Acceleration credibility measurement circuit suitable for multi-system

Document No.: 135421 Published: 2021-10-22

Reading note: This technology, "Acceleration credibility measurement circuit suitable for multi-system" (一种适用于多系统的加速可信度量电路), was designed by Jia Xu (贾旭), Zhao Fengyang (赵逢阳), Zhang Xinjian (张新建), Dong Bo (董博) and Qi Chunhui (祁春慧) on 2021-07-22. Main content: The invention relates to an accelerated credibility measurement circuit suitable for multiple systems, and to the technical field of trusted computer systems and information security. Through circuit design, the invention implements accelerated measurement for multiple subsystems in a computer system, thereby achieving credibility measurement of the computer system firmware and the BMC circuit firmware, shortening the system start-up time, reducing the system measurement time from the minute level to the second level, and improving the user's start-up experience.

1. An accelerated credibility measurement circuit suitable for multiple systems is characterized by comprising a firmware switching module (1), an interface acceleration module (2) and a credibility measurement module (3);

the firmware switching module (1) is used for respectively switching the firmware Flash to the CPLD and the CPU to realize the switching of the firmware Flash in a measurement stage and a normal starting stage;

the interface acceleration module (2) is used for accelerating the process of reading the firmware Flash by the credibility measurement module (3);

the credibility measurement module (3) is used for reading the accelerated firmware Flash data and realizing the credibility measurement function of the CPU.

2. The circuit according to claim 1, wherein the firmware switching module (1) is specifically configured to implement SPI/QSPI signal switching of the firmware Flash, that is, to switch the firmware Flash between the CPLD and the CPU, so as to implement reading of the firmware Flash by the CPLD and the CPU at different stages.

3. A circuit as claimed in claim 2, characterized in that the firmware switching module (1) comprises an analog switch, a firmware Flash, and a CPLD for controlling the analog switch.

4. The circuit of claim 3, wherein the firmware Flash is GD25Q127C series Flash, and the analog switch is SGM6505.

5. The circuit according to claim 4, wherein the CSN, SCK, SI, SO, HOLD and WP signals of the firmware Flash are connected to common terminal pins COM1 to COM6 of the analog switch SGM6505; pins CPLD_CSN, CPLD_CLK and CPLD_IO0 to CPLD_IO3 of the CPLD are connected to NC1 to NC6 of the analog switch SGM6505; the EN# signal and the IN1 and IN2 signals of the analog switch SGM6505 are connected to the CPLD, and the CPLD controls whether the analog switch operates and whether the common terminal signals are switched to NC or NO.

6. The circuit according to claim 5, wherein the interface acceleration module (2) is specifically configured to read the firmware Flash through the SPI interface, then convert the QSPI protocol into the EBC interface through CPLD internal logic conversion to connect with the credibility measurement module (3), and to control a reset signal of the CPU to determine whether the CPU starts normally; the interface acceleration module (2) comprises a CPLD that is the same CPLD as that of the firmware switching module (1).

7. The circuit according to claim 6, characterized in that the interface acceleration module (2) is further specifically configured to read the signal of the firmware Flash switched by the analog switch in the form of Quad SPI.

8. The circuit according to claim 7, wherein the credibility measurement module (3) is specifically configured to parse the accelerated firmware Flash signal transmitted by the interface acceleration module (2) to complete the credibility measurement of the firmware Flash.

9. The circuit according to claim 8, wherein the interface between the CPLD and the trusted cryptography chip selected for the credibility measurement module (3) is an EBC interface, and since the input and output of the general-purpose pins of the CPLD are configurable, the EBC_D[31..16], EBC_ADD[31..0], EBC_CLK, EBC_WB_PULSE, EBC_WBE_N[3..0], EBC_RW, EBC_OE, EBC_READY and EBC_CS1 pins of the EBC interface of the trusted cryptography chip are connected to IO pins of the CPLD.

10. A method of implementing credibility measurement of a computer system using the circuit of claim 9, characterized in that: after the computer system is powered on, the CPLD drives the EN# signal of the analog switch SGM6505 low to enable the analog switch and drives IN1 and IN2 of the analog switch SGM6505 low, so that the signals of the firmware Flash are switched to the CPLD and the measurement process is executed; after the measurement is finished, the CPLD drives IN1 and IN2 of the analog switch SGM6505 high, the signals of the firmware Flash are switched to the CPU, and the CPU starts normally after reading the firmware Flash; the measurement process is carried out by an internal engine of the trusted cryptography chip; after the measurement is finished, the trusted cryptography chip judges whether the firmware Flash has been tampered with, and after the firmware Flash is confirmed to be trusted, the trusted cryptography chip sends a measurement-finished signal to the CPLD through a GPIO, the CPLD releases the reset pin of the CPU, the CPU starts normally, and the whole credibility measurement process is complete.

Technical Field

The invention relates to the technical field of trusted computer systems and information security, in particular to an accelerated credibility measurement circuit suitable for multiple systems.

Background

With the arrival of the information age, information security occupies an increasingly important position in the defense industry, and the confidentiality, integrity, availability, authenticity and controllability of information transmission are basic requirements of weaponry.

Computer systems are widely used in fields such as national defense, education, finance, medical treatment and scientific research. To make computers safe and reliable, certain special-purpose computers must undergo credibility measurement, which comprises comprehensive measurement of the computer system firmware, kernel and application software. Measurement of the computer firmware is a key step affecting the start-up time of the computer, and the current approach, in which a trusted cryptography chip reads the BIOS directly, is slow and seriously affects the start-up time of the computer system.

Disclosure of Invention

(I) Technical problem to be solved

The technical problem to be solved by the invention is as follows: how to speed up the measurement process of a multi-system trusted computer or other information security device.

(II) Technical scheme

In order to solve the technical problem, the invention provides an accelerated credibility measurement circuit suitable for multiple systems, which comprises a firmware switching module 1, an interface acceleration module 2 and a credibility measurement module 3;

the firmware switching module 1 is used for respectively switching the firmware Flash to the CPLD and the CPU to realize the switching of the firmware Flash in a measurement stage and a normal starting stage;

the interface acceleration module 2 is used for accelerating the process of reading the firmware Flash by the credibility measurement module 3;

the credibility measurement module 3 is used for reading the accelerated firmware Flash data and realizing the credibility measurement function of the CPU.

Preferably, the firmware switching module 1 is specifically configured to implement SPI/QSPI signal switching of the firmware Flash, that is, to switch the firmware Flash between the CPLD and the CPU, so as to implement reading of the firmware Flash by the CPLD and the CPU at different stages.

Preferably, the firmware switching module 1 includes an analog switch, a firmware Flash, and a CPLD for controlling the analog switch.

Preferably, the firmware Flash is GD25Q127C series Flash, and the analog switch is SGM6505.

Preferably, the CSN, SCK, SI, SO, HOLD and WP signals of the firmware Flash are connected to common terminal pins COM1 to COM6 of the analog switch SGM6505; pins CPLD_CSN, CPLD_CLK and CPLD_IO0 to CPLD_IO3 of the CPLD are connected to NC1 to NC6 of the analog switch SGM6505; the EN# signal and the IN1 and IN2 signals of the analog switch SGM6505 are connected to the CPLD, and the CPLD controls whether the analog switch operates and whether the common terminal signals are switched to NC or NO.

Preferably, the interface acceleration module 2 is specifically configured to read the firmware Flash through the SPI interface, convert the QSPI protocol into the EBC interface through CPLD internal logic conversion, connect the EBC interface with the credibility measurement module 3, and control the reset signal of the CPU to determine whether the CPU starts normally; the interface acceleration module 2 comprises a CPLD that is the same CPLD as that of the firmware switching module 1.

Preferably, the interface acceleration module 2 is further specifically configured to read a signal of the firmware Flash switched by the analog switch in a Quad SPI manner.

Preferably, the credibility measurement module 3 is specifically configured to parse the accelerated firmware Flash signal transmitted by the interface acceleration module 2, so as to complete the credibility measurement of the firmware Flash.

Preferably, the interface between the CPLD and the trusted cryptography chip selected for the credibility measurement module 3 is an EBC interface, and since the input and output of the general-purpose pins of the CPLD are configurable, the pins EBC_D[31..16], EBC_ADD[31..0], EBC_CLK, EBC_WB_PULSE, EBC_WBE_N[3..0], EBC_RW, EBC_OE, EBC_READY and EBC_CS1 of the EBC interface of the trusted cryptography chip are connected to IO pins of the CPLD.

The invention also provides a method for implementing credibility measurement of a computer system using the circuit. After the computer system is powered on, the CPLD drives the EN# signal of the analog switch SGM6505 low to enable the analog switch and drives IN1 and IN2 of the analog switch SGM6505 low, so that the signals of the firmware Flash are switched to the CPLD and the measurement process is executed. After the measurement is finished, the CPLD drives IN1 and IN2 of the analog switch SGM6505 high, the signals of the firmware Flash are switched to the CPU, and the CPU starts normally after reading the firmware Flash. The measurement process is carried out by an internal engine of the trusted cryptography chip. After the measurement is finished, the trusted cryptography chip judges whether the firmware Flash has been tampered with; after the firmware Flash is confirmed to be trusted, the trusted cryptography chip sends a measurement-finished signal to the CPLD through a GPIO, the CPLD releases the reset pin of the CPU, the CPU starts normally, and the whole credibility measurement process is complete.

(III) Advantageous effects

The invention can realize the acceleration measurement function of a plurality of subsystems in the computer system through circuit design, thereby realizing the credibility measurement of computer system firmware and BMC circuit firmware, shortening the starting time of the system, shortening the measurement time of the system from minute level to second level, and optimizing the starting experience of a user.

Drawings

FIG. 1 is a schematic diagram of a circuit implementation of the present invention and its application framework in a computer system;

FIG. 2 is a schematic diagram of the connection between the firmware Flash and the analog switch in the circuit of the present invention;

FIG. 3 is a schematic diagram of the connection of the analog switch in the circuit of the present invention with the CPU and CPLD;

FIG. 4 is a schematic diagram of the connection between the CPLD and the trusted cryptography chip in the circuit of the present invention.

Detailed Description

In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.

The credibility measurement circuit provided by the invention can be applied to a computer system. As shown in FIG. 1, which is a system implementation block diagram of the circuit, the circuit comprises a firmware switching module 1, an interface acceleration module 2 and a credibility measurement module 3.

The firmware switching module 1 is used for respectively switching the firmware Flash to the CPLD and the CPU to realize the switching of the firmware Flash in a measurement stage and a normal starting stage;

the interface acceleration module 2 is used in place of the conventional arrangement in which the cryptography chip reads the firmware Flash directly through an SPI interface, so that measurement is extended to multiple systems, the reading speed of the firmware Flash is improved, and accelerated measurement is achieved;

the credibility measurement module 3 is used for reading the accelerated firmware Flash data and realizing the credibility measurement function of the CPU, thereby ensuring the credibility of the computer system.

The firmware switching module 1 is used for realizing SPI/QSPI signal switching of the firmware Flash, namely switching the firmware Flash between the CPLD and the CPU so as to realize reading of the firmware Flash by the CPLD and the CPU at different stages; the firmware switching module 1 comprises an analog switch, a firmware Flash and a CPLD (complex programmable logic device) for controlling the analog switch;

The firmware of the CPU is generally stored in a serial Flash, and the firmware Flash exposes an SPI/QSPI interface. In this embodiment a GD25Q127C series Flash from GigaDevice is selected; this Flash supports the standard SPI, Dual SPI and Quad SPI interfaces, and its highest transmission rate reaches 416 Mbit/s. The analog switch selected in the firmware switching module 1 is the SGM6505 from SG Micro; this chip implements 2-to-1 switching of 6 data channels, its working voltage range is 2.0 V to 5.0 V, and its highest transmission rate is 450 MHz (-3 dB bandwidth).

The CSN, SCK, SI (IO0), SO (IO1), HOLD (IO3) and WP (IO2) signals of the firmware Flash are connected to common terminal pins COM1 to COM6 of the analog switch SGM6505; the CPLD_CSN, CPLD_CLK and CPLD_IO0 to CPLD_IO3 pins of the CPLD are connected to NC1 to NC6 of the analog switch SGM6505; the CPU_SPI_CSN0, CPU_SPI_SCK, CPU_SPI_SDI and CPU_SPI_SDO signals of the CPU (or other controller) are connected to NO1 to NO4 of the analog switch SGM6505 respectively; the EN# signal and the IN1 and IN2 signals of the analog switch SGM6505 are connected to the CPLD, and the CPLD controls whether the analog switch operates and whether the common terminal signals are switched to NC or NO.

After the computer system is powered on, the CPLD drives the EN# signal of the analog switch SGM6505 low to enable the analog switch. The CPLD then drives IN1 and IN2 of the analog switch SGM6505 low, so that the signals of the firmware Flash are switched to the CPLD and the measurement process is executed. After the measurement is finished, the CPLD drives IN1 and IN2 of the analog switch SGM6505 high, the signals of the firmware Flash are switched to the CPU, and the CPU starts normally after reading the firmware Flash.

The interface acceleration module 2 is used for accelerating the process by which the credibility measurement module 3 reads the firmware Flash, shortening the credibility measurement time, and controlling a reset signal of the CPU to determine whether the CPU starts normally. The interface acceleration module 2 comprises a CPLD, which is the same CPLD as that of the firmware switching module 1.

In the conventional measurement process, the signals of the firmware Flash are connected directly to a standard SPI interface of the credibility measurement module 3 after passing through the analog switch. The maximum transmission rate of this interface is dozens of Mbit/s, and for a multi-subsystem computer the measurement process can take as long as 2 to 3 minutes. Added to the normal start-up time of the system after measurement completes, this makes the start-up process of the computer long and affects the user's experience.

The interface acceleration module 2 reads the signals of the firmware Flash switched by the analog switch in Quad SPI mode, at a reading speed of up to 400 Mbit/s. The QSPI protocol is converted by internal logic of the CPLD into an EBC interface or another high-speed parallel interface connected to the credibility measurement module 3, and the credibility measurement process is executed by the credibility measurement module 3.

The credibility measurement module 3 is used for parsing the accelerated firmware Flash signals transmitted by the interface acceleration module 2, so as to complete the credibility measurement of the firmware Flash. Mainstream trusted cryptography chips expose an EBC or other parallel interface. In this embodiment the interface between the CPLD and the trusted cryptography chip selected for the credibility measurement module 3 is an EBC interface, and since the input and output of the general-purpose pins of the CPLD are configurable, the pins EBC_D[31..16], EBC_ADD[31..0], EBC_CLK, EBC_WB_PULSE, EBC_WBE_N[3..0], EBC_RW, EBC_OE, EBC_READY and EBC_CS1 of the EBC interface of the trusted cryptography chip are connected to general-purpose IO pins of the CPLD, and the measurement process is carried out by the internal engine of the trusted cryptography chip. After the measurement is finished, the trusted cryptography chip judges whether the firmware Flash has been tampered with; after the firmware Flash is confirmed to be trusted, the trusted cryptography chip sends a measurement-finished signal to the CPLD through a GPIO, the CPLD releases the reset pin of the CPU, the CPU starts normally, and the whole credibility measurement process is complete.
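The power-on sequence described above, modelled in software as an added example (not part of the patent): the CPLD routes the Flash to itself, the image is measured, the bus is handed to the CPU, and reset is released only on the chip's measurement-finished signal. Assumptions: the names `pins_t`, `measured_boot` and `demo` are hypothetical, an FNV-1a checksum stands in for the chip's internal measurement engine, the CPU is taken to be held in reset from power-on, and a failed measurement is taken to leave it in reset, which the text implies but does not state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Lines the CPLD drives for one subsystem (hypothetical software model). */
typedef struct {
    bool en_n;       /* SGM6505 EN#: low enables the analog switch */
    bool in1, in2;   /* low: COM -> NC (CPLD); high: COM -> NO (CPU) */
    bool cpu_reset;  /* true: CPU held in reset */
} pins_t;

/* Stand-in digest (FNV-1a, NOT cryptographic); the real engine is in the chip. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static bool flash_routed_to_cpld(const pins_t *p) {
    return !p->en_n && !p->in1 && !p->in2;
}

/* Runs the sequence; returns true only if the CPU was released from reset. */
bool measured_boot(pins_t *p, const uint8_t *flash, size_t n, uint32_t reference) {
    p->cpu_reset = true;             /* assumed: reset asserted from power-on */
    p->en_n = false;                 /* EN# low: switch operating */
    p->in1 = p->in2 = false;         /* Flash signals routed to the CPLD */
    if (!flash_routed_to_cpld(p)) return false;

    /* Measurement stage: CPLD reads Flash (Quad SPI), chip measures over EBC. */
    uint32_t measured = digest(flash, n);

    p->in1 = p->in2 = true;          /* measurement finished: Flash to the CPU */

    /* The chip raises its GPIO "finished" signal only for a trusted image. */
    bool gpio_done = (measured == reference);
    if (gpio_done) p->cpu_reset = false;   /* CPLD releases the reset pin */
    return !p->cpu_reset;
}

/* Constructed sample: a 64-byte image, optionally with one flipped bit. */
int demo(bool tamper) {
    uint8_t img[64];
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 7);
    uint32_t ref = digest(img, sizeof img);   /* reference taken before tampering */
    if (tamper) img[10] ^= 0x01;
    pins_t p = {0};
    return measured_boot(&p, img, sizeof img, ref);
}

int main(void) {
    printf("intact image:   CPU released = %d\n", demo(false));
    printf("tampered image: CPU released = %d\n", demo(true));
    return 0;
}
```

The property worth checking in a real design is the one the model makes explicit: the reset release depends only on the chip's GPIO signal, never on the position of the analog switch.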

It can be seen that the circuit of the embodiments of the present invention is applicable to a multi-subsystem environment. A conventional credibility measurement circuit can only complete the measurement of each firmware Flash in sequence, and the measurement times accumulate, so the total measurement time is longer.

The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
