Lpc bus security access method, system, terminal and storage medium

CN115221549BActive Publication Date: 2026-07-07INSPUR SUZHOU INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
INSPUR SUZHOU INTELLIGENT TECH CO LTD
Filing Date
2022-05-20
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

In existing technologies, the operating system running on the CPU can control the BMC through LPC-based IPMI without obtaining any additional permissions, which poses a security risk.

Method used

By setting an LPC bus access key pair, including a public key and a private key, in the BIOS, the BIOS receives the operating system's encryption request, decrypts it using the private key, and initializes the LPC bus according to the request, ensuring identity recognition and access control.

Benefits of technology

It improves server security, prevents malicious requests from tampering with the BMC, and enhances identity recognition and control over LPC bus access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115221549B_ABST
    Figure CN115221549B_ABST
Patent Text Reader

Abstract

The application relates to the technical field of servers, and specifically provides an LPC bus safe access method, system, terminal and storage medium, which comprises the following steps: setting a BIOS to not initialize an LPC bus in a default state; setting an LPC bus access key pair in the BIOS, wherein the key pair comprises a public key and a private key; the BIOS receiving an encryption request sent by a server operating system, wherein the encryption request is encrypted by using the public key, the encryption request is decrypted by using the private key to obtain an LPC bus opening request; the BIOS initializing the LPC bus according to the LPC bus opening request, and writing an initialized LPC address into a specified address, so that the server operating system synchronously reads the LPC address and accesses the LPC bus based on the LPC address. The application changes the LPC initialization process, adds a step of identifying a CPU request in the LPC initialization process, thereby avoiding other malicious requests from logging in and tampering with the BMC, and improving the security performance of the server.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of server technology, and specifically to an LPC bus secure access method, system, terminal, and storage medium. Background Technology

[0002] In addition to the CPU, the server runs a system called BMC, which is independent of the CPU. The BMC is used to monitor the server's motherboard and provides external interfaces, which mainly include IPMI and other forms.

[0003] IPMI can provide services externally via network, LPC, and I2C. Currently, LPC is the most common method for communication between the BMC and the CPU. The LPC bus (Low Pin Count Bus) is used in IBM PC compatibles to connect low-bandwidth devices and "legacy" devices to the CPU. Common low-speed devices include: BIOS, serial ports, parallel ports, PS / 2 keyboards and mice, floppy disk controllers, and newer devices such as the Trusted Platform Module. The LPC bus is typically physically connected to the Southbridge on the motherboard. On the IBM PC AT platform, the Southbridge usually connects a series of "legacy" devices, such as two programmable interrupt controllers, programmable timers, and two ISA DMA controllers.

[0004] In existing LPC-based communication schemes, the operating system running on the CPU can control the BMC through LPC-based IPMI without obtaining any additional permissions, which poses a security risk. Summary of the Invention

[0005] To address the security risks posed by existing technologies where the operating system running on the CPU can control the BMC via LPC-based IPMI without obtaining any additional permissions, this invention provides an LPC bus secure access method, system, terminal, and storage medium to solve the aforementioned technical problems.

[0006] In a first aspect, the present invention provides a secure access method for an LPC bus, comprising:

[0007] Configure the BIOS to not initialize the LPC bus by default;

[0008] Configure an LPC bus access key pair in the BIOS, the key pair including a public key and a private key;

[0009] The BIOS receives an encryption request sent by the server operating system. The encryption request is encrypted using the public key, and the encryption request is decrypted using the private key to obtain an LPC bus enable request.

[0010] The BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to a specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address.

[0011] Furthermore, configure the LPC bus access key pair within the BIOS, including:

[0012] The BIOS sets up a project-specific digital certificate for each project, and the digital certificate includes a key pair consisting of a public key and a private key.

[0013] The BIOS sends the public key of the built-in digital certificate for the LPC initialization project to the operating system.

