Trust measurement methods for hosts with external expansion cards and hosts

By acquiring trust measurement results from the host's motherboard and external cards, transmitting them, and generating a combined measurement result, the problem that external cards cannot be trust-measured is solved, realizing overall trust measurement of the host together with its external cards and ensuring system security.

CN114428958B · Active · Publication Date: 2026-06-30 · ALIBABA (CHINA) CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: ALIBABA (CHINA) CO LTD
Filing Date: 2021-12-17
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

Existing technologies cannot perform trust measurement on the underlying firmware of external boards and other components mounted on the host, which makes it impossible to build an overall trust measurement and ensure the security of external boards and other components.

Method used

By acquiring the trusted measurement results from the host motherboard and external cards, and transmitting them to the trusted computing module on the motherboard via the PCIe bus or SPI bus, a summary calculation is performed to generate a combined measurement result to achieve trusted measurement of the host.

Benefits of technology

It achieves overall trust measurement of the host and external cards, ensuring the security of external cards and reducing the impact on host boot speed.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114428958B_ABST (abstract figure)

Abstract

This disclosure provides a method for trust measurement of a host with an external expansion card and a host. The method includes: obtaining a trust measurement result of the host's motherboard; obtaining a trust measurement result of the external expansion card, wherein the external expansion card is connected to the motherboard; and obtaining a combined measurement result based on the trust measurement result of the motherboard and the trust measurement result of the external expansion card, wherein the combined measurement result is used to perform trust measurement on the host.

Description

Technical Field

[0001] This disclosure relates to the field of IT security technology, and specifically to a method for trust measurement of a host with external cards, and to the host itself.

Background Technology

[0002] With the development of cloud computing, 5G, artificial intelligence, and the Internet of Things (IoT) technologies, and the increasing demand for computing services, new computing service models such as heterogeneous and edge computing are being widely adopted. Traditional general-purpose hosts used in internet infrastructure are increasingly equipped with external cards, such as graphics processing units (GPUs), network processing units (NPUs), or customized cards for specific application scenarios, to provide specialized computing services. As system complexity increases, the construction of trusted and secure systems is receiving more attention and emphasis. The strength of a system's security is determined by the "weakest link" in its protection, and the security of the underlying firmware of the external cards on the host is the key focus and challenge for overall system security.

[0003] External expansion cards are typically detachably connected to the motherboard via slots or other connectors. Currently, when performing trust measurements, only the host's own trust chain can be established. Trust chains cannot be built for the underlying firmware such as external expansion cards mounted on the host. Therefore, it is impossible to construct an overall trust measurement, and consequently, the security of the underlying firmware such as external expansion cards mounted on the host cannot be guaranteed.

Summary of the Invention

[0004] To address the problems in the related technologies, this disclosure provides a trust measurement method for a host with external cards, and a host.

[0005] In a first aspect, this disclosure provides a method for measuring the trustworthiness of a host computer with external expansion cards.

[0006] Specifically, the trust measurement method for the host with external cards includes:

[0007] Obtain the trust measurement result of the motherboard of the host;

[0008] Obtain the trusted measurement result of the external board, wherein the external board is connected to the motherboard;

[0009] Based on the trust measurement results of the motherboard and the external card, a combined measurement result is obtained, which is used to perform trust measurement on the host.

[0010] In conjunction with the first aspect, in the first implementation of the first aspect of this disclosure, obtaining a combined measurement result based on the trust measurement result of the motherboard and the trust measurement result of the external board includes:

[0011] The trusted measurement result of the external card is transmitted from the external card to the motherboard via the PCIe bus. Based on the trusted measurement result of the motherboard and the trusted measurement result of the external card, the combined measurement result is obtained by the motherboard.

[0012] The trusted measurement results of the motherboard are transmitted from the motherboard to the external card via the PCIe bus. Based on the trusted measurement results of the motherboard and the trusted measurement results of the external card, the combined measurement result is obtained through the external card.

[0013] In conjunction with the first aspect, in the second implementation of the first aspect, wherein:

[0014] The process of obtaining a combined measurement result based on the trusted measurement results of the motherboard and the trusted measurement results of the external board includes performing a digest calculation on the trusted measurement results of the motherboard and the trusted measurement results of the external board to obtain the combined measurement result.

[0015] The trusted measurement results of the motherboard include trusted measurement results for any one or more of the following measurement objects on the motherboard: Basic Input/Output System (BIOS) firmware, operating system loader code, operating system kernel code, operating system service code, and application code;

[0016] The measurement object of the trust measurement result of the external board includes the firmware on the external board.

[0017] In conjunction with the second implementation of the first aspect, in the third implementation of the first aspect of this disclosure, the step of obtaining a combined measurement result by performing a digest calculation on the trust measurement results of the motherboard and the trust measurement results of the external board includes:

[0018] One or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board are used as a whole to calculate a digest. The digest, the trusted measurement results of the motherboard that are not involved in the digest calculation, and the trusted measurement results of the external board that are not involved in the digest calculation are used together as the combined measurement result.

[0019] In conjunction with the second implementation of the first aspect, in the fourth implementation of the first aspect of this disclosure, the step of obtaining a combined measurement result by performing a digest calculation on the trust measurement results of the motherboard and the trust measurement results of the external board includes:

[0020] The trusted measurement result of the first external card is transmitted from the first external card to the motherboard via the PCIe bus;

[0021] Based on the trusted measurement results of the first external board and the trusted measurement results of the motherboard, an intermediate measurement result is obtained. This includes calculating a first digest by treating one or more trusted measurement results of the motherboard and one or more trusted measurement results of the first external board as a whole, and using the first digest, the trusted measurement results of the motherboard that are not involved in the digest calculation, and the trusted measurement results of the first external board that are not involved in the digest calculation together as the intermediate measurement result.

[0022] The intermediate measurement results are transmitted to the second external board via the PCIe bus;

[0023] The combined measurement result is obtained by using the second external board based on the intermediate measurement result and the trusted measurement result of the second external board. This includes calculating a second digest by taking one or more of the first digest from the intermediate measurement result, the trusted measurement result of the motherboard that did not participate in the digest calculation, and the trusted measurement result of the first external board that did not participate in the digest calculation, together with one or more trusted measurement results of the second external board. The second digest, the item in the intermediate measurement result that did not participate in the digest calculation, and the trusted measurement result of the second external board that did not participate in the digest calculation are then used together as the combined measurement result.

[0024] In conjunction with the first aspect, in the fifth implementation of the first aspect, obtaining the trusted measurement result of the motherboard of the host includes obtaining the trusted measurement result of the motherboard through a trusted computing module set on the motherboard;

[0025] The process of obtaining the trusted measurement result of the external board includes obtaining the trusted measurement result of the external board through a trusted computing module set on the external board.

[0026] In conjunction with the first aspect, in the sixth implementation of the first aspect, wherein:

[0027] The process of obtaining the trusted measurement result of the external board includes reading the firmware code of the external board through a trusted computing module set on the motherboard, and obtaining the trusted measurement result of the external board based on the firmware code.

[0028] The combined measurement result is obtained based on the trusted measurement results of the motherboard and the trusted measurement results of the external board. This includes obtaining the combined measurement result through the motherboard, based on the trusted measurement results of the motherboard and the trusted measurement results of the external board.

[0029] In conjunction with the first aspect, the seventh implementation of the first aspect further includes:

[0030] The trusted measurement results and the combined measurement result are saved in a log;

[0031] The combined measurement result is sent to a designated server, wherein the designated server performs trust measurement on the host based on the combined measurement result;

[0032] When the trusted measurement of the host fails, the untrusted measurement object is determined based on the log.

[0033] In a second aspect, this disclosure provides a host, including:

[0034] A motherboard;

[0035] An external expansion card connected to the motherboard;

[0036] The trusted computing module on the motherboard is configured to obtain the trusted measurement results of the motherboard.

[0037] The trusted computing module on the external board is configured to obtain the trusted measurement result of the external board;

[0038] The PCIe bus between the motherboard and the external card is configured to transmit the trusted measurement result between the motherboard and the external card;

[0039] The trusted measurement results of the motherboard and the trusted measurement results of the external card are used to generate a combined measurement result, which is used to perform a trusted measurement on the host.

[0040] In conjunction with the second aspect, in a first implementation of the second aspect, the PCIe bus is configured to transmit the trusted measurement result of the external board from the external board to the motherboard;

[0041] The trusted computing module on the motherboard is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board as a whole, and to take the digest, the trusted measurement results of the motherboard that did not participate in the digest calculation, and the trusted measurement results of the external board that did not participate in the digest calculation together as the combined measurement result.

[0042] The trusted computing module on the motherboard is configured to save the trusted measurement results and the combined measurement results in a log.

[0043] The trusted computing module on the motherboard is configured to send the combined measurement results to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement results.

[0044] In conjunction with the second aspect, in a second implementation of the second aspect of this disclosure, the PCIe bus is configured to transmit the trusted measurement results of the motherboard from the motherboard to the external card;

[0045] The trusted computing module on the external board is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board as a whole, and to take the digest, the trusted measurement results of the motherboard that did not participate in the digest calculation, and the trusted measurement results of the external board that did not participate in the digest calculation together as the combined measurement result.

[0046] The trusted computing module on the external board is configured to save the trusted measurement results and the combined measurement results in a log.

[0047] The trusted computing module on the external board is configured to send the combined measurement results to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement results.

[0048] In conjunction with the second aspect, in a third implementation of the second aspect, the PCIe bus is configured to transmit the trusted measurement result of the first external board from the first external board to the motherboard.

[0049] The trusted computing module on the motherboard is configured to calculate a first digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the first external board as a whole, and take the first digest, the trusted measurement results of the motherboard that are not involved in the digest calculation, and the trusted measurement results of the first external board that are not involved in the digest calculation as an intermediate measurement result.

[0050] The PCIe bus is configured to transmit the intermediate measurement results to a second external board.

[0051] The trusted computing module on the second external board is configured to calculate a second digest by taking one or more of the first digest in the intermediate measurement result, the trusted measurement result of the motherboard that did not participate in the digest calculation, and the trusted measurement result of the first external board that did not participate in the digest calculation, together with one or more trusted measurement results of the second external board, and take the second digest, the item in the intermediate measurement result that did not participate in the digest calculation, and the trusted measurement result of the second external board that did not participate in the digest calculation as the combined measurement result;

[0052] The trusted computing module on the second external board is configured to save the intermediate measurement result, the trusted measurement result of the second external board, and the combined measurement result in a log.

[0053] The trusted computing module on the second external board is configured to send the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result.

[0054] In a third aspect, this disclosure provides a host, including:

[0055] A motherboard;

[0056] An external expansion card connected to the motherboard;

[0057] The trusted computing module on the motherboard is configured to obtain the trusted measurement results of the motherboard.

[0058] The SPI bus between the motherboard and the external board allows the trusted computing module on the motherboard to read the firmware code of the external board and obtain the trusted measurement result of the external board based on the firmware code.

[0059] The trusted measurement results of the motherboard and the trusted measurement results of the external card are used to generate a combined measurement result, which is used to perform a trusted measurement on the host.

[0060] In conjunction with the third aspect, in the first implementation of the third aspect of this disclosure, the trusted computing module on the motherboard is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board as a whole, to take the digest, the trusted measurement results of the motherboard that did not participate in the digest calculation, and the trusted measurement results of the external board that did not participate in the digest calculation together as the combined measurement result, and to save the trusted measurement results and the combined measurement result in a log;

[0061] The trusted computing module on the motherboard is configured to send the combined measurement results to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement results.

[0062] According to the technical solution provided in this disclosure, the trusted measurement results of the host's motherboard and external cards are obtained, and a combined trusted measurement result for the host is derived from them. This solves the technical problem that currently a trust chain cannot be built for the underlying firmware of external cards and custom cards installed on servers, which prevents the construction of an overall trust-measured boot. In this technical solution, trusted measurement of the firmware is introduced into the external cards, and the trusted measurement results of the external cards are extended into the trust chain of the server host, realizing seamless transfer of the trust chain between the external cards and the host, and enabling the construction of an overall trusted measurement of the host and external cards.

[0063] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.

Description of the Drawings

[0064] Other features, objects, and advantages of this disclosure will become more apparent from the following detailed description of non-limiting embodiments, taken in conjunction with the accompanying drawings. In the drawings:

[0065] Figure 1A illustrates the traditional approach to performing trust measurement during host startup;

[0066] Figure 1B illustrates a server host system with external expansion cards;

[0067] Figure 2 is a flowchart illustrating a trust measurement method for a host with external cards according to an embodiment of the present disclosure;

[0068] Figure 3A is a schematic diagram illustrating how the combined measurement result is obtained through the motherboard;

[0069] Figure 3B is a schematic diagram illustrating how the combined measurement result is obtained through the motherboard and external cards, or through external cards only;

[0070] Figure 4 illustrates how the trusted computing module and SPI interface on the motherboard are used to obtain the trusted measurement result of an external board;

[0071] Figure 5 shows a host according to an embodiment of the present disclosure;

[0072] Figure 6 shows another host according to an embodiment of this disclosure.

Detailed Implementation

[0073] In the following, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings to enable those skilled in the art to readily implement them. Furthermore, for clarity, portions unrelated to the description of exemplary embodiments have been omitted from the drawings.

[0074] In this disclosure, it should be understood that terms such as “comprising” or “having” are intended to indicate the presence of features, figures, steps, behaviors, components, parts or combinations thereof disclosed in this specification, and are not intended to exclude the possibility of the presence or addition of one or more other features, figures, steps, behaviors, components, parts or combinations thereof.

[0075] It should also be noted that, unless otherwise specified, the embodiments and features described in this disclosure can be combined with each other. This disclosure will now be described in detail with reference to the accompanying drawings and embodiments.

[0076] In this disclosure, the acquisition of user information or user data is done with the user's authorization or confirmation, or by the user's active choice.

[0077] As mentioned above, with the development of cloud computing, 5G, artificial intelligence, and the Internet of Things (IoT) technologies, and the demand for massive computing services, new computing service models such as heterogeneous and edge computing are being widely adopted. The general-purpose hosts traditionally used in internet infrastructure are increasingly equipped with external cards, such as Field-Programmable Gate Arrays (FPGAs), Graphics Processing Units (GPUs), Network Processing Units (NPUs), or customized cards for specific application scenarios, to provide specialized computing services. With increasing system complexity, the construction of trusted and secure systems is receiving more attention and emphasis. The strength of a system's security is determined by the "weakest link" in its protection, and the security of the underlying firmware of the external cards on the host is the key focus and challenge of overall system security. External cards are typically detachably connected to the motherboard via slots or other connecting devices. Currently, when performing trust measurements, only the trust chain of the host itself can be established, while a trust chain cannot be built for the underlying firmware of external cards and other components on the host. Therefore, it is impossible to construct an overall trust measurement, and consequently, the security of the underlying firmware of external cards and other components on the host cannot be guaranteed.

[0078] In this embodiment, trusted measurement refers to adding trusted verification to the system and applications to reduce the possibility of attacks due to the use of unknown or tampered firmware, operating systems, or applications. Trusted measurement can be divided into static measurement and dynamic measurement. Static measurement typically refers to the measurement of the image during initial installation or restart of the runtime environment. At this time, the measurement is performed hierarchically, usually by the software/hardware that starts first measuring the software/hardware that starts later. Successful verification of the measurement value signifies the successful transmission of the trust chain from the previous software/hardware to the next. Dynamic measurement refers to dynamically acquiring the system's operational characteristics during runtime and analyzing and determining whether the system is operating normally based on rules or models.

[0079] Trusted computing modules are used to implement trusted measurement of a host. Currently, mainstream trusted computing modules are divided into three categories: Trusted Platform Module (TPM), Trusted Cryptography Module (TCM), and Trusted Platform Control Module (TPCM). A trusted computing module includes a trusted computing chip and registers, such as the Program Control Register (PCR). The trusted computing chip acquires the measurement results for each measurement object in the host and stores these results in registers. The measurement results in the registers are compared with pre-stored reference results to determine whether each measurement object on the host has been tampered with. If the comparison results match, the measurement object is considered tamper-free and trustworthy; otherwise, if the comparison results do not match, the measurement object is considered tampered with and untrustworthy. Reference results can be stored locally on the host or on a remote server used for trusted measurement. When reference results are stored on a remote server, the measurement results stored in the registers can be sent to the remote server for trusted measurement.

[0080] In this embodiment, the host can be a server host or a personal computer host. The host includes a motherboard and external expansion cards, such as general-purpose cards like GPUs and NPUs, or custom cards tailored to specific applications. It may also include peripheral devices. This disclosure primarily focuses on the trust measurement of the motherboard and external expansion cards.

[0081] Figure 1A illustrates the traditional approach to performing trust measurement during host startup.

[0082] The motherboard of the host computer is equipped with a trusted computing module for implementing trusted measurement of the motherboard. Specifically, during host startup, the trusted computing module first calculates a digest of the root of trust using, for example, a hash algorithm, and stores this digest in PCR0. Then, it calculates a digest for the root of trust digest in PCR0 and the code of the first firmware in the Basic Input/Output System (BIOS), and stores this digest as the trusted measurement result of the first firmware in PCR1. Next, it calculates a digest for the trusted measurement result of the first firmware in PCR1 and the code of the second firmware in the BIOS, and stores this digest as the trusted measurement result of the second firmware in PCR2, and so on. After the trusted measurement results of each firmware in the BIOS are calculated, a digest is calculated for the trusted measurement result of the last firmware in the BIOS and the operating system code, and this digest is stored as the trusted measurement result of the operating system (OS) in the corresponding PCR. If trusted measurement of applications is required, a digest can be calculated for the trusted measurement result of the operating system (OS) and the application code, and stored in the corresponding PCR. Then, the result in the PCR register is sent to a remote server for trusted verification. The remote server can determine whether the firmware and software code on the motherboard have been tampered with by comparing the result in the PCR register with the pre-stored reference result, thereby achieving trusted authentication of the motherboard.
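The hierarchical chain of Figure 1A, as an added example in Python that is not part of the patent: SHA-256 is assumed as the hash algorithm, and the firmware and software images are constructed stand-ins. Because each register is computed from the previous one, altering one stage changes that stage's register and every later one, which is what the remote comparison against the reference results detects.

```python
import hashlib
from typing import List, Tuple

Stage = Tuple[str, bytes]   # (stage name, code/image of that stage)

# Constructed stand-ins for the measurement objects of [0082]: the BIOS
# firmware stages, the operating system and an application. Not real images.
ROOT_OF_TRUST = b"constructed root of trust"
STAGES: List[Stage] = [
    ("bios_fw1", b"constructed BIOS firmware stage 1"),
    ("bios_fw2", b"constructed BIOS firmware stage 2"),
    ("os",       b"constructed operating system image"),
    ("app",      b"constructed application binary"),
]


def digest(*parts: bytes) -> bytes:
    """The hash algorithm used for every measurement (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def measure_motherboard(root: bytes, stages: List[Stage]) -> List[bytes]:
    """Hierarchical static measurement of [0082].

    PCR0 holds the digest of the root of trust. Each following register
    holds the digest of the previous register together with the code of
    the next stage, so each stage is measured by the one that started
    before it: PCR[i] = H(PCR[i-1] || code[i]).
    """
    pcrs = [digest(root)]                           # PCR0
    for _name, code in stages:
        pcrs.append(digest(pcrs[-1], code))         # PCR1, PCR2, ...
    return pcrs


def verify(pcrs: List[bytes], reference: List[bytes]) -> List[int]:
    """Remote-server check of [0079]/[0082]: compare every register with
    its pre-stored reference value and return the indexes that differ."""
    if len(pcrs) != len(reference):
        return list(range(max(len(pcrs), len(reference))))
    return [i for i, (got, ref) in enumerate(zip(pcrs, reference)) if got != ref]


def replace_stage(stages: List[Stage], name: str, code: bytes) -> List[Stage]:
    """Copy of the stage list with one stage's code swapped out."""
    return [(n, code if n == name else c) for n, c in stages]


# Reference results are recorded once from a known-good host; here they are
# derived from the constructed good images.
REFERENCE = measure_motherboard(ROOT_OF_TRUST, STAGES)

if __name__ == "__main__":
    print("known-good host, mismatching PCRs:",
          verify(measure_motherboard(ROOT_OF_TRUST, STAGES), REFERENCE))
    # Because every register chains on the previous one, a change in BIOS
    # stage 2 alters PCR2 and every register after it, not just PCR2.
    altered = replace_stage(STAGES, "bios_fw2", b"constructed modified stage 2")
    print("altered stage 2, mismatching PCRs:",
          verify(measure_motherboard(ROOT_OF_TRUST, altered), REFERENCE))
```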

[0083] Figure 1B illustrates a server host system with external expansion cards.

[0084] As shown in Figure 1B, external boards 1, 2, and 3 are connected to the motherboard via the PCIe bus. In traditional solutions, trust measurement can only be performed on the host motherboard, not on the board firmware, making it impossible to determine the security of the entire system including the board firmware.

[0085] In view of the above, this disclosure proposes a trust measurement method for a host with external expansion cards. By obtaining the trust measurement results of the host's motherboard and external expansion cards, and based on these results, a combined measurement result for trust measurement of the host is obtained. This solves the technical problem that current methods cannot perform trust measurement on the underlying firmware of external expansion cards and other components mounted on servers, thus making it impossible to determine the security of the entire system, including the expansion card firmware. In this technical solution, firmware trust measurement is introduced into the external expansion cards. Based on the trust measurement results of the motherboard and the external expansion cards, the host's trust measurement is performed, thus determining the security of the entire system, including the expansion card firmware. The host's trust measurement and the external expansion card's trust measurement can be executed in parallel to reduce the impact of the external expansion card's trust measurement on the host's boot speed. Alternatively, the host's trust measurement and the external expansion card's trust measurement can be executed according to a preset order to adapt to the specific requirements of different application scenarios.

[0086] Figure 2 is a flowchart illustrating a trust measurement method for a host with an external card according to an embodiment of the present disclosure. As shown in Figure 2, the trust measurement method for the host with external cards includes the following steps S210–S230:

[0087] In step S210, the trust measurement result of the motherboard of the host is obtained;

[0088] In step S220, the trust measurement result of the external board is obtained, wherein the external board is connected to the motherboard;

[0089] In step S230, a combined measurement result is obtained based on the trust measurement result of the motherboard and the trust measurement result of the external board. The combined measurement result is used to perform trust measurement on the host.

[0090] In this embodiment of the disclosure, the external board refers to an external device that can be connected to the motherboard of the host, including various general-purpose or custom external boards that are plugged into the motherboard of the host and communicate with the motherboard of the host through corresponding interfaces.

[0091] In this embodiment of the disclosure, obtaining the trusted measurement result of the host's motherboard can be achieved by using a trusted computing module installed on the motherboard. The trusted computing module installed on the motherboard can be a TPM, TCM, and/or TPCM installed on the motherboard.

[0092] The trusted measurement result of the motherboard is obtained through the trusted computing module on the motherboard. This involves calculating the trusted measurement result of one or more measurement objects on the motherboard based on the trusted computing module, and storing the trusted measurement result in one or more registers within the trusted computing module. Specifically, the trusted measurement result can be calculated based on the root of trust in the trusted computing module on the motherboard and the feature values of one or more measurement objects on the motherboard.

[0093] In this embodiment of the disclosure, the trusted measurement result of the external board can be obtained either through a trusted computing module installed on the external board or through a trusted computing module installed on the motherboard. The external board is connected to the motherboard, and the trusted computing module installed on the external board or the motherboard can be a TPM, TCM, and / or TPCM installed on the external board or the motherboard.

[0094] In this embodiment of the disclosure, obtaining the trusted measurement result of the external board through the trusted computing module disposed on the external board may involve calculating the trusted measurement result of one or more measurement objects on the external board through the trusted computing module disposed on the external board, and storing the trusted measurement result in one or more corresponding PCR registers. Specifically, the trusted measurement result may be calculated based on the root of trust in the trusted computing module on the external board and the feature values of one or more measurement objects on the external board.

[0095] In this embodiment of the disclosure, obtaining the trust measurement result of the external board through the trusted computing module disposed on the motherboard may involve reading the firmware code of the external board through the trusted computing module disposed on the motherboard, obtaining the trust measurement result of the external board based on the firmware code, and storing the trust measurement result in one or more corresponding PCR registers. Specifically, the trust measurement result may be calculated based on the root of trust in the trusted computing module on the motherboard and the firmware code.

[0096] In this embodiment of the disclosure, obtaining the combined measurement result based on the trusted measurement results of the motherboard and the external board can be achieved by using the motherboard and/or the external board to obtain the combined measurement result from those trusted measurement results. Specifically, the combined measurement result can be obtained by having the motherboard and/or the external board calculate a digest of the trusted measurement results of the motherboard and the external board. When there are multiple trusted measurement results of the motherboard, the digest can be calculated over all of them together with the trusted measurement results of the external board, or over only some of them together with the trusted measurement results of the external board. Similarly, when there are multiple external boards, the digest can be calculated over all of the measurement results of the multiple external boards together with all or some of the trusted measurement results of the motherboard, or over some of the trusted measurement results of the multiple external boards together with all or some of the trusted measurement results of the motherboard.

[0097] According to embodiments of this disclosure, a digest of the trusted measurement results of the motherboard and the external board can be calculated using a digest algorithm, such as a hash algorithm, based on the trusted measurement results of the motherboard and the external board, and used as the combined measurement result. Specifically, one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board can be taken as a whole to calculate a digest, and the digest, the trusted measurement results of the motherboard that were not involved in the digest calculation, and the trusted measurement results of the external board that were not involved in the digest calculation are used together as the combined measurement result. In another implementation, a first digest is calculated by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the first external board as a whole. The first digest, the trusted measurement results of the motherboard that were not involved in the digest calculation, and the trusted measurement results of the first external board that were not involved in the digest calculation are then used as the intermediate measurement result. This intermediate measurement result is transmitted to the second external board via the PCIe bus. Finally, the second external board takes one or more of the first digest from the intermediate measurement result, the trusted measurement results of the motherboard that were not involved in the digest calculation, and the trusted measurement results of the first external board that were not involved in the digest calculation, together with one or more trusted measurement results of the second external board, as a whole to calculate a second digest. The second digest, the items of the intermediate measurement result that were not involved in the digest calculation, and the trusted measurement results of the second external board that were not involved in the digest calculation are then used as the combined measurement result. The combined measurement result contains information about the trusted measurement results of both the motherboard and the external board, allowing the trusted measurement results of both to be verified. The combined measurement result can be stored in a PCR (Platform Configuration Register) of the trusted computing module on the motherboard or in a PCR of an external card. Since the trusted measurement results of the motherboard and the external card can be permuted and combined in various ways using a digest algorithm, a limited number of PCRs in the trusted computing module responsible for obtaining the combined measurement result can be used to store an indefinite number of trusted measurement results, thus conveniently realizing trusted measurement for an indefinite number of external cards.
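The paragraph above ends by noting that a limited number of PCRs can hold an indefinite number of measurement results because the results are folded together by a digest algorithm. The following Python simulation is an added example, not code from the patent or from Alibaba. It uses the conventional TPM extend operation (new register value = H(old value || measurement)) with SHA-256, which is an assumption about how the results are folded rather than something the patent specifies, and constructed stand-in byte strings in place of card firmware. It shows that any number of card measurements fit into one fixed-size register, that the register value can be recomputed from the measurement log alone, and that the value depends on the order in which the cards were measured, which a verifier comparing against a reference value has to account for.

```python
import hashlib

# Constructed stand-in firmware images for three external cards (not real firmware).
CARD_FIRMWARE = {
    "card1": b"card 1 firmware image (constructed)",
    "card2": b"card 2 firmware image (constructed)",
    "card3": b"card 3 firmware image (constructed)",
}

# A SHA-256 PCR bank is assumed; after reset the register holds all zeros.
INITIAL_PCR = bytes(32)


def measure(feature_value: bytes) -> bytes:
    """Trusted measurement result of one measurement object: a SHA-256 of its feature value."""
    return hashlib.sha256(feature_value).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend. The register never stores the measurement itself, only
    H(old register value || measurement), so results of any number of objects fold into
    one fixed-size value and the register cannot be set directly to a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def record_cards(card_firmware: dict) -> tuple:
    """Measure each card's firmware in the given order, extend a single PCR with each
    result and append one log entry per card. Returns (final PCR value, log)."""
    pcr, log = INITIAL_PCR, []
    for name, firmware in card_firmware.items():
        result = measure(firmware)
        pcr = pcr_extend(pcr, result)
        log.append((name, result))
    return pcr, log


def replay(log) -> bytes:
    """Recompute the PCR value from the logged measurement results alone; a verifier
    that holds the log can check it against the register value the host reports."""
    pcr = INITIAL_PCR
    for _, result in log:
        pcr = pcr_extend(pcr, result)
    return pcr


if __name__ == "__main__":
    final_pcr, log = record_cards(CARD_FIRMWARE)
    print("PCR after 3 cards:", final_pcr.hex())
    print("log replays to the same value:", replay(log) == final_pcr)
```

Because the register value depends on measurement order, the log that accompanies it (see [0108]) is what lets a verifier reconstruct and check it; without the log, the single 32-byte value can only be compared against a reference computed for exactly the same set and order of cards.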

[0098] According to the technical solution provided in this disclosure, by obtaining the trust measurement results of the motherboard and external cards of the host, and based on the trust measurement results of the motherboard and the external cards, a combined trust measurement result for the host is obtained, solving the technical problem that current methods cannot perform trust measurement on the underlying firmware such as external cards mounted on servers. In this technical solution, firmware trust measurement is introduced into the external cards, and the trust measurement results of the external cards are combined with the trust measurement results of the host to construct an overall trust measurement of the host and external cards.

[0099] Figure 3A illustrates an example, taking the host as a server and the trusted measurement as one implemented using a TPM, of how a combined measurement result is obtained based on the trusted measurement results of the motherboard and the external cards. As shown in Figure 3A, first the trusted measurement result of the external board is transmitted from the external board to the motherboard via the PCIe bus; then, based on the trusted measurement result of the motherboard and the trusted measurement result of the external board, the combined measurement result is obtained through the motherboard. The external board can be any one or more of board 1 to board 3 in Figure 3A, and those skilled in the art can add external boards as needed.

[0100] Figure 3B illustrates another example, again taking the host as a server, of obtaining a combined measurement result based on the trusted measurement results of the motherboard and the external boards. As shown in Figure 3B, first the trusted measurement result of the first external card is transmitted from the first external card to the motherboard via the PCIe bus; then, based on the trusted measurement result of the first external card and the trusted measurement result of the motherboard, an intermediate measurement result is obtained via the motherboard; next, the intermediate measurement result is transmitted to the second external card via the PCIe bus; finally, based on the intermediate measurement result and the trusted measurement result of the second external card, the combined measurement result is obtained via the second external card. Here the first external card is board 2 and/or board 3 in Figure 3B, and the second external card is board 1 in Figure 3B. Similarly, although Figure 3B shows a configuration with two first external cards and one second external card, in practice the number of first and second external cards can be set to one or more as needed.

[0101] Furthermore, if the number of first external cards in Figure 3B is set to zero, that is, when cards 2 and 3 are not present, Figure 3B also shows, taking the host as a server and the trusted measurement as TPM-based, an implementation of obtaining the combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external card as follows: first, the trusted measurement result of the motherboard is transmitted from the motherboard to the external card via the PCIe bus; then, the combined measurement result is obtained based on the trusted measurement result of the motherboard and the trusted measurement result of the external card. Here the external card is board 1 in Figure 3B. Similarly, those skilled in the art can set the number of external boards to one or more according to actual needs.

[0102] According to the technical solution provided in this disclosure, the transfer of trusted measurement results between the host and the external board is realized based on the inherent PCIe bus between the host and the external board, without the need for additional hardware modification or addition, making it convenient and low-cost to implement. Furthermore, the technical solution provided in this disclosure can configure either the host or the external board as the trusted measurement management module, thus making it applicable to various application scenarios such as heterogeneous computing.

[0103] In the embodiments disclosed herein, as shown in Figures 3A and 3B, the combined measurement result can also be sent via a trusted verification management interface to a designated server, which performs the trusted measurement. The designated server compares the combined measurement result with a pre-stored reference result and performs the trusted measurement of the host based on the comparison. Performing the trusted measurement through a designated server eliminates the need for local storage of verification information such as reference results, saving local resources and enabling the verification of multiple measurement results to be processed in parallel. Furthermore, it allows system administrators to comprehensively understand the security status of each server host and promptly identify and fix security vulnerabilities. Alternatively, the reference results can be stored locally on the host for trusted measurement. This saves communication resources and time, prevents the trusted measurement results from being tampered with during transmission, and further improves verification security.

[0104] Figure 4 illustrates an implementation, taking the host as a server and the trusted measurement as TPM-based, of obtaining the trusted measurement result of an external board. As shown in Figure 4, the step of reading the firmware code of the external board through the trusted computing module set on the motherboard and obtaining the trusted measurement result of the external board based on the firmware code can be performed as follows: the server motherboard and the external board, which can be any one or more of external boards 1 to 3 in Figure 4, are connected via a Serial Peripheral Interface (SPI). The server motherboard reads the firmware code of the external boards based on the SPI protocol, and the trusted computing module on the server motherboard obtains the trusted measurement result of the external boards based on the firmware code. In this case, the combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external boards is obtained through the motherboard. Similarly, although the example shown in Figure 4 has three external cards, those skilled in the art can set the number of external cards to one or more according to actual needs.

[0105] According to the technical solution provided in this disclosure, the firmware code of the external board is read by a trusted computing module set on the motherboard, and the trusted measurement result of the external board is obtained based on the firmware code. Therefore, it is not necessary to set a trusted computing module in the external board, which further reduces the implementation cost and complexity while ensuring the security of the external board.

[0106] In this embodiment of the disclosure, the trusted measurement result of the motherboard includes trusted measurement results for any one or more of the following measurement objects on the motherboard: basic input/output system firmware, operating system loader code, operating system kernel code, operating system service code, and application code. The measurement object of the trusted measurement result of the external board includes the firmware on the external board.

[0107] According to the technical solutions provided in the embodiments of this disclosure, the overall trust measurement of one or more objects in the host and the external board firmware can be realized, which is simple to implement and has a wide range of applications.

[0108] In this embodiment of the disclosure, the trust measurement result and the combined measurement result can also be stored in a log, and the combined measurement result can be sent to a designated server, wherein the designated server performs a trust measurement on the host based on the combined measurement result. Thus, when the trust measurement of the host fails, the untrusted measurement object can be determined based on the log.

[0109] According to the technical solution provided in the embodiments of this disclosure, in the process of generating a combined measurement result based on the trusted measurement results, after calculating a digest as a whole from multiple trusted measurement results, the digest can be used as an intermediate measurement result and combined, as a whole, with the trusted measurement results that did not participate in the digest calculation to recalculate the digest. Alternatively, after calculating multiple digests, the multiple digests can be used as an intermediate measurement result and combined, as a whole, with the trusted measurement results that did not participate in the digest calculation to recalculate the digest. The above digest calculation can be iterated as many times as needed, that is, multiple intermediate measurement results are generated, and the final digest is used as an intermediate measurement result and combined with the trusted measurement results that did not participate in the calculation to form the combined measurement result. According to the embodiments of this disclosure, the trusted measurement result of each measurement object, each intermediate measurement result obtained in the process of generating the combined measurement result, and the combined measurement result can be stored in the log. By storing the trusted measurement results, the intermediate measurement results and the combined measurement result in the log, when the trusted measurement fails, the untrusted measurement object can be identified by reverse lookup based on the log, thereby enabling timely confirmation or repair.
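For the digest combination of [0096]-[0097] and its iterated form in [0109], the comparison on the designated server in [0103], and the log lookup of the untrusted object in [0108]-[0109], the following Python simulation is an added example and not code from the patent or from Alibaba. It assumes SHA-256 as the digest algorithm, a fixed digest schedule standing in for whichever permutation of results an implementer chooses, and constructed byte strings in place of the real BIOS, loader, kernel and card firmware images. The designated server holds the reference feature values, recomputes the reference combined result and reference log, compares the reported combined result against it, and on mismatch walks backward from the combined result through the intermediate digests down to the measurement objects that differ. It generalizes the two-board flow of Figure 3B to any number of digest stages.

```python
import hashlib

# Constructed reference feature values, standing in for the reference results the
# designated server keeps ([0103]). Not real firmware or code images.
REFERENCE_OBJECTS = {
    "bios": b"BIOS image (reference, constructed)",
    "os_loader": b"OS loader image (reference, constructed)",
    "os_kernel": b"kernel image (reference, constructed)",
    "card1_firmware": b"card 1 firmware (reference, constructed)",
    "card2_firmware": b"card 2 firmware (reference, constructed)",
}

# Iterated digest schedule ([0109]): each stage digests the listed items (per-object
# measurements or earlier digests) as a whole. Items never digested travel alongside
# the final digest as part of the combined measurement result ([0097]).
SCHEDULE = [
    ("d1", ["bios", "os_loader"]),            # stage 1, e.g. on the motherboard
    ("d2", ["d1", "card2_firmware"]),         # stage 2, after the first card's result arrives
    ("d3", ["d2", "card1_firmware"]),         # stage 3, on the second card
]


def digest_as_whole(items):
    """Digest over several named values taken as a whole. Names and lengths are mixed in
    so that the byte encoding is unambiguous (an added design choice; the page only
    says the results are digested 'as a whole')."""
    h = hashlib.sha256()
    for name, value in items:
        h.update(len(name).to_bytes(1, "big") + name.encode())
        h.update(len(value).to_bytes(1, "big") + value)
    return h.digest()


def measure_and_log(objects, schedule=SCHEDULE):
    """Measure every object, run the iterated digest calculation, and record each
    per-object measurement, each intermediate result and the combined result in the
    log ([0109]). Returns (combined_result, log); log entries are (kind, name, value)."""
    values, log = {}, []
    for name, feature in objects.items():
        values[name] = hashlib.sha256(feature).digest()
        log.append(("measurement", name, values[name]))
    digested = set()
    for label, inputs in schedule:
        values[label] = digest_as_whole([(n, values[n]) for n in inputs])
        digested.update(inputs)
        log.append(("intermediate", label, values[label]))
    combined = {n: v for n, v in values.items() if n not in digested}
    for name, value in combined.items():
        log.append(("combined", name, value))
    return combined, log


def server_verify(combined, reference_combined):
    """Designated server check ([0103]): the reported combined result must equal the
    reference combined result."""
    return combined == reference_combined


def reverse_lookup(log, reference_log, schedule=SCHEDULE):
    """Starting from the mismatching items of the combined result, walk back through the
    intermediate digests to the per-object measurements and return the names of the
    measurement objects whose measurement differs from the reference ([0109])."""
    actual = {name: value for _, name, value in log}
    expected = {name: value for _, name, value in reference_log}
    inputs_of = dict(schedule)
    untrusted = []

    def walk(name):
        if actual.get(name) == expected.get(name):
            return                      # this item, and everything folded into it, is as expected
        if name in inputs_of:           # an intermediate digest: descend into its inputs
            for child in inputs_of[name]:
                walk(child)
        elif name not in untrusted:     # a leaf measurement object that differs
            untrusted.append(name)

    for kind, name, _ in log:
        if kind == "combined":
            walk(name)
    return untrusted


if __name__ == "__main__":
    ref_combined, ref_log = measure_and_log(REFERENCE_OBJECTS)
    host_objects = dict(REFERENCE_OBJECTS, bios=b"BIOS image (modified, constructed)")
    combined, log = measure_and_log(host_objects)
    if not server_verify(combined, ref_combined):
        print("untrusted measurement objects:", reverse_lookup(log, ref_log))
```

The reverse lookup only descends into a digest whose value differs, so an intact subtree (for example the whole motherboard chain when only a card's firmware changed) is skipped after one comparison; this is the practical reason for logging every intermediate result rather than only the final combined value.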

[0110] Figure 5 shows a host according to an embodiment of the present disclosure.

[0111] As shown in Figure 5, the host 500 includes a motherboard 510 and external cards 5201 and 5202, which are connected to the motherboard 510. The motherboard 510 has a trusted computing module 530 configured to acquire trusted measurement results from the motherboard 510. The external card 5201 has a trusted computing module 5401 configured to acquire trusted measurement results from the external card 5201. The external card 5202 has a trusted computing module 5402 configured to acquire trusted measurement results from the external card 5202. A PCIe bus 550 is provided between the motherboard 510 and the external cards 5201 and 5202, configured to transmit the trusted measurement results between the motherboard 510 and the external cards. The trusted measurement results of the motherboard and the trusted measurement results of the external cards are used to generate a combined measurement result, which is used to perform a trusted measurement on the host 500.

[0112] According to the technical solution provided in this disclosure, by obtaining the trusted measurement results of the host's motherboard and external cards, and based on the trusted measurement results of the motherboard and the external cards, a combined trusted measurement result for the host is obtained. This solves the technical problem that currently, a trusted chain cannot be built for the underlying firmware of external cards and custom cards installed on servers, thus preventing the construction of an overall trusted measurement startup. In this technical solution, trusted measurement of the firmware is introduced into the external cards, enabling the construction of an overall trusted measurement of the host and external cards.

[0113] In this embodiment, the PCIe bus 550 can be configured to transmit the trusted measurement results of the external cards 5201 and 5202 from the external cards 5201 and 5202 to the motherboard 510. The trusted computing module 530 on the motherboard can be configured to obtain the combined measurement result based on the trusted measurement results of the motherboard 510 and the trusted measurement results of the external cards 5201 and 5202. The trusted computing module 530 on the motherboard can also be configured to store the trusted measurement result and the combined measurement result in a log. The trusted computing module 530 on the motherboard can also be configured to send the combined measurement result to a designated server 560, wherein the designated server 560 performs a trusted measurement on the host based on the combined measurement result.

[0114] In this embodiment of the disclosure, the PCIe bus 550 can be configured to transmit the trusted measurement result of the motherboard 510 from the motherboard 510 to the external board 5201 or 5202. The trusted computing module on the external board can be configured to obtain the combined measurement result based on the trusted measurement result of the motherboard 510 and the trusted measurement result of the external board. The trusted computing module on the external board can also be configured to store the trusted measurement result and the combined measurement result in a log. The trusted computing module on the external board can also be configured to send the combined measurement result to a designated server 560, wherein the designated server 560 performs a trusted measurement on the host based on the combined measurement result.

[0115] In this embodiment of the disclosure, the PCIe bus 550 can be configured to transmit the trusted measurement result of the first external board 5201 from the first external board 5201 to the motherboard 510; the trusted computing module 530 on the motherboard can be configured to obtain an intermediate measurement result based on the trusted measurement result of the first external board 5201 and the trusted measurement result of the motherboard 510; the PCIe bus 550 can also be configured to transmit the intermediate measurement result to the second external board 5202; the trusted computing module 5402 on the second external board 5202 can be configured to obtain the combined measurement result based on the intermediate measurement result and the trusted measurement result of the second external board 5202. The trusted computing module 5402 on the second external board can also be configured to save the trusted measurement result and the combined measurement result in a log; the trusted computing module 5402 on the second external board can also be configured to send the combined measurement result to a designated server 560, wherein the designated server 560 performs a trusted measurement on the host based on the combined measurement result.

[0116] According to the technical solution provided in this disclosure, the transfer of trusted measurement results between the host and the external board is realized based on the inherent PCIe bus between the host and the external board, without the need for additional hardware modification or addition, making it convenient and low-cost to implement. Furthermore, the technical solution provided in this disclosure can configure either the host or the external board as the trusted measurement management module, thus making it applicable to various application scenarios such as heterogeneous computing.

[0117] Figure 6 shows another host according to an embodiment of this disclosure.

[0118] As shown in Figure 6, the host 600 includes a motherboard 610 and an external board 620, with the external board 620 connected to the motherboard 610. The motherboard 610 has a trusted computing module 630 configured to acquire trusted measurement results from the motherboard 610. An SPI bus 640 connects the motherboard 610 and the external board 620. The trusted computing module 630 on the motherboard reads the firmware code of the external board 620 via the SPI bus 640 and acquires the trusted measurement result of the external board 620 based on the firmware code. The trusted measurement results of the motherboard 610 and the external board 620 are used to generate a combined measurement result, which is used to perform a trusted measurement on the host 600.

[0119] According to the technical solution provided in this disclosure, by obtaining the trusted measurement results of the host's motherboard and external cards, and based on the trusted measurement results of the motherboard and the external cards, a combined trusted measurement result for the host is obtained. This solves the technical problem that currently, a trusted chain cannot be built for the underlying firmware of external cards and custom cards installed on servers, thus preventing the overall trusted measurement. In this technical solution, trusted measurement of the firmware is introduced into the external cards, enabling the construction of an overall trusted measurement of the host and external cards.

[0120] In this embodiment of the disclosure, the trusted computing module 630 on the motherboard can be configured to store the trusted measurement result and the combined measurement result in a log. The trusted computing module 630 on the motherboard can also be configured to send the combined measurement result to a designated server 650, wherein the designated server 650 performs a trusted measurement on the host based on the combined measurement result.

[0121] According to the technical solution provided in this disclosure, a trusted computing module installed on the motherboard reads the firmware code of the external board and obtains the trusted measurement result of the external board based on the firmware code. Therefore, it is unnecessary to install a trusted computing module in the external board, which further reduces the implementation cost and complexity while ensuring the security of the external board. Furthermore, according to the technical solution provided in this disclosure, by storing the trusted measurement result, combined measurement result, and intermediate measurement result in a log, when a trusted measurement fails, the untrusted measurement object can be identified based on the log, thereby enabling timely confirmation or repair.

[0122] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0123] The units or modules described in the embodiments of this disclosure can be implemented in software or programmable hardware. The described units or modules can also be located in a processor, and the names of these units or modules do not necessarily constitute a limitation on the unit or module itself.

[0124] The above description is merely a preferred embodiment of this disclosure and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of the invention involved in this disclosure is not limited to technical solutions formed by specific combinations of the above-described technical features, but should also cover other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by substituting the above-described features with (but not limited to) technical features disclosed in this disclosure that have similar functions.

Claims

1. A method for trusted measurement of a host with an external expansion card, comprising: obtaining the trusted measurement result of the motherboard of the host; obtaining the trusted measurement result of the external board through a trusted computing module set on the external board, wherein the external board is connected to the motherboard; and obtaining a combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external board, wherein the combined measurement result is used to perform trusted measurement on the host; wherein obtaining the combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external board comprises: transmitting the trusted measurement result of the external board from the external board to the motherboard via the PCIe bus, and obtaining the combined measurement result through the motherboard based on the trusted measurement result of the motherboard and the trusted measurement result of the external board; or transmitting the trusted measurement result of the motherboard from the motherboard to the external board via the PCIe bus, and obtaining the combined measurement result through the external board based on the trusted measurement result of the motherboard and the trusted measurement result of the external board.

2. The method according to claim 1, wherein obtaining the combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external board comprises performing a digest calculation on the trusted measurement result of the motherboard and the trusted measurement result of the external board to obtain the combined measurement result; the trusted measurement result of the motherboard includes trusted measurement results for any one or more of the following measurement objects on the motherboard: basic input/output system firmware, operating system loader code, operating system kernel code, operating system service code, and application code; and the measurement object of the trusted measurement result of the external board includes the firmware on the external board.

3. The method according to claim 2, wherein performing the digest calculation on the trusted measurement result of the motherboard and the trusted measurement result of the external board to obtain the combined measurement result comprises: taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external board as a whole to calculate a digest; and using the digest, the trusted measurement results of the motherboard that are not involved in the digest calculation, and the trusted measurement results of the external board that are not involved in the digest calculation together as the combined measurement result.

4. The method according to claim 2, wherein performing the digest calculation on the trusted measurement result of the motherboard and the trusted measurement result of the external board to obtain the combined measurement result comprises: transmitting the trusted measurement result of a first external board from the first external board to the motherboard via the PCIe bus; obtaining an intermediate measurement result based on the trusted measurement result of the first external board and the trusted measurement result of the motherboard, which comprises calculating a first digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the first external board as a whole, and using the first digest, the trusted measurement results of the motherboard that are not involved in the digest calculation, and the trusted measurement results of the first external board that are not involved in the digest calculation together as the intermediate measurement result; transmitting the intermediate measurement result to a second external board via the PCIe bus; and obtaining the combined measurement result through the second external board based on the intermediate measurement result and the trusted measurement result of the second external board, which comprises calculating a second digest by taking one or more of the first digest in the intermediate measurement result, the trusted measurement results of the motherboard that did not participate in the digest calculation, and the trusted measurement results of the first external board that did not participate in the digest calculation, together with one or more trusted measurement results of the second external board, as a whole, and using the second digest, the items in the intermediate measurement result that did not participate in the digest calculation, and the trusted measurement results of the second external board that did not participate in the digest calculation together as the combined measurement result.

5. The method according to claim 1, wherein obtaining the trusted measurement result of the motherboard of the host comprises obtaining the trusted measurement result of the motherboard through a trusted computing module installed on the motherboard.

6. The method according to claim 1, wherein obtaining the trusted measurement result of the external board comprises reading the firmware code of the external board through a trusted computing module set on the motherboard, and obtaining the trusted measurement result of the external board based on the firmware code; and obtaining the combined measurement result based on the trusted measurement result of the motherboard and the trusted measurement result of the external board comprises obtaining the combined measurement result through the motherboard based on the trusted measurement result of the motherboard and the trusted measurement result of the external board.

7. The method according to claim 1, further comprising: saving the trusted measurement results and the combined measurement result in a log; sending the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result; and, when the trusted measurement of the host fails, determining the untrusted measurement object based on the log.

8. A host computer, comprising: a motherboard; an external expansion card connected to the motherboard; a trusted computing module on the motherboard, configured to obtain the trusted measurement results of the motherboard; a trusted computing module on the external card, configured to obtain the trusted measurement result of the external card; and a PCIe bus between the motherboard and the external card, configured to transmit trusted measurement results between the motherboard and the external card; wherein the trusted measurement results of the motherboard and the trusted measurement result of the external card are used to generate a combined measurement result, which is used to perform a trusted measurement on the host.

9. The host according to claim 8, wherein: the PCIe bus is configured to transmit the trusted measurement result of the external card from the external card to the motherboard; the trusted computing module on the motherboard is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external card as a whole, and to use the digest, the trusted measurement results of the motherboard not involved in the digest calculation, and the trusted measurement results of the external card not involved in the digest calculation together as the combined measurement result; the trusted computing module on the motherboard is configured to save the trusted measurement results and the combined measurement result in a log; and the trusted computing module on the motherboard is configured to send the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result.

10. The host according to claim 8, wherein: the PCIe bus is configured to transmit the trusted measurement results of the motherboard from the motherboard to the external card; the trusted computing module on the external card is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external card as a whole, and to use the digest, the trusted measurement results of the motherboard not involved in the digest calculation, and the trusted measurement results of the external card not involved in the digest calculation together as the combined measurement result; the trusted computing module on the external card is configured to save the trusted measurement results and the combined measurement result in a log; and the trusted computing module on the external card is configured to send the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result.

11. The host according to claim 8, wherein: the PCIe bus is configured to transmit the trusted measurement result of a first external card from the first external card to the motherboard; the trusted computing module on the motherboard is configured to calculate a first digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the first external card as a whole, and to use the first digest, the trusted measurement results of the motherboard not involved in the digest calculation, and the trusted measurement results of the first external card not involved in the digest calculation together as an intermediate measurement result; the PCIe bus is configured to transmit the intermediate measurement result to a second external card; the trusted computing module on the second external card is configured to calculate a second digest by taking, from the intermediate measurement result, one or more of the first digest, the trusted measurement results of the motherboard not involved in the digest calculation, and the trusted measurement results of the first external card not involved in the digest calculation, together with one or more trusted measurement results of the second external card, as a whole, and to use the second digest, the items of the intermediate measurement result not involved in the digest calculation, and the trusted measurement results of the second external card not involved in the digest calculation together as the combined measurement result; the trusted computing module on the second external card is configured to save the intermediate measurement result, the trusted measurement result of the second external card, and the combined measurement result in a log; and the trusted computing module on the second external card is configured to send the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result.

12. A host computer, comprising: a motherboard; an external expansion card connected to the motherboard; a trusted computing module on the external card, configured to obtain the trusted measurement result of the external card; a trusted computing module on the motherboard, configured to obtain the trusted measurement results of the motherboard; and an SPI bus between the motherboard and the external card, over which the trusted computing module on the motherboard reads the firmware code of the external card and obtains the trusted measurement result of the external card based on that firmware code; wherein the trusted measurement results of the motherboard and the trusted measurement result of the external card are used to generate a combined measurement result, which is used to perform a trusted measurement on the host.

13. The host computer according to claim 12, wherein the trusted computing module on the motherboard is configured to compute a digest by taking one or more trusted measurement results of the motherboard and one or more trusted measurement results of the external card as a whole, to use the digest, the trusted measurement results of the motherboard not involved in the digest calculation, and the trusted measurement results of the external card not involved in the digest calculation together as the combined measurement result, and to save the trusted measurement results and the combined measurement result in a log; and wherein the trusted computing module on the motherboard is configured to send the combined measurement result to a designated server, wherein the designated server performs a trusted measurement on the host based on the combined measurement result.
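As an added worked example, not code from the patent or from the assignee, the following Python models the two-card chain of claims 4 and 11 (motherboard builds an intermediate result from its own measurements plus the first card's, the second card builds the combined result from that), the logging of claims 7, 9, 11 and 13, and the server-side check of claim 7 with log-based localization of the untrusted object. The object names, the constructed firmware images, the rule for which items enter each digest, the use of SHA-256, and the assumption that the designated server holds golden reference measurements are all choices made for this example; the claims fix none of them.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# A measurement is (object name, SHA-256 of that object's firmware/code).
Measurement = Tuple[str, bytes]


def measure(name: str, code: bytes) -> Measurement:
    """What a trusted computing module does for one object: hash its code."""
    return (name, hashlib.sha256(code).digest())


def digest_as_whole(items: List[Measurement]) -> bytes:
    """Digest several measurements 'as a whole'. Names and values are
    length-prefixed so the concatenation is unambiguous; order is bound."""
    h = hashlib.sha256()
    for name, value in items:
        h.update(len(name).to_bytes(2, "big") + name.encode())
        h.update(len(value).to_bytes(2, "big") + value)
    return h.digest()


def combine(prior: List[Measurement], card: List[Measurement],
            digested: Set[str], label: str) -> List[Measurement]:
    """One combining step (claim 4): the chosen items of `prior` and `card`
    go into a single digest; the remaining items are carried through
    unchanged next to it."""
    pool = prior + card
    chosen = [m for m in pool if m[0] in digested]
    rest = [m for m in pool if m[0] not in digested]
    return [(label, digest_as_whole(chosen))] + rest


def measure_host(mb_code: Dict[str, bytes], card1_code: bytes,
                 card2_code: bytes, log: List[Measurement]) -> List[Measurement]:
    """Host side of claims 4/11: motherboard -> intermediate result,
    second card -> combined result. Each stage is appended to the log."""
    mb = [measure("mb." + k, v) for k, v in sorted(mb_code.items())]
    c1 = [measure("card1.fw", card1_code)]
    c2 = [measure("card2.fw", card2_code)]
    log.extend(mb + c1 + c2)                      # raw results (claim 7)
    intermediate = combine(mb, c1, {"mb.bios", "card1.fw"}, "digest1")
    combined = combine(intermediate, c2, {"digest1", "card2.fw"}, "digest2")
    log.extend(intermediate + combined)           # both stages (claim 11)
    return combined


def server_verify(combined: List[Measurement],
                  reference: Dict[str, bytes]) -> bool:
    """Designated server: rebuild the expected combined result from golden
    reference measurements with the same chain and compare (assumption:
    the server knows the reference values and the digest rule)."""
    mb = [(n, v) for n, v in sorted(reference.items()) if n.startswith("mb.")]
    c1 = [("card1.fw", reference["card1.fw"])]
    c2 = [("card2.fw", reference["card2.fw"])]
    expected = combine(combine(mb, c1, {"mb.bios", "card1.fw"}, "digest1"),
                       c2, {"digest1", "card2.fw"}, "digest2")
    return combined == expected


def find_untrusted(log: List[Measurement],
                   reference: Dict[str, bytes]) -> List[str]:
    """Claim 7: when the host fails verification, walk the logged raw
    measurements and name the objects whose value differs from reference."""
    return [n for n, v in log if n in reference and reference[n] != v]


# Constructed sample firmware images for the example (not real firmware).
GOLDEN = {"mb.bios": b"bios v1.2", "mb.bmc": b"bmc v3",
          "card1.fw": b"nic fw 7", "card2.fw": b"gpu fw 9"}
REFERENCE = {n: hashlib.sha256(c).digest() for n, c in GOLDEN.items()}


def run_demo(card1_code: bytes = GOLDEN["card1.fw"]):
    """Measure a host with the given first-card firmware, verify at the
    server, and on failure localize the bad object from the log."""
    log: List[Measurement] = []
    combined = measure_host({"bios": GOLDEN["mb.bios"], "bmc": GOLDEN["mb.bmc"]},
                            card1_code, GOLDEN["card2.fw"], log)
    ok = server_verify(combined, REFERENCE)
    return ok, ([] if ok else find_untrusted(log, REFERENCE)), combined


if __name__ == "__main__":
    print("genuine card1:", run_demo()[:2])
    print("modified card1:", run_demo(b"nic fw 7 modified")[:2])
```

With the genuine images the combined result is just two items, the second digest and the motherboard measurement that never entered a digest, which is why the chain keeps the data sent to the server small; a change in the first card's firmware propagates through both digests, the server comparison fails, and the log still holds the raw per-object results needed to name the card.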