Research on Trusted Server Startup Method Based on BMC

doi:10.3969/j.issn.1671-1122.2021.05.008

Abstract

Abstract:

Based on hardware security, trusted computing technology can effectively realize the security of local and remote computing systems through trust chain, remote attestation and other technologies, and has been widely used in system security startup and measurement attestation. At present, the secure startup technology of terminal equipment has been relatively mature, but the research on trusted server startup technology is still less. Aiming at the problems of server BIOS firmware and operating system kernel image being tampered with, trust loss and low efficiency caused by long trust chain during server startup, this paper proposes a trusted server startup method based on BMC (baseboard manager controller). In this method, BMC is taken as the trusted root, and the star trust chain structure is used to construct the trust chain to realize the trusted start of the server. At the same time, combining with the information flow non-interference theoretical model, this paper gives a formal description of the trusted server startup. BMC is a common component on the server. The trusted startup method proposed in this paper takes BMC as the trusted root, which does not need additional hardware and has better versatility. At the same time, because of the star structure, this method reduces the trust transmission in the server startup process, and can effectively improve the security and efficiency of the server startup process.

Key words: BMC, trusted startup, active measurement, star chain

CLC Number:

TP309

XU Wanshan, ZHANG Jianbiao, YUAN Yilin, LI Zheng. Research on Trusted Server Startup Method Based on BMC[J]. Netinfo Security, 2021, 21(5): 67-73.

Figures/Tables 10

References 16

[1]	SHEN Changxiang, ZHANG Huanguo, WANG Huaimin, et al. Research and Development of Trusted Computing[J]. SCIENTIA SINICA: Informationis, 2010,61(2):139-166.
	沈昌祥, 张焕国, 王怀民, 等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010,61(2):139-166.
[2]	FENG Dengguo, LIU Jingbin, QIN Yu, et al. Trusted Computing Theory in Innovation and Development[J]. SCIENTIA SINICA: Informationis, 2020,71(8):1127-1147.
	冯登国, 刘敬彬, 秦宇, 等. 创新发展中的可信计算理论[J]. 中国科学:信息科学, 2020,71(8):1127-1147.
[3]	XU Mingdi, ZHANG Huanguo, ZHANG Fan, et al. A Survey of Trust Chain in Trusted Systems[J]. Acta Electronica Sinica, 2014,42(10):2024-2031.
	徐明迪, 张焕国, 张帆, 等. 可信系统信任链研究综述[J]. 电子学报, 2014,42(10):2024-2031.
[4]	XU Kaiyong, SHANG Jing, YANG Tianchi, et al. Active Measurement Model Based on Hybrid Trust Chain and Feature Prefabrication[J]. Computer Application Research, 2015,32(6):1791-1795.
	徐开勇, 尚京, 杨天池, 等. 基于混合信任链和特征预制的主动度量模型[J]. 计算机应用研究, 2015,32(6):1791-1795.
[5]	SI Limin, CAI Mian, CHEN Yinjing, et al. Research on a Trust Chain Transfer Model[J]. Computer Science, 2011,38(9):79-81, 107.
	司丽敏, 蔡勉, 陈银镜, 等. 一种信任链传递模型研究[J]. 计算机科学, 2011,38(9):79-81,107.
[6]	CHEN Liang, ZENG Rongren, LI Feng, et al. Trust Chain Transfer Model Based on Non-interference Theory[J]. Computer Science, 2016,43(10):141-144.
	陈亮, 曾荣仁, 李峰, 等. 基于无干扰理论的信任链传递模型[J]. 计算机科学, 2016,43(10):141-144.
[7]	CHANG Dexian, FENG Dengguo, QIN Yu, et al. Trust Chain Analysis of Trusted Virtual Platform Based on Extended LS ~ 2[J]. Journal of Communications, 2013,34(5):31-41.
	常德显, 冯登国, 秦宇, 等. 基于扩展LS~2的可信虚拟平台信任链分析[J]. 通信学报, 2013,34(5):31-41.
[8]	ZHAO Jia, SHEN Changxiang, LIU Jiqiang, et al. Trust Chain Model Based on Non-interference Theory[J]. Computer Research and Development, 2008,45(6):974-980.
	赵佳, 沈昌祥, 刘吉强, 等. 基于无干扰理论的可信链模型[J]. 计算机研究与发展, 2008,45(6):974-980.
[9]	YANG Xia, LEI Lin, WU Xinyong, et al. A Study on the Credible Start-up Method Using Digital Signature Technology[J]. Journal of University of Electronic Technology, 2016,45(3):448-452.
	杨霞, 雷林, 吴新勇, 等. 采用数字签名技术的可信启动方法研究[J]. 电子科技大学学报, 2016,45(3):448-452.
[10]	YU Yawei. Research and Implementation of Trusted Startup Based on USBKEY[D]. Beijing: Beijing University of Technology, 2016.
	郁亚威. 基于USBKEY的可信启动的研究与实现[D]. 北京:北京工业大学, 2016.
[11]	HE Xinfeng, TIAN Junfeng, LIU Fanming. Overview of Trusted Cloud Platform Technology[J]. Journal of Communications, 2019,40(2):154-163.
	何欣枫, 田俊峰, 刘凡鸣. 可信云平台技术综述[J]. 通信学报, 2019,40(2):154-163.
[12]	WANG Xiao, ZHANG Jianbiao, ZENG Zhiqiang. The Method of Constructing Trusted Virtual Execution Environment Based on Trusted Platform Control Module[J]. Journal of Beijing University of Technology, 2019,45(6):554-565.
	王晓, 张建标, 曾志强. 基于可信平台控制模块的可信虚拟执行环境构建方法[J]. 北京工业大学学报, 2019,45(6):554-565.
[13]	LIU Chuanyi, WANG Guofeng, LIN Jie, et al. Construction and Audit of Trusted Cloud Computing Operating Environment[J]. Chinese Journal of Computers, 2016,39(2):339-350.
	刘川意, 王国峰, 林杰, 等. 可信的云计算运行环境构建和审计[J]. 计算机学报, 2016,39(2):339-350.
[14]	XIU Guilin, ZHANG Bowei, LIU Fan, et al. Server Trusted Framework Based on Trusted Processor Chip[J]. Journal of Guangxi Normal University, 2020,38(2):43-50.
	修桂林, 张博为, 刘凡, 等. 基于可信处理器芯片的服务器可信框架[J]. 广西师范大学学报, 2020,38(2):43-50.
[15]	SUN Liang, CHEN Xiaochun, ZHONG Yang, et al. Server Security Startup Mechanism Based on Trusted BMC[J]. Journal of Shandong University, 2018,53(1):89-94.
	孙亮, 陈小春, 钟阳, 等. 基于可信BMC的服务器安全启动机制[J]. 山东大学学报, 2018,53(1):89-94.
[16]	ZHAO Bo, FEI Yongkang, XIANG He, et al. Research and Implementation of Security Startup Mechanism of Embedded System[J]. Computer Engineering and Application, 2014,51(10):72-77.
	赵波, 费永康, 向騻, 等. 嵌入式系统的安全启动机制研究与实现[J]. 计算机工程与应用, 2014,51(10):72-77.