[0014] Furthermore, the BIOS receives an encryption request sent by the server operating system. This encryption request is encrypted using the public key, and decrypted using the private key to obtain an LPC bus enable request, including:

[0015] The BIOS pre-stores the encryption / decryption algorithms and key pairs corresponding to each item in the request parsing list;

[0016] After receiving an encryption request from the operating system, the BIOS searches the request parsing list for the corresponding encryption / decryption algorithm and private key to decrypt the encryption request.

[0017] Furthermore, the method also includes:

[0018] The BIOS synchronously sends the project public key and project code to the operating system, so that the operating system can use the project code to mark the encrypted request generated based on the project public key;

[0019] The BIOS extracts the item code from the encryption request and looks up the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm, and private key in a mapping manner.

[0020] Furthermore, the BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to a specified address, so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address, including:

[0021] The BIOS invokes the function item to initialize the LPC bus based on the LPC bus enable request, and performs the initialization of the LPC bus.

[0022] The BIOS reads the LPC address after the LPC bus initialization is complete;

[0023] The BIOS refreshes the LPC address to the registers of the advanced configuration and power management interface.

[0024] Furthermore, after the BIOS refreshes the LPC address to the registers of the advanced configuration and power management interface, the method further includes:

[0025] The operating system creates a monitoring thread to monitor whether the register has been updated.

[0026] If the monitoring thread detects that the register has been updated, it reads the updated LPC address from the register.

[0027] The operating system reinitializes the BMC interface layer driver based on the LPC address to obtain permission to access the LPC.

[0028] In a second aspect, the present invention provides an LPC bus secure access system, comprising:

[0029] The default settings unit is used to configure the BIOS to not initialize the LPC bus by default.

[0030] An encryption setting unit is used to set an LPC bus access key pair within the BIOS, the key pair including a public key and a private key;

[0031] The request parsing unit is used for the BIOS to receive an encryption request sent by the server operating system. The encryption request is encrypted using the public key, and the encryption request is decrypted using the private key to obtain an LPC bus enable request.

[0032] The request execution unit is used by the BIOS to initialize the LPC bus according to the LPC bus enable request, and write the initialized LPC address to a specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address.

[0033] Furthermore, the encryption setting unit includes:

[0034] The key generation module is used by the BIOS to set up project-specific digital certificates for different projects. The digital certificate includes a key pair consisting of a public key and a private key.

[0035] The public key distribution module is used by the BIOS to send the public key of the built-in digital certificate of the LPC initialization project to the operating system.

[0036] Furthermore, the request parsing unit includes:

[0037] The information storage module is used by the BIOS to pre-store the encryption and decryption algorithms and key pairs corresponding to each item in the request parsing list;

[0038] The information lookup module is used by the BIOS to look up the corresponding encryption / decryption algorithm and private key from the request parsing list after receiving an encryption request from the operating system, and then decrypt the encryption request.

[0039] Furthermore, the system also includes:

[0040] The request tagging module is used by the BIOS to synchronously send the project public key and project code to the operating system, so that the operating system can use the project code to tag encrypted requests generated based on the project public key;

[0041] The tag parsing module is used by the BIOS to extract the item code from the encryption request and look up the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm and private key in a mapping manner.

[0042] Furthermore, the request execution unit includes:

[0043] The function execution module is used by the BIOS to call the function item for initializing the LPC bus based on the LPC bus enable request, and to perform the initialization of the LPC bus;

[0044] The address reading module is used by the BIOS to read the LPC address after the LPC bus initialization is complete.

[0045] The address refresh module is used by the BIOS to refresh the LPC address to the registers of the advanced configuration and power management interface.

[0046] Furthermore, the request execution unit also includes:

[0047] The thread creation module is used by the operating system to create a monitoring thread, which monitors whether the register has been updated.

[0048] The address acquisition module is used to read the updated LPC address from the register if the monitoring thread detects that the register has been updated.

[0049] The permission acquisition module is used by the operating system to reinitialize the BMC interface layer driver based on the LPC address in order to obtain permission to access the LPC.

[0050] Thirdly, a terminal is provided, including:

[0051] Processor, memory, among which,

[0052] This memory is used to store computer programs.

