The TPCM Active Measurement and Power Control Design for ATX Motherboard

Cited by: 9
Abstract: This paper proposes a method for implementing active measurement and power control with a trusted platform control module (TPCM) on an Advanced Technology Extended (ATX) motherboard. The method keeps the original motherboard design unchanged and extends the interfaces the motherboard already provides, so that the boot code is protected against tampering and attack from the first CPU instruction onward. Combined with power control, the method fundamentally solves the problem that the code at the source of the computer's boot process cannot be trusted. The design ensures that the TPCM is powered on first and takes the lead in the computer's power control system, measuring the trustworthiness and integrity of the boot code. If the TPCM detects that the BIOS or other firmware has been maliciously tampered with, it either enters an untrusted operating mode or prevents the computer from powering on, according to the security policy pre-written inside the TPCM. A TPCM designed with this method has active and absolute control over the computer. In the extreme case where malicious code intrudes and the system goes out of control, the TPCM can take absolute protective measures such as shutting down the computer and cutting off the power. The method is reliable and effective, and is also low in cost and simple to install.
Source: Netinfo Security (《信息网络安全》), 2016, No. 11, pp. 1-5 (5 pages)
Funding: National Natural Science Foundation of China [61472429]
Keywords: ATX; trusted platform control module (TPCM); SPI; BIOS; boot code measurement