方案	可信根	信任链	启动时间	主动度量	通用
文献[9]方案	IROM固件	链式	$O(n)$	否	是
文献[14]方案	RCP芯片	链式	$O(n)$	是	否
文献[16]方案	TF卡	链式	$O(n)$	否	是
本文方案	BMC	星型	$O(\log n)$	是	是

	BIOS固件	引导程序	操作系统内核文件
文件名称	SENWEI.fd	bootloader.bin	vmlinuz-4.4.15-sw64
文件大小/MB	2.0	0.082	19.4

度量值类别	度量数据
基准值	0F64 7527 B2F1 3EB4 C828 6958 1E3E 593F 40F2 19EC 3E33 27E8 6F0B 123B 7609 644E
文件未被修改时	0F64 7527 B2F1 3EB4 C828 6958 1E3E 593F 40F2 19EC 3E33 27E8 6F0B 123B 7609 644E
文件被修改时	7C85 E743 E588 23CF D4D7 B63A DDb6 B727 CED3 B8EE 8F7E EFF1 2D3D 1FF2 E7A5 065D

度量值类别	度量数据
基准值	9DF9 3AEB D92C A6EA 5E67 E0DB F591 9792 14E0 5DA0 F8DA D260 D563 5C73 0F22 6472
文件未被修改时	9DF9 3AEB D92C A6EA 5E67 E0DB F591 9792 14E0 5DA0 F8DA D260 D563 5C73 0F22 6472
文件被修改时	64D8 8731 CCDB 6F92 7CE0 B82E 0FDD 2F76 708B 4B8E C9EA E5C4 BFD3 8479 DC5B 51B3

度量值类别	度量数据
基准值	0C42 E95F 40E5 A02D 8F54 074E EF79 A02C F682 7357 0453 2A72 A2AE 10D5 75F1 0B93
文件未被修改时	0C42 E95F 40E5 A02D 8F54 074E EF79 A02C F682 7357 0453 2A72 A2AE 10D5 75F1 0B93
文件被修改时	B4F5 440B 949F 5D04 E7E1 4193 5E13 CBD8 3A85 59C0 D648 0281 DBB4 D821 D6AA E490