
CN-120012111-B - Method and device for generating encrypted operating system installation file


Abstract

A method and a device for generating an encrypted operating system installation file. The kernel, temporary file system and root file system files needed to run the operating system are encrypted layer by layer at the operating system layer. During system startup, the data in the root file system can be accessed only after the kernel, the temporary file system and the root file system have been decrypted in sequence, starting from the boot loader on the target product hardware platform. This avoids the risk of static decryption after the system files are extracted, protects storage medium data at the system layer, and improves the security of the operating system. The files are written to the storage medium according to second hardware address mapping information, which prevents users without access rights from reading the files directly and improves data security. At the user interface layer, users can use product functions only in a restricted operating environment, which prevents users with low-level privileges from accessing the data in the root file system, so that storage medium data is also effectively protected at the user layer.

Inventors

  • LI XINLI
  • DENG ZHILONG
  • SUN XIAOYU

Assignees

  • 北京启明星辰信息安全技术有限公司
  • 北京网御星云信息技术有限公司
  • 启明星辰信息技术集团股份有限公司

Dates

Publication Date
2026-05-05
Application Date
2025-02-11

Claims (11)

  1. A method of generating an encrypted operating system installation file, comprising: encrypting, respectively, a kernel file, a temporary file system file and a root file system tool file used to construct an operating system; generating a boot loader file according to the decryption information of the kernel file and the predetermined first hardware address mapping information; and writing the boot loader file, the encrypted kernel file, the temporary file system file and the root file system tool file into a storage medium according to second hardware address mapping information, to obtain a storage medium containing an operating system, wherein the second hardware address information comprises the first hardware address mapping information, third hardware address mapping information of the temporary file system file and fourth hardware address mapping information of the root file system tool file; wherein the boot loader integrates code for loading and decrypting the kernel file, the kernel integrates code for loading and decrypting the temporary file system, and the temporary file system integrates code for loading and decrypting the root file system tool file; the storage medium is physically connected to a product and is used for system operation and data storage of a product hardware platform; and the second hardware address mapping information comprises offset address information of the predetermined boot loader file, the encrypted kernel file, the temporary file system file and the root file system tool file.
  2. The method according to claim 1, wherein the method further comprises: hiding and/or encrypting the first hardware address mapping information of the kernel file in the boot loader file, and, when the boot loader file runs, obtaining the first hardware address mapping information through the un-hiding and/or decryption corresponding to the hiding and/or encrypting; when the kernel file runs, obtaining the third hardware address mapping information through the un-hiding and/or decryption corresponding to the hiding and/or encrypting; and when the temporary file system file runs, obtaining the fourth hardware address mapping information through the un-hiding and/or decryption corresponding to the hiding and/or encrypting.
  3. The method of claim 1, wherein the offset address information comprises offset address information of the storage medium determined using a master boot record (MBR).
  4. The method of claim 1, wherein the temporary file system file comprises an initial RAM file system (initramfs) file.
  5. The method of claim 1, wherein the root file system tool file is built using BusyBox.
  6. The method according to claim 1, wherein the method further comprises: configuring, in the kernel option configuration, the temporary file system to be integrated in the kernel file; or configuring, in a kernel option, a mode of loading the temporary file system file, so that the temporary file system file is loaded according to the configured mode.
  7. The method according to any one of claims 1 to 6, further comprising: storing a decryption key of the kernel file and a corresponding decryption algorithm in the boot loader file; storing a decryption key of the temporary file system file and a corresponding decryption algorithm in the kernel file; and storing a decryption key of the root file system tool file and a corresponding decryption algorithm in the temporary file system file.
  8. The method according to any one of claims 1 to 6, further comprising: hiding the kernel file, and integrating code for un-hiding the kernel file in the boot loader file; hiding the temporary file system file, and integrating code for un-hiding the temporary file system file in the kernel file; and hiding the root file system tool file, and integrating code for un-hiding the root file system tool file in the temporary file system file.
  9. A computer storage medium having a computer program stored therein which, when executed by a processor, implements the method of generating an encrypted operating system installation file according to any one of claims 1 to 8.
  10. A terminal comprising a memory and a processor, wherein the memory stores a computer program; the processor is configured to execute the computer program in the memory; and the computer program, when executed by the processor, implements the method of generating an encrypted operating system installation file as claimed in any one of claims 1 to 8.
  11. An apparatus for generating an encrypted operating system installation file, comprising an encryption unit, a generation unit and a write processing unit, wherein: the encryption unit is configured to encrypt, respectively, a kernel file, a temporary file system file and a root file system tool file used to construct an operating system; the generation unit is configured to generate a boot loader file according to the decryption information of the kernel file and the predetermined first hardware address mapping information; and the write processing unit is configured to write the boot loader file, the encrypted kernel file, the temporary file system file and the root file system tool file into a storage medium according to second hardware address mapping information, to obtain a storage medium containing an operating system, wherein the second hardware address information comprises the first hardware address mapping information, third hardware address mapping information of the temporary file system file and fourth hardware address mapping information of the root file system tool file; wherein the boot loader integrates code for loading and decrypting the kernel file, the kernel integrates code for loading and decrypting the temporary file system, and the temporary file system integrates code for loading and decrypting the root file system tool file; the storage medium is physically connected to a product and is used for system operation and data storage of a product hardware platform; and the second hardware address mapping information comprises offset address information of the predetermined boot loader file, the encrypted kernel file, the temporary file system file and the root file system tool file.
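
The layout that claims 1 and 7 describe, as an added sketch that is not code from the patent: each stage carries the key and address mapping of the next stage, and the stages are written at predetermined offsets. The header layout, the SHA-256 counter-mode stand-in cipher, the offsets and all function names are assumptions made for this example; the patent names no algorithm or format.

```python
import hashlib, os, struct

# Constructed per-stage header: key, offset and length of the NEXT stage.
HDR = struct.Struct(">32sII")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode, no integrity protection)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def build_image(boot, kernel, initramfs, rootfs, offsets, size):
    """Write the four stages at ascending offsets; returns (image, bootloader length)."""
    payloads = [boot, kernel, initramfs, rootfs]
    keys = [None] + [os.urandom(32) for _ in range(3)]  # bootloader itself stays plaintext
    image = bytearray(os.urandom(size))                 # random fill between stages
    hdr = HDR.pack(bytes(32), 0, 0)                     # rootfs is last: empty header
    for i in (3, 2, 1, 0):                              # build back to front
        plain = hdr + payloads[i]
        blob = keystream_xor(keys[i], plain) if keys[i] else plain
        if offsets[i] + len(blob) > (offsets[i + 1] if i < 3 else size):
            raise ValueError(f"stage {i} overruns the next region")
        image[offsets[i]:offsets[i] + len(blob)] = blob
        # The preceding stage will carry this stage's key and address mapping.
        hdr = HDR.pack(keys[i] or bytes(32), offsets[i], len(blob))
    return bytes(image), len(blob)

def boot_chain(image, boot_off, boot_len):
    """Decrypt stage by stage as the boot process would; returns the four payloads."""
    stage, out = image[boot_off:boot_off + boot_len], []
    while True:
        key, off, length = HDR.unpack_from(stage)
        out.append(stage[HDR.size:])
        if length == 0:
            return out
        stage = keystream_xor(key, image[off:off + length])

if __name__ == "__main__":
    parts = [b"BOOT" * 8, b"KERNEL" * 40, b"INITRAMFS" * 20, b"ROOTFS" * 60]  # constructed
    img, blen = build_image(*parts, offsets=[0x200, 0x1000, 0x3000, 0x5000], size=0x8000)
    assert boot_chain(img, 0x200, blen) == parts
    print("kernel visible in raw image:", parts[1] in img)
```

In this sketch the bootloader stage is stored in plaintext with the kernel key inside it, so `boot_chain` needs only the raw image and the bootloader offset; the confidentiality of the whole chain reduces to how well that first key and mapping are hidden, which is the subject of claims 2 and 8.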

Description

Method and device for generating encrypted operating system installation file

Technical Field

The present invention relates to information security technologies, and in particular to a method and an apparatus for generating an encrypted operating system installation file.

Background

Linux is one of the mainstream operating systems worldwide. It originates from Unix systems and is open source under the GNU General Public License (GPL), which allows users to freely distribute and modify the software provided they adhere to the license. As open source software, Linux has a huge developer community that continuously optimizes and improves system functions, and it has many different distributions, each with its own characteristics and advantages. Linux is known worldwide for its excellent stability, security and high degree of customization. Its main advantages are: 1) security: Linux has excellent security and an extremely low risk of being attacked by viruses and malicious software; 2) flexibility: users can customize a Linux system according to their own requirements; 3) free of charge: Linux is completely free open source software that can be used and distributed without limitation provided the GPL is adhered to; 4) a rich software ecosystem: Linux has a large number of free open source applications and tools that can meet various application requirements; 5) excellent performance: Linux uses resources efficiently, has low system latency, supports multithreading and high throughput, and can run stably for a long time, which makes it suitable for various critical and highly concurrent task scenarios.
With its wide range of application scenarios, Linux occupies an important position in various industries and is the preferred operating system in many fields. The main application scenarios are: 1) servers: Linux is most widely applied in the server field, where its stability and security have made it a widely used server system, and enterprises of all kinds use Linux-based servers to provide services; 2) embedded systems: the Linux kernel is widely used in embedded equipment such as routers, switches and network storage equipment, and its light weight and customizability make it the best choice for an embedded system. In particular, with the rapid development of the Internet of Things and artificial intelligence, Linux is increasingly favored in these fields, and many Internet of Things devices and artificial intelligence systems are built on Linux; 3) scientific computing and supercomputing: Linux is dominant in the field of supercomputers, most world-class supercomputers are driven by Linux operating systems, and its excellent scalability and computing efficiency make it well suited to processing complex scientific computing tasks; 4) cloud computing: most cloud computing platforms, such as AWS, Google Cloud and Azure, are customized and optimized on the basis of Linux operating systems. These platforms use the stability and security of Linux to support multiple services such as virtual machines, containers and serverless computing, so as to meet the requirements of different users, and thereby dominate the market; 5) personal desktop: Linux has multiple personal desktop distributions, such as Ubuntu and Fedora, which users seeking system security and privacy protection often choose as their personal desktop systems.
In addition, Linux has an active community that provides a large amount of resources and technical support, enabling users to deeply optimize and customize their operating systems.

With the rapid development of science and technology and ever-intensifying market competition, in the current age of high digitization and networking, enterprises often encounter the following problems in the process of producing and selling products: 1) intellectual property theft: the innovative products and technologies of enterprises are easily imitated or stolen by competitors, and, especially for software products and code, unauthorized copying and redistribution seriously affect the market share and brand reputation of enterprises; 2) risk of data leakage: enterprise decisions increasingly depend on data, and sensitive data stored in devices (such as customer information and trade secrets) becomes a primary target of hacking; data leakage causes not only economic losses but also legal liability and a crisis of user trust; 3) software cracking: hackers and malicious users often crack product authorization through reverse engineering, resulting in unrestricted unauthorized use of the enterprise's commercial products; such cracking behavior not only