯科技(苏州)有限公司 | A BMC data burning configuration method, device, equipment and media |
| CN117170694B (en) * | 2023-09-15 | 2024-05-14 | 合芯科技(苏州)有限公司 | A BMC data burning configuration method, device, equipment and medium |
| CN119690530A (en) * | 2025-02-25 | 2025-03-25 | 浪潮计算机科技有限公司 | Baseboard management controller startup method, device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104156659B (en) | Embedded system secure start method | |
| KR101393307B1 (en) | Secure boot method and semiconductor memory system for using the method | |
| CN109710315B (en) | BIOS (basic input output System) flash writing method and BIOS mirror image file processing method | |
| CN109714303B (en) | BIOS starting method and data processing method | |
| TWI436280B (en) | Access authentication method for accessing basic input/output system settings | |
| KR100792287B1 (en) | Security method using self-generated encryption key and applied security device | |
| WO2020037612A1 (en) | Embedded program secure boot method, apparatus and device, and storage medium | |
| US20100082960A1 (en) | Protected network boot of operating system | |
| KR102864753B1 (en) | Apparatus and method for securely managing keys | |
| CN113434853B (en) | Method for burning firmware to storage device and controller | |
| KR102062073B1 (en) | Information processing apparatus and method of controlling the apparatus | |
| US20140317417A1 (en) | Generation of working security key based on security parameters | |
| JP5736994B2 (en) | Information processing apparatus, validity verification method, and program | |
| TWI760752B (en) | System for accelerating verification procedure for image file | |
| JP6391439B2 (en) | Information processing apparatus, server apparatus, information processing system, control method, and computer program | |
| WO2017133559A1 (en) | Secure boot method and device | |
| CN114995918A (en) | Starting method and configuration method and device of baseboard management controller and electronic equipment | |
| CN113722720B (en) | A system startup method and related device | |
| CN112148314B (en) | Mirror image verification method, device and equipment of embedded system and storage medium | |
| CN114722413B (en) | A method, device, server and medium for establishing a secure trust chain | |
| CN112835628A (en) | A server operating system booting method, device, device and medium | |
| KR101954439B1 (en) | Soc having double security features, and double security method for soc | |
| CN117472465A (en) | System-on-chip secure starting method and device, electronic equipment and storage medium | |
| CN116561734A (en) | Verification method, verification device, computer and computer configuration system | |
| CN113761538A (en) | Security boot file configuration method, boot method, device, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20220902 |
|
| RJ01 | Rejection of invention patent application after publication |