Search

CN-119848857-B - Trusted boot method, system, computer device and storage medium

CN119848857BCN 119848857 BCN119848857 BCN 119848857BCN-119848857-B

Abstract

The application relates to a trusted starting method, a trusted starting system, computer equipment and a storage medium. The method comprises the steps of firstly carrying out trusted measurement on an extension unit in an improved trusted root when the improved trusted root is electrified, determining a starting loading unit according to a deployment mode between the improved trusted root and a computing node under the condition that a trusted measurement result of the extension unit is trusted, controlling a central processing unit in the computing node to start by using a logic control unit, loading target starting firmware in the starting loading unit into the central processing unit to start and run, so as to finish trusted measurement and safe starting of the starting firmware, then carrying out trusted measurement on a preset measurement object in a starting stage, and determining that a trusted starting process of the computing node is finished when the trusted measurement result of the preset measurement object is trusted, so that the trusted measurement of all links is realized in the starting process of the computing node.

Inventors

  • SHEN JUNWEI
  • Duan Guna
  • QI HONGDONG

Assignees

  • 北京可信华泰信息技术有限公司

Dates

Publication Date
20260505
Application Date
20241114

Claims (8)

  1. 1. A trusted boot method, the method comprising: When an improved trusted root on a computing node is electrified, performing trusted measurement on an expansion unit in the improved trusted root to obtain a trusted measurement result of the expansion unit, wherein the expansion unit comprises a logic control unit and a first storage unit; When the trusted measurement result of the extension unit is trusted, determining a starting loading unit according to a deployment mode between the computing node and the improved trusted root, wherein the starting loading unit is the first storage unit or the second storage unit with successful measurement, and the second storage unit is a storage unit in the computing node; The logic control unit is used for controlling a central processing unit in the computing node to be electrified and started, and target starting firmware in the starting loading unit is loaded into the central processing unit to start operation, wherein the target starting firmware is first starting firmware in the first storage unit or starting firmware in the second storage unit; When the starting of the target starting firmware is completed, carrying out trusted measurement on a preset measurement object to obtain a trusted measurement result corresponding to the preset measurement object; when the trusted measurement result of the preset measurement object is trusted, determining that the trusted starting process of the computing node is completed; and when the trusted measurement result of the extension unit is trusted, determining a start loading unit according to a deployment mode between the computing node and the improved trusted root, wherein the method comprises the following steps: When the credible measurement result of the extension unit is credible, judging whether a second storage unit exists in the computing node according to a deployment mode between the computing node and the improved credible root; When the second storage unit does not exist in the computing node, the first storage unit is used as a starting loading unit; judging whether a second storage unit exists in the computing node according to a deployment mode between the computing node and the improved trusted root, wherein the method comprises the following steps: and in the case that the improved trusted root is in matched connection with a mainboard interface of a second storage unit in the computing node, determining that the second storage unit does not exist in the computing node, wherein the first storage unit in the improved trusted root replaces the first storage unit through interface connection, or, And judging that the second storage unit exists in the computing node under the condition that the improved trusted root is not in matched connection with the main board interface of the second storage unit.
  2. 2. The method according to claim 1, wherein when the trusted measurement result of the extension unit is trusted, after determining whether a second storage unit exists in the computing node according to a deployment manner between the computing node and the improved trusted root, the method further comprises: when the second storage unit exists in the computing node, the logic control unit is used for controlling the second storage unit to be electrified and started, and the improved trusted root is used for carrying out trusted measurement on second starting firmware in the second storage unit to obtain a trusted measurement result of the second starting firmware; And when the trusted measurement result of the second boot firmware is trusted, taking the second storage unit as a boot loading unit.
  3. 3. The method of claim 2, wherein after obtaining the trusted metric of the second boot firmware, the method further comprises: when the trusted measurement result of the second starting firmware is not trusted, accumulating and determining the continuous measurement times of the starting firmware in the second storage unit; When the continuous measurement times of starting firmware in the second storage unit are smaller than preset times, updating the second starting firmware in the second storage unit by using the first starting firmware in the first storage unit; Determining a firmware update state of the second storage unit, and accumulating the number of synchronous updates; When the firmware updating state is successful in updating, performing trusted measurement on the updated third starting firmware in the second storage unit to obtain a trusted measurement result of the third starting firmware; and when the trusted measurement result of the third boot firmware is trusted, taking the second storage unit as the boot loading unit.
  4. 4. The method of claim 3, wherein after accumulating and determining the number of consecutive metrics of the second boot firmware when the trusted metrics of the second boot firmware are not trusted, the method further comprises: and when the continuous measurement times of starting the firmware in the second storage unit are larger than or equal to preset times or the firmware updating state is failed to update, taking the first storage unit as a starting loading unit.
  5. 5. The method of claim 1, wherein performing a trusted metric on a preset metric object when the target boot firmware is booted to complete, to obtain a trusted metric result corresponding to the preset metric object, comprises: When the starting of the target starting firmware is completed, carrying out trusted measurement on the measurement operating system bootstrap program to obtain a trusted measurement result of the measurement operating system bootstrap program; when the trusted measurement result of the measurement operating system bootstrap program is trusted, loading the measurement operating system bootstrap program, and carrying out trusted measurement on the measurement operating system program to obtain the trusted measurement result of the measurement operating system program; When the trusted measurement result of the measurement operating system program is trusted, loading the measurement operating system program, and performing trusted measurement on a preset application program to obtain the trusted measurement result of the preset application program; And when the trusted measurement result of the preset application program is trusted, obtaining a trusted measurement result of successful measurement of the preset measurement object, wherein the preset measurement object comprises the measurement operating system bootstrap program, the measurement operating system program and the preset application program.
  6. 6. A trusted boot system, comprising a computing node and an improved trusted root deployed at different locations on a motherboard to which the computing node corresponds, corresponding to different deployment modes, the computing node with the trusted root deployed therein being configured to implement the trusted boot method of any one of claims 1-5.
  7. 7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 5 when executing the computer program.
  8. 8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any one of claims 1 to 5.

Description

Trusted boot method, system, computer device and storage medium Technical Field The present application relates to the field of computer technologies, and in particular, to a trusted starting method, a trusted starting system, a trusted starting computer device, and a trusted starting storage medium. Background The trusted computing starts with starting firmware as a source, measures layer by layer and builds a trusted chain. Because the domestic trusted computing has late development and less application, most of the existing computing nodes do not establish a trusted computing security guarantee mechanism, in order to enable the computing nodes to have the trusted computing security guarantee mechanism, the computing nodes need to be trusted modified, in the trusted modification process of some computing nodes, although trusted roots are added to construct the trusted mechanism, the trusted root is limited by the structure of the original main board, the starting sequence of components on the main board cannot be changed, so that starting firmware at the initial stage of starting cannot be measured, a complete trusted chain cannot be realized, and a safe and trusted computing environment cannot be truly realized. Because the starting firmware is the source of the starting of the computing node, once a storage unit is damaged or the internal firmware is destroyed, the computing node cannot be started, and a great security risk exists. Disclosure of Invention The application provides a trusted starting method, a trusted starting system, computer equipment and a storage medium, which are used for solving the problems that the existing computing node cannot be started in a trusted way and a complete trusted chain is established after a trusted root is added. In a first aspect, the present application provides a trusted boot method, the method comprising: When an improved trusted root on a computing node is electrified, performing trusted measurement on an expansion unit in the improved trusted root to obtain a trusted measurement result of the expansion unit, wherein the expansion unit comprises a logic control unit and a first storage unit; When the trusted measurement result of the extension unit is trusted, determining a starting loading unit according to a deployment mode between the computing node and the improved trusted root, wherein the starting loading unit is the first storage unit or the second storage unit with successful measurement, and the second storage unit is a storage unit in the computing node; The logic control unit is used for controlling a central processing unit in the computing node to be electrified and started, and target starting firmware in the starting loading unit is loaded into the central processing unit to start operation, wherein the target starting firmware is first starting firmware in the first storage unit or starting firmware in the second storage unit; When the starting of the target starting firmware is completed, carrying out trusted measurement on a preset measurement object to obtain a trusted measurement result corresponding to the preset measurement object; and when the trusted measurement result of the preset measurement object is trusted, determining that the trusted starting process of the computing node is finished. Optionally, when the trusted measurement result of the extension unit is trusted, determining a boot loader unit according to a deployment manner between the computing node and the improved trusted root, including: When the credible measurement result of the extension unit is credible, judging whether a second storage unit exists in the computing node according to a deployment mode between the computing node and the improved credible root; And when the second storage unit does not exist in the computing node, taking the first storage unit as a starting loading unit. Optionally, determining whether a second storage unit exists in the computing node according to a deployment manner between the computing node and the improved trusted root includes: and in the case that the improved trusted root is in matched connection with a mainboard interface of a second storage unit in the computing node, determining that the second storage unit does not exist in the computing node, wherein the first storage unit in the improved trusted root replaces the first storage unit through interface connection, or, And judging that the second storage unit exists in the computing node under the condition that the improved trusted root is not in matched connection with the main board interface of the second storage unit. Optionally, after the determining, according to the deployment manner between the computing node and the improved trusted root, whether the second storage unit exists in the computing node when the trusted measurement result of the extension unit is trusted, the method further includes: When the second storage unit exists in the computing node, the logic co