
Journal of Shandong University (Natural Science) ›› 2018, Vol. 53 ›› Issue (1): 89-94. doi: 10.6040/j.issn.1671-9352.2.2017.346


Secure startup mechanism of server based on trusted BMC

SUN Liang1, CHEN Xiao-chun1, ZHONG Yang1, LIN Zhi-peng2, REN Tong3

  1. ZD Technologies (Beijing) Company Limited, Beijing 100083, China;
  2. Troops 96632 of the People's Liberation Army, Beijing 100085, China;
  3. The Former 61st Research Institute of the Academy of Military Science, Beijing 100141, China
  • Received: 2017-08-28 Online: 2018-01-20 Published: 2018-01-19
  • About the author: SUN Liang (born 1980), male, senior engineer, Ph.D.; research interests: trusted computing and firmware security. E-mail: lsun@zd-tech.com.cn

Abstract: The server boot process involves key components such as the CPLD, BMC and BIOS; if any one of these links is left unprotected, it introduces a security risk. Bringing the server boot process under the protection of the trusted computing architecture can prevent problems such as replacement of key hardware, software tampering and out-of-band attacks on the server. During the boot phase, the trusted chip on the server motherboard actively verifies the boot layer of the trusted BMC to ensure that it is in a normal working state. The trusted BMC, following the policy established by the user, measures the integrity of the BMC operating system layer and actively measures the BIOS to ensure that the BIOS image is intact. The BIOS then measures the server's key hardware and software, which completes the chain of trust and provides a supporting platform for a trusted computing environment on the server. The mechanism has been verified on the Kunlun BMC.

Key words: trusted computing, firmware, trusted BMC, secure startup

CLC number: TP309.1