[0053] The processor is used to retrieve and run the computer program from memory, causing the terminal to perform the terminal method described above.

[0054] Fourthly, a computer storage medium is provided, wherein instructions are stored therein, which, when executed on a computer, cause the computer to perform the methods described in the above aspects.

[0055] The beneficial effects of this invention are that the LPC bus secure access method, system, terminal, and storage medium provided by this invention, by configuring the BIOS to not initialize the LPC bus by default, and then sending a public-key encrypted request to the BIOS when the operating system needs to enable LPC, the BIOS decrypts the request using a matching private key, identifies the request, and performs LPC bus initialization accordingly. This invention, by modifying the LPC initialization process by adding a step to identify CPU requests, prevents other malicious requests from logging into and tampering with the BMC, thereby improving server security.

[0056] Furthermore, the design principle of this invention is reliable, the structure is simple, and it has a very wide range of application prospects. Attached Figure Description

[0057] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0058] Figure 1 This is a schematic flowchart of a method according to an embodiment of the present invention.

[0059] Figure 2 This is another illustrative flowchart of a method according to an embodiment of the present invention.

[0060] Figure 3 This is a schematic block diagram of a system according to an embodiment of the present invention.

[0061] Figure 4 This is a schematic diagram of the structure of a terminal provided in an embodiment of the present invention. Detailed Implementation

[0062] To enable those skilled in the art to better understand the technical solutions of this invention, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this invention, and not all embodiments. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this invention.

[0063] The key terms used in this invention will be explained below.

[0064] BMC, short for Baseboard Management Controller, is a remote server management controller. It allows for operations such as firmware upgrades and device monitoring even when the machine is not powered on. Fully implementing IPMI functionality in a BMC requires a powerful 16-bit or 32-bit microcontroller, RAM for data storage, flash memory for non-volatile data storage, and firmware. It provides basic remote manageability for secure remote reboots, secure power-on, LAN alerts, and system health monitoring. In addition to basic IPMI and system monitoring functions, the mBMC can also enable fast BIOS component selection and protection by utilizing one of the two flash memories to store the previous BIOS. For example, if the system fails to boot after a remote BIOS upgrade, remote administrators can switch back to the previous BIOS image to boot the system. Once the BIOS is upgraded, the BIOS image can also be locked to effectively prevent virus attacks.

[0065] BIOS is an abbreviation for "Basic Input Output System." On IBM PC-compatible systems, it's an industry-standard firmware interface. It's a set of programs embedded in a ROM chip on the computer's motherboard. It stores the computer's most important basic input / output programs, power-on self-test (POST) programs, and system startup programs. It can read and write specific system settings from the CM (System Configuration File) operating system. Its main function is to provide the lowest-level, most direct hardware settings and control for the computer. In addition, the BIOS provides some system parameters to the operating system. Changes to system hardware are hidden by the BIOS; programs use BIOS functions rather than directly controlling the hardware. Modern operating systems often bypass the abstraction layer provided by the BIOS and directly control hardware components.

[0066] The CPU (Central Processing Unit) is the core of a computer system for computation and control, and is the final execution unit for information processing and program execution.

[0067] ACPI stands for Advanced Configuration and Power Management Interface. For Windows 2000, ACPI defines a new working interface between Windows 2000, the BIOS, and system hardware. These new interfaces include mechanisms that allow Windows 2000 to control power management and device configuration. The Advanced Configuration and Power Interface (ACPI) was jointly developed by Intel, Microsoft, and Toshiba in 1997 to provide operating system applications with all power management interfaces. Currently, ACPI's power management features have expanded from being applicable only to portable computers (such as laptops) to desktop computers, workstations, and servers. For example, the system may enter a very low-power consumption state. These are the "sleep" and "hibernate" settings available on most desktop computers. Sleep and hibernation states can be woken up by moving the mouse, pressing a keyboard key, receiving a message from another computer (if connected to a local area network), or a major system error. If ACPI is implemented in the BIOS and other system hardware, it can be invoked (triggered) by the operating system. ACPI enables functions including: system power management, device power management, processor power management, device and processor performance management, configuration / plug and play, system events, battery management, thermal management, embedded controllers, and SMBus controllers. Windows 98 was the first Microsoft operating system to support ACPI. FreeBSD v5.0 was the first UNIX operating system to support ACPI. Linux, NetBSD, and OpenBSD all have at least some degree of ACPI support.

