
CN101794362A - Trusted computation trust root device for computer and computer - Google Patents


Info

Publication number
CN101794362A
Authority
CN
China
Prior art keywords
interface
module
root
trust
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 201010034553
Other languages
Chinese (zh)
Inventor
李光
牛峰
吴悠
郝福珍
王江少
张拥政
张淑芬
张心臻
唐海
张玉
张鹏
范耀学
章文康
葛小蔓
张金霞
杨红
郑玉冰
马文龙
吴迪
贾立宗
从秀芳
刘绍方
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huabei Computing Technique Inst
Original Assignee
Huabei Computing Technique Inst
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huabei Computing Technique Inst
Priority to CN 201010034553
Publication of CN101794362A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

An embodiment of the present invention provides a trusted computing root-of-trust device for a computer, and a computer. The device includes a circuit board, an interface conversion module and at least one root-of-trust module. The circuit board is provided with an interface that matches the PCI interface, PCI-E interface or USB interface of a computer motherboard. The interface conversion module and the root-of-trust module are both arranged on the circuit board. The interface conversion module is used for data exchange between each module, via the interface of the circuit board, and the PCI, PCI-E or USB interface of the computer. The root-of-trust module is used for key generation, encryption and decryption, and storage of keys and sensitive data, and provides integrity measurement, data security protection and identity authentication information. The device can be used in an ordinary computer, giving the ordinary computer the security of a trusted computer.

Figure 201010034553

Description

Trusted computing root-of-trust device for a computer, and computer

Technical field

The invention relates to the field of computer technology, and in particular to a trusted computing root-of-trust device for a computer, and to a computer.

Background

Traditional security measures tend to concentrate on the network boundary, which is a misconception in how information security is approached. In fact, the terminal is where important data is created and stored, and the vast majority of attacks are launched from terminals. At root, security problems are mainly caused by insecure terminal architectures and operating systems. For example, resources may be used arbitrarily; in particular, executable code can be modified, and malicious programs can implant attack code and do damage at will. More seriously, legitimate users are not subject to strict access control and can access resources beyond their privileges, causing security incidents. Traditional security measures overemphasize ease of use and neglect security. In traditional systems, keys and authorization information are stored directly in memory and on the hard disk, and an attacker has many ways to obtain them, which leaves the terminal insecure.

To implement high-level protection on the terminal platform itself, so that insecure factors are controlled at their source in the terminal, Trusted Computing (TC) technology is currently used. Trusted computing introduces a security chip architecture (TPM, Trusted Platform Module, or TCM, Trusted Cryptography Module) into the computer hardware platform, and secret data such as keys and authorization information are protected by the security chip (TPM or TCM). The security features the chip provides improve the security of the terminal system, fundamentally achieving active defense against various insecure factors. Its core is to establish a trust mechanism between the user and the computer and network platform.

Because a security chip (TPM or TCM) must be provided, existing computers with a trusted computing architecture generally use a motherboard of special design, on which the security chip is integrated or which provides a special interface for installing it, thereby forming a computer with trusted computing functions. An ordinary computer has no security chip (TPM or TCM) on its motherboard, or has no interface for installing one, so it cannot implement trusted computing and cannot use trusted computing technology to improve security in use.

Summary of the invention

Based on the problems in the prior art described above, embodiments of the invention provide a trusted computing root-of-trust device for a computer, and a computer, solving the problem that an ordinary computer cannot have a security chip installed to implement trusted computing.

The purpose of the invention is achieved through the following technical solutions.

An embodiment of the invention provides a trusted computing root-of-trust device for a computer, including:

a circuit board, an interface conversion module and at least one root-of-trust module;

the circuit board is provided with an interface that matches the PCI interface, PCI-E interface or USB interface of a computer motherboard; the interface conversion module and the root-of-trust module are both arranged on the circuit board;

the interface conversion module is used for data exchange between each module, via the interface of the circuit board, and the PCI, PCI-E or USB interface of the computer;

the root-of-trust module is used for key generation, encryption and decryption, and storage of keys and sensitive data, and provides integrity measurement, data security protection and identity authentication information.

An embodiment of the invention also provides a computer, including:

a host, a trusted computing root-of-trust device, a storage device, an input device and an output device, where the trusted computing root-of-trust device is the trusted computing root-of-trust device described above;

the storage device, input device and output device are all electrically connected to the motherboard in the host; the trusted computing root-of-trust device is connected to the PCI slot, PCI-E slot or USB interface of the motherboard in the host and is thereby electrically connected to the motherboard.

As can be seen from the technical solutions above, embodiments of the invention arrange an interface conversion module, an identity recognition module, a main control module and at least one root-of-trust module on a circuit board that has an interface matching the PCI, PCI-E or USB interface of a computer, forming a trusted computing root-of-trust device that can be connected to and used on the PCI, PCI-E or USB interface of an ordinary computer motherboard. The trusted computing root-of-trust device adds trusted computing functions to an ordinary computer, giving it the security of a trusted computer in a relatively simple way.

Description of drawings

FIG. 1 is a structural block diagram of the trusted computing root-of-trust device provided by Embodiment 1 of the invention;

FIG. 2 is a structural block diagram of another trusted computing root-of-trust device provided by Embodiment 1 of the invention;

FIG. 3 is a structural block diagram of the trusted computing root-of-trust device provided by Embodiment 2 of the invention;

FIG. 4 is a structural block diagram of another trusted computing root-of-trust device provided by Embodiment 2 of the invention;

FIG. 5 is a schematic structural diagram of the computer provided by Embodiment 3 of the invention.

Detailed description

The invention is further described below with reference to the drawings and specific embodiments.

Embodiment 1

Embodiment 1 provides a trusted computing root-of-trust device for a computer, used in an ordinary computer to give it trusted computing functions. As shown in FIG. 1, the trusted computing root-of-trust device includes:

a circuit board 1, an interface conversion module 3 and at least one root-of-trust module 4.

The circuit board 1 is provided with an interface 2, which may be a PCI interface, a PCI-E interface or a USB interface, and which matches the PCI or PCI-E interface of the computer motherboard (that is, the PCI or PCI-E slot on the motherboard) or its USB interface. When interface 2 is a PCI or PCI-E interface, it is generally formed by an interface module electrically connected to gold fingers printed on the circuit board: the gold fingers provide physical compatibility with the PCI or PCI-E slot, and the interface module provides compatibility with the data exchange protocol of the motherboard's PCI or PCI-E slot. When interface 2 is a USB interface, it is generally formed by an interface module electrically connected to a USB plug: the USB plug provides physical compatibility with the motherboard's USB interface, and the interface module provides compatibility with the data exchange protocol of that USB interface.

The interface conversion module 3 and the root-of-trust module 4 of the trusted computing root-of-trust device are both arranged on circuit board 1.

The interface conversion module 3 is electrically connected to interface 2 of circuit board 1 and to each module, and is used for data exchange between each module (root-of-trust module 4), via interface 2 of circuit board 1, and the PCI, PCI-E or USB interface of the computer. The interface conversion module 3 may be an ASIC chip with PCI, PCI-E or USB interface functions, or a CPLD or FPGA chip on which the PCI or PCI-E interface bridge function or the USB interface function is implemented with an IP core.

The root-of-trust module 4 is a chip that can independently perform key generation, encryption and decryption, and that has its own processor and storage unit; a TPM chip or TCM chip is generally used. The root-of-trust module 4 can store keys and sensitive data, and provides integrity measurement, data security protection and identity authentication services for the computing platform it belongs to. As shown in FIG. 2, several root-of-trust modules can generally be provided, each used to provide trusted computing data processing and storage for users with different privileges.

When the interface of the trusted computing root-of-trust device is a USB interface, the device can be built as an internal or external device and connected to an ordinary computer through the USB interface, giving the ordinary computer the functions of a trusted computer. When the interface is a PCI or PCI-E interface, the device can be built as an add-in card and plugged into the PCI or PCI-E slot of an ordinary computer motherboard, which makes it convenient to use.

In use, the trusted computing root-of-trust device is connected to the PCI slot, PCI-E slot or USB interface of an ordinary computer motherboard. After the computer is powered on, the trusted computing root-of-trust device starts. Once the computer BIOS has started, it can access the corresponding root-of-trust module on the device normally; after obtaining the root-of-trust data from the trust board module, the computer boots normally, and the rest of the boot process is the same as the usual trusted computer boot mode. In addition, identity recognition and control software can be integrated into the BIOS or the operating system boot loader (OS Loader) to identify users and schedule multiple root-of-trust modules.

Because the root-of-trust device provided by this embodiment has an interface that matches the PCI slot, PCI-E slot or USB interface on an ordinary computer motherboard, it can easily be connected to and used on such a motherboard without redesigning the motherboard; installing or upgrading the corresponding trusted computing software is enough for an ordinary computer to implement all the functions of a trusted computer. Moreover, when several root-of-trust modules are provided on one trusted computing root-of-trust device (that is, several TPM or TCM chips are provided), each operating system of a virtual machine system running on the computer can use its own root-of-trust chip, which improves the security of multiple operating systems on virtual machines.

Embodiment 2

Embodiment 2 provides a trusted computing root-of-trust device for a computer, used in an ordinary computer to give it trusted computing functions. Its structure is basically the same as that of the root-of-trust device given in Embodiment 1. The difference is that the root-of-trust device of this embodiment also has an identity recognition module 5 and a main control module 6. As shown in FIG. 3, the identity recognition module 5 and the main control module 6 are both arranged on circuit board 1; the identity recognition module 5 and the main control module 6 are each electrically connected to the interface conversion module 3, and the main control module 6 is electrically connected to the identity recognition module 5 and to each root-of-trust module.

The identity recognition module 5 is used to identify the user and to transmit the user information confirmed by identification to the main control module 6. The identity recognition module 5 may be any identity recognition device such as a fingerprint recognition module, an iris recognition module, a USB KEY recognition module or a smart card (IC card) recognition module.

The main control module 6 is used to enable the corresponding root-of-trust module according to the privileges of the user information confirmed by the identity recognition module 5, thereby scheduling access to multiple root-of-trust modules. The main control module 6 may be an ASIC chip, or a CPLD or FPGA chip on which the control function is implemented with an IP core.

The root-of-trust device of this embodiment can generally also have several root-of-trust modules, each electrically connected to the main control module 6 and the interface conversion module 3, and each used to provide trusted computing data processing and storage for users with different privileges.

The root-of-trust device may also include a non-volatile storage module 7, electrically connected to the main control module 6 and the interface conversion module 3. It stores data encrypted by a root-of-trust module when the storage space of the root-of-trust module controlled by the main control module 6 is insufficient. Secure reading and writing of the non-volatile storage module 7 is controlled by the main control module 6. The non-volatile storage module 7 is generally a Flash chip and supplements the limited storage space of the root-of-trust modules in the device.

In the root-of-trust device, the interface conversion module 3 can be arranged separately on circuit board 1 and electrically connected to interface 2 and to each module. Alternatively, the interface conversion module 3 can be arranged inside the main control module 6 (see FIG. 4), with the electrical connection to interface 2 and to each module made through the main control module 6; that is, one main control module 6 implements the functions of two modules (the main control module and the interface conversion module). The interface conversion module 3 mainly connects the root-of-trust module 4 and the identity recognition module 5 to interface 2 (the PCI, PCI-E or USB interface), so that modules built for other kinds of interface become compatible with interface 2 through the interface conversion module 3. For example, the external interface of most current root-of-trust chips (TPM or TCM) is an LPC interface, which cannot be connected directly to a PCI, PCI-E or USB interface; through the interface conversion module 3 the root-of-trust chip can be connected to the PCI, PCI-E or USB interface. The identity recognition module 5 generally provides a serial port or USB interface, which also cannot be connected directly to a PCI or PCI-E interface; through the interface conversion module 3 the identity recognition module can be connected to the PCI or PCI-E interface. The interface module of interface 2 can also be integrated into a main control module 6 that already integrates the interface conversion module 3 (see FIG. 4); for example, the main control module, the interface conversion module 3 and the interface module of interface 2 can be integrated in one CPLD or FPGA. One main control module then integrates the functions of three modules, which raises the level of integration and helps reduce the cost of the whole device.

When the interface of the trusted computing root-of-trust device is a USB interface, the device can be built as an internal or external device and connected to an ordinary computer through the USB interface, giving the ordinary computer the functions of a trusted computer. When the interface is a PCI or PCI-E interface, the device can be built as an add-in card and plugged into the PCI or PCI-E slot of an ordinary computer motherboard, which makes it convenient to use.

In use, the trusted computing root-of-trust device is connected to the PCI slot, PCI-E slot or USB interface of an ordinary computer motherboard. After the computer is powered on, the user must first authenticate through the identity recognition module on the trusted computing root-of-trust device. Once authentication succeeds, the main control module enables the corresponding root-of-trust module according to the user's privileges. The computer BIOS then starts and can access the corresponding root-of-trust module normally; after obtaining the root-of-trust data from the trust board module, the computer boots normally, and the rest of the boot process is the same as the usual trusted computer boot mode.

Because the root-of-trust device provided by this embodiment has an interface that matches the PCI slot, PCI-E slot or USB interface on an ordinary computer motherboard, it can easily be connected to and used on such a motherboard without redesigning the motherboard; installing or upgrading the corresponding trusted computing software is enough for an ordinary computer to implement all the functions of a trusted computer. With this root-of-trust device, an ordinary computer's identification of the user is completed inside the root-of-trust device, and software on the computer cannot directly touch the root-of-trust device, which improves the security of identification. Moreover, when several root-of-trust modules are provided on one root-of-trust device (that is, several TPM or TCM chips are provided), each operating system of a virtual machine system running on the computer can use its own root-of-trust chip, which improves the security of multiple operating systems on virtual machines.
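The gating that Embodiment 2 assigns to the main control module can be modelled in software as follows. This is an added illustration, not part of the patent: the class and function names, the SHA-256 credential templates, the constructed tokens and the TPM-style extend register are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the host addresses a root-of-trust module that is not enabled."""


@dataclass
class TrustRootModule:
    """Stand-in for one TPM/TCM chip; only a measurement register is modelled."""
    name: str
    register: bytes = bytes(32)

    def extend(self, data: bytes) -> bytes:
        # TPM-style extend (assumed here): register = SHA-256(register || SHA-256(data)).
        digest = hashlib.sha256(data).digest()
        self.register = hashlib.sha256(self.register + digest).digest()
        return self.register


class MainControl:
    """Models main control module 6 together with identity recognition module 5."""

    def __init__(self, modules, enrolled):
        self._modules = list(modules)
        # enrolled maps SHA-256(credential) -> (user name, index of that user's module)
        self._enrolled = dict(enrolled)
        self._enabled = None  # no module is reachable after power-on

    def identify(self, credential: bytes):
        """Identification runs on the card; the host only learns the outcome."""
        presented = hashlib.sha256(credential).digest()
        match = None
        for template, (user, slot) in self._enrolled.items():
            # Constant-time comparison, with no early exit on a match.
            if hmac.compare_digest(template, presented):
                match = (user, slot)
        # A failed attempt also closes whatever module was open before.
        self._enabled = match[1] if match else None
        return match[0] if match else None

    def power_cycle(self):
        self._enabled = None

    def is_reachable(self, slot: int) -> bool:
        return self._enabled is not None and slot == self._enabled

    def host_request(self, slot: int, data: bytes) -> bytes:
        """A request arriving from the host through the interface conversion module."""
        if not self.is_reachable(slot):
            raise AccessDenied(f"root-of-trust module {slot} is not enabled")
        return self._modules[slot].extend(data)


def build_demo_device() -> MainControl:
    # Constructed sample enrolment: two users, each bound to their own module.
    modules = [TrustRootModule("trm-0"), TrustRootModule("trm-1")]
    enrolled = {
        hashlib.sha256(b"constructed-admin-token").digest(): ("admin", 0),
        hashlib.sha256(b"constructed-operator-token").digest(): ("operator", 1),
    }
    return MainControl(modules, enrolled)


if __name__ == "__main__":
    device = build_demo_device()
    print("identified:", device.identify(b"constructed-operator-token"))
    print("module 1:", device.host_request(1, b"os-loader image").hex())
    try:
        device.host_request(0, b"os-loader image")
    except AccessDenied as exc:
        print("denied:", exc)
```

The point to take from the model is that the enable decision lives on the card: host software can present a credential and issue requests, but it cannot select which root-of-trust module answers.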

Embodiment 3

Embodiment 3 provides a computer. As shown in FIG. 5, the computer includes:

a host 21, a trusted computing root-of-trust device 25, a storage device (not shown in the figure), an input device 22 and an output device 23. The host 21 contains a motherboard 24, and the trusted computing root-of-trust device 25 is the trusted computing root-of-trust device given in Embodiment 1.

The storage device, the input device 22 and the output device 23 are all electrically connected to the motherboard 24 in the host 21. The trusted computing root-of-trust device 25 is connected to the PCI slot, PCI-E slot or USB interface of the motherboard 24 in the host 21 and is thereby electrically connected to the motherboard 24.

The hardware structure of this computer is basically the same as that of an ordinary computer. The difference is that it also includes a trusted computing root-of-trust device, connected to the PCI slot, PCI-E slot or USB interface of the motherboard in the host, so that the computer, working together with the corresponding software, has the security of a trusted computer.

The above is only a preferred specific embodiment of the invention, and the scope of protection of the invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. The scope of protection of the invention is therefore determined by the scope of protection of the claims.

Claims (10)

1. A trusted computing root-of-trust device for a computer, characterized in that it comprises: a circuit board, an interface conversion module and at least one root-of-trust module; the circuit board is provided with an interface that matches the PCI interface, PCI-E interface or USB interface of a computer motherboard; the interface conversion module and the root-of-trust module are both arranged on the circuit board; the interface conversion module is used for data exchange between each module, via the interface of the circuit board, and the PCI, PCI-E or USB interface of the computer; the root-of-trust module is used for key generation, encryption and decryption, and storage of keys and sensitive data, and provides integrity measurement, data security protection and identity authentication information.

2. The trusted computing root-of-trust device for a computer according to claim 1, characterized in that there may be several root-of-trust modules, each used to process the security data of users with different privileges.

3. The trusted computing root-of-trust device for a computer according to claim 1 or 2, characterized in that the root-of-trust device further comprises an identity recognition module and a main control module; the identity recognition module and the main control module are both arranged on the circuit board and are each electrically connected to the interface conversion module; the identity recognition module is used to identify the user and to transmit the user information confirmed by identification to the main control module; the main control module is used to enable the corresponding root-of-trust module according to the privileges of the user information confirmed by the identity recognition module.

4. The trusted computing root-of-trust device for a computer according to claim 3, characterized in that the root-of-trust device further comprises a non-volatile storage module, electrically connected to the main control module, for storing data encrypted by the root-of-trust module when the storage space of the root-of-trust module controlled by the main control module is insufficient.

5. The trusted computing root-of-trust device for a computer according to claim 3, characterized in that the identity recognition module is any one of a fingerprint recognition module, an iris recognition module, a USB KEY recognition module and a smart card recognition module.

6. The trusted computing root-of-trust device for a computer according to claim 3, characterized in that the main control module is an ASIC chip, or the main control module is a CPLD chip or FPGA chip on which the control function is implemented with an IP core.

7. The trusted computing root-of-trust device for a computer according to claim 1, characterized in that the interface conversion module is arranged separately on the circuit board and electrically connected to the interface of the circuit board and to each module; or the interface conversion module is arranged inside the main control module and electrically connected to the interface of the circuit board and to each module through the main control module.

8. The trusted computing root-of-trust device for a computer according to any one of claims 1, 2 or 7, characterized in that the interface conversion module is an ASIC chip with a PCI interface, PCI-E interface or USB interface; or the interface conversion module is a CPLD chip or FPGA chip on which the PCI, PCI-E or USB interface function is implemented with an IP core.

9. The trusted computing root-of-trust device for a computer according to claim 1, characterized in that the root-of-trust module is a TPM chip or a TCM chip.

10. A computer, characterized in that it comprises: a host, a trusted computing root-of-trust device, a storage device, an input device and an output device, where the trusted computing root-of-trust device is the trusted computing root-of-trust device according to any one of claims 1 to 9; the storage device, input device and output device are all electrically connected to the motherboard in the host; the trusted computing root-of-trust device is connected to the PCI slot, PCI-E slot or USB interface of the motherboard in the host and is thereby electrically connected to the motherboard.

CN 201010034553 2010-01-22 2010-01-22 Trusted computation trust root device for computer and computer Pending CN101794362A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010034553 CN101794362A (en) 2010-01-22 2010-01-22 Trusted computation trust root device for computer and computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010034553 CN101794362A (en) 2010-01-22 2010-01-22 Trusted computation trust root device for computer and computer

Publications (1)

Publication Number Publication Date
CN101794362A true CN101794362A (en) 2010-08-04

Family

ID=42587048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010034553 Pending CN101794362A (en) 2010-01-22 2010-01-22 Trusted computation trust root device for computer and computer

Country Status (1)

Country Link
CN (1) CN101794362A (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102012985B (en) * 2010-11-19 2013-12-25 国网电力科学研究院 Sensitive data dynamic identification method based on data mining
CN102012985A (en) * 2010-11-19 2011-04-13 国网电力科学研究院 Sensitive data dynamic identification method based on data mining
CN105653995A (en) * 2015-09-01 2016-06-08 刘晓建 Repeatedly-use dependable computing apparatus of common computer man-computer interaction equipment
CN105307109A (en) * 2015-11-19 2016-02-03 上海斐讯数据通信技术有限公司 USB (Universal Serial Bus) wireless connector, wireless connection system and USB wireless communication method
CN108140092A (en) * 2015-12-02 2018-06-08 密码研究公司 Equipment with multiple trusted roots
CN106341224A (en) * 2016-07-20 2017-01-18 国网安徽省电力公司信息通信分公司 Customized server-based TCM application system and system guidance method
CN106529221B (en) * 2016-11-22 2019-03-19 北京中金国信科技有限公司 A kind of FPGA program anti-copy method and PCI-E cipher card
CN106529221A (en) * 2016-11-22 2017-03-22 北京中金国信科技有限公司 FPGA program copying prevention method and PCI-E password card
CN106324864A (en) * 2016-11-23 2017-01-11 上海擎感智能科技有限公司 Intelligent glasses, configuration method thereof and configuration method
CN106844241A (en) * 2017-02-27 2017-06-13 郑州云海信息技术有限公司 A kind of safety card, security card slot and board
CN106933764A (en) * 2017-03-31 2017-07-07 山东超越数控电子有限公司 A kind of credible password module and its method of work based on domestic TCM chips
CN109426736A (en) * 2017-08-22 2019-03-05 鸿富锦精密工业(武汉)有限公司 Credible main board system
CN109117638A (en) * 2018-07-13 2019-01-01 中国电子科技集团公司第三十研究所 A kind of credible and secure mainboard of height and its control method based on physics switching
CN111538993A (en) * 2020-04-16 2020-08-14 南京东科优信网络安全技术研究院有限公司 Device and method for performing credibility measurement by introducing external hardware trust root
WO2021208354A1 (en) * 2020-04-16 2021-10-21 南京东科优信网络安全技术研究院有限公司 Apparatus and method for performing trusted measurement by introducing external hardware root of trust
WO2022237551A1 (en) * 2021-05-12 2022-11-17 华为技术有限公司 Secure boot device and method
CN114090488A (en) * 2021-11-11 2022-02-25 深圳市同泰怡信息技术有限公司 Credibility measurement expansion board, basic input and output system, credibility measurement method and device
CN117155714A (en) * 2023-10-31 2023-12-01 苏州元脑智能科技有限公司 Communication device, method, system, apparatus, medium, encryption system, and server
CN117155714B (en) * 2023-10-31 2024-02-09 苏州元脑智能科技有限公司 Communication device, method, system, apparatus, medium, encryption system, and server
WO2025091791A1 (en) * 2023-10-31 2025-05-08 苏州元脑智能科技有限公司 Communication apparatus, method and system, device, medium, encryption system and server

Similar Documents

Publication Publication Date Title
CN101794362A (en) Trusted computation trust root device for computer and computer
US9081946B2 (en) Secure mass storage device
CN100437618C (en) Portable information safety device
US9495524B2 (en) Secure user authentication using a master secure element
US9047486B2 (en) Method for virtualizing a personal working environment and device for the same
CN101551784B (en) Method and device for encrypting data in ATA memory device with USB interface
US6199167B1 (en) Computer architecture with password-checking bus bridge
CN201820230U (en) Trusted Computing Trust Root Devices and Computers for Computers
US20090132816A1 (en) PC on USB drive or cell phone
US20050228993A1 (en) Method and apparatus for authenticating a user of an electronic system
CN100481107C (en) An identity control method based on credibility platform module and fingerprint identifying
CN101281570B (en) A Trusted Computing System
CN102254119B (en) Safe mobile data storage method based on fingerprint U disk and virtual machine
US20160110532A1 (en) User Authorization And Presence Detection In Isolation From Interference From And Control By Host Central Processing Unit And Operating System
US20070288689A1 (en) USB apparatus and control method therein
CN102063591A (en) Methods for updating PCR (Platform Configuration Register) reference values based on trusted platform
CN102184357B (en) Portable trustworthy private information processing system
CN101276384A (en) Security control chip and implementing method thereof
CN102024115B (en) Computer with user security subsystem
CN100432890C (en) Computer starting up identifying system and method
CN105975872A (en) Method for testing TPM (trusted platform Module) under Windows
CN2916768Y (en) Embedded Single Security Chip Biometric Fingerprint Identification System
CN212749835U (en) Safe credible computer based on domestic TPM encryption module
CN201845340U (en) Safety computer provided with user safety subsystem
CN108520172A (en) A security chip encryption for living fingerprint identification can manage USB flash drive

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100804