[0068] Figure 1 This is a schematic flowchart illustrating a method according to an embodiment of the present invention. Wherein, Figure 1 The executing entity can be an LPC bus secure access system.

[0069] like Figure 1 As shown, the method includes:

[0070] Step 110: Configure the BIOS to not initialize the LPC bus by default.

[0071] Step 120: Configure an LPC bus access key pair in the BIOS, the key pair including a public key and a private key;

[0072] Step 130: The BIOS receives an encryption request sent by the server operating system. The encryption request is encrypted using the public key and decrypted using the private key to obtain the LPC bus enable request.

[0073] Step 140: The BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to a specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address.

[0074] Specifically, the method includes: a) the BIOS does not initialize the LPC bus by default; b) when the server operating system needs to enable LPC, it first encrypts the control command using the BIOS's public key and passes it to the BIOS; c) the BIOS decrypts the command, enables the LPC bus after successful decryption, and refreshes the ACPI; d) the server operating system monitors the ACPI, and reinitializes the IPMI_SI driver after changes. This method sets the BIOS to not initialize the LPC bus by default, and then sends a public-key encrypted request to the BIOS when the operating system needs to enable LPC. The BIOS decrypts the request using the matching private key, identifies the request, and performs LPC bus initialization accordingly. This invention modifies the LPC initialization process by adding a step to identify CPU requests, thereby preventing malicious requests from logging into and tampering with the BMC, and improving server security.

[0075] To facilitate understanding of the present invention, the LPC bus secure access method provided by the present invention will be further described below, based on the principle of the LPC bus secure access method of the present invention and in conjunction with the process of secure access to the LPC bus in the embodiments.

[0076] In existing solutions, the BIOS initializes the LPC bus during boot and passes it to the operating system via ACPI. The operating system reads the LPC address from ACPI and then begins initializing the BIOS interface layer driver. After initialization, the operating system can access the BMC normally through LPC. Clearly, in existing technology, the operating system can control the BMC via LPC-based IPMI without obtaining any additional privileges.

[0077] In existing solutions, the OS running on the CPU can control the BMC via LPC-based IPMI without obtaining any additional privileges, posing a security risk. To address this issue, this application provides a secure LPC bus access method; for details, please refer to [link to relevant documentation]. Figure 2 The method includes:

[0078] S1. Configure the BIOS to not initialize the LPC bus by default.

[0079] Update the BIOS initial configuration to disable the LPC bus initialization function by default. Restart the server for the configuration to take effect; the modified BIOS will no longer initialize the LPC bus during boot.

[0080] S2. Configure an LPC bus access key pair in the BIOS. The key pair includes a public key and a private key.

[0081] The BIOS sets up a project-specific digital certificate for each project, and the digital certificate includes a key pair consisting of a public key and a private key; the BIOS sends the public key of the built-in digital certificate of the LPC initialization project to the operating system.

[0082] Specifically, to enhance BIOS security, dedicated built-in digital certificates can be set for important functions. These certificates consist of a public and a private key pair. The BIOS sends the public key to the target interface that needs to invoke the function. For example, the BIOS sends the public key from the built-in digital certificate of the LPC bus initialization function to the operating system, which saves the received public key in the LPC initialization request storage module. Furthermore, if multiple functions need to send keys to the operating system, the public keys must be differentiated. In this case, each function uses a different key pair to avoid the leakage of all function key pairs due to the leakage of one key pair. To distinguish between functions, a project code is generated for each function; for example, code 001 represents the LPC bus initialization function. The project code is then bound to the public key and sent to the operating system.

[0083] The security of the private key is ensured by generating a built-in digital certificate for the feature item and storing the public and private keys in the digital certificate.

[0084] S3. The BIOS receives an encryption request sent by the server operating system. The encryption request is encrypted using the public key, and the encryption request is decrypted using the private key to obtain an LPC bus enable request.

[0085] The BIOS pre-stores the encryption / decryption algorithms and key pairs corresponding to each item in a request parsing list. Upon receiving an encryption request from the operating system, the BIOS retrieves the corresponding encryption / decryption algorithm and private key from the request parsing list to decrypt the request. Specifically, the BIOS synchronously sends the item public key and item code to the operating system, allowing the operating system to use the item code to mark encryption requests generated based on the item public key. The BIOS extracts the item code from the encryption request and retrieves the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm, and private key in a mapping manner.

[0086] After the BIOS binds the project code with the public key and sends it to the operating system, the operating system encrypts the LPC initialization request using the public key and RSA encryption algorithm when sending the LPC initialization request, resulting in an encrypted request. The project code is written into the header of the encrypted request. Upon receiving the encrypted request from the operating system, the BIOS extracts the project code from the request header and confirms that it is a request for the LPC bus initialization function item. It then reads the private key from the built-in digital certificate of the LPC bus initialization function item and uses the private key to decrypt the encrypted request, thus obtaining the LPC initialization request.

[0087] S4. The BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to the specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address.

[0088] The BIOS invokes the function item to initialize the LPC bus based on the LPC bus enable request, and performs LPC bus initialization. After the LPC bus initialization is complete, the BIOS reads the LPC address. The BIOS then refreshes the LPC address to the registers of the Advanced Configuration and Power Management interface. The operating system creates a monitoring thread to monitor whether there are any data updates in the registers. If the monitoring thread detects that there are data updates in the registers, it reads the updated LPC address from the registers. The operating system reinitializes the BMC interface layer driver based on the LPC address to obtain access to the LPC.

[0089] After sending an encryption request to the BIOS, the operating system creates a monitoring thread to monitor the data updates of the registers in the advanced configuration and power management interfaces in real time, so as to obtain the LPC address in a timely manner. The operating system can then reinitialize the IPMI_SI driver based on the LPC address. After initialization, the operating system can communicate normally with the BMC via the LPC bus.

[0090] Compared to existing LPC bus initialization methods, this application ensures the identification of objects logging into the BMC, preventing malicious requests to log into the BMC via the LPC bus or even tampering with the BMC.

[0091] like Figure 3 As shown, the system 300 includes:

[0092] The default setting unit 310 is used to configure the BIOS not to initialize the LPC bus by default.

[0093] The encryption setting unit 320 is used to set an LPC bus access key pair in the BIOS, the key pair including a public key and a private key;

[0094] The request parsing unit 330 is used for the BIOS to receive an encryption request sent by the server operating system. The encryption request is encrypted using the public key and decrypted using the private key to obtain an LPC bus enable request.

[0095] The request execution unit 340 is used by the BIOS to initialize the LPC bus according to the LPC bus enable request, and write the LPC address after initialization to a specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address.

[0096] Optionally, as an embodiment of the present invention, the encryption setting unit includes:

[0097] The key generation module is used by the BIOS to set up project-specific digital certificates for different projects. The digital certificate includes a key pair consisting of a public key and a private key.

[0098] The public key distribution module is used by the BIOS to send the public key of the built-in digital certificate of the LPC initialization project to the operating system.

[0099] Optionally, as an embodiment of the present invention, the request parsing unit includes:

[0100] The information storage module is used by the BIOS to pre-store the encryption and decryption algorithms and key pairs corresponding to each item in the request parsing list;

[0101] The information lookup module is used by the BIOS to look up the corresponding encryption / decryption algorithm and private key from the request parsing list after receiving an encryption request from the operating system, and then decrypt the encryption request.

[0102] Optionally, as an embodiment of the present invention, the system further includes:

[0103] The request tagging module is used by the BIOS to synchronously send the project public key and project code to the operating system, so that the operating system can use the project code to tag encrypted requests generated based on the project public key;

[0104] The tag parsing module is used by the BIOS to extract the item code from the encryption request and look up the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm and private key in a mapping manner.

[0105] Optionally, as an embodiment of the present invention, the request execution unit includes:

[0106] The function execution module is used by the BIOS to call the function item for initializing the LPC bus based on the LPC bus enable request, and to perform the initialization of the LPC bus;

[0107] The address reading module is used by the BIOS to read the LPC address after the LPC bus initialization is complete.

[0108] The address refresh module is used by the BIOS to refresh the LPC address to the registers of the advanced configuration and power management interface.

[0109] Optionally, as an embodiment of the present invention, the request execution unit further includes:

[0110] The thread creation module is used by the operating system to create a monitoring thread, which monitors whether the register has been updated.

[0111] The address acquisition module is used to read the updated LPC address from the register if the monitoring thread detects that the register has been updated.

[0112] The permission acquisition module is used by the operating system to reinitialize the BMC interface layer driver based on the LPC address in order to obtain permission to access the LPC.

[0113] Figure 4 This is a schematic diagram of the structure of a terminal 400 provided in an embodiment of the present invention. The terminal 400 can be used to execute the LPC bus secure access method provided in the embodiment of the present invention.

[0114] The terminal 400 may include a processor 410, a memory 420, and a communication unit 430. These components communicate via one or more buses. Those skilled in the art will understand that the server structure shown in the figure does not constitute a limitation of the present invention. It may be a bus topology or a star topology, and may include more or fewer components than shown, or combine certain components, or have different component arrangements.

[0115] The memory 420 can be used to store the execution instructions of the processor 410. The memory 420 can be implemented by any type of volatile or non-volatile memory terminal or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. When the execution instructions in the memory 420 are executed by the processor 410, the terminal 400 is able to perform some or all of the steps in the above method embodiments.

[0116] The processor 410 serves as the control center of the storage terminal, connecting various parts of the electronic terminal via various interfaces and lines. It executes software programs and / or modules stored in the memory 420, and calls data stored in the memory to perform various functions of the electronic terminal and / or process data. The processor can be composed of integrated circuits (ICs), such as a single packaged IC or multiple packaged ICs with the same or different functions connected together. For example, the processor 410 may consist only of a central processing unit (CPU). In this embodiment of the invention, the CPU may have a single processing core or include multiple processing cores.

[0117] The communication unit 430 is used to establish a communication channel, enabling the storage terminal to communicate with other terminals. It can receive user data sent by other terminals or send user data to other terminals.

[0118] The present invention also provides a computer storage medium, wherein the computer storage medium may store a program, which, when executed, may include some or all of the steps provided in the embodiments of the present invention. The storage medium may be a magnetic disk, an optical disk, read-only memory (ROM), or random access memory (RAM), etc.

[0119] Therefore, this invention configures the BIOS to not initialize the LPC bus by default. Then, when the operating system needs to enable LPC, it sends a public-key encrypted request to the BIOS. The BIOS decrypts the request using a matching private key, identifies the request, and performs LPC bus initialization accordingly. This invention modifies the LPC initialization process by adding a step to identify CPU requests, thereby preventing malicious requests from logging into and tampering with the BMC, thus improving server security. The technical effects achieved by this embodiment are described above and will not be repeated here.

[0120] Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented using software plus necessary general-purpose hardware platforms. Based on this understanding, the technical solutions in the embodiments of the present invention, or the parts that contribute to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium such as a USB flash drive, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, or any other medium capable of storing program code. It includes several instructions to cause a computer terminal (which may be a personal computer, a server, or a second terminal, a network terminal, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention.

[0121] The same or similar parts between the various embodiments in this specification can be referred to mutually. In particular, the terminal embodiments are basically similar to the method embodiments, so the description is relatively simple, and the relevant parts can be referred to the description in the method embodiments.

[0122] In the embodiments provided by this invention, it should be understood that the disclosed systems and methods can be implemented in other ways. For example, the system embodiments described above are merely illustrative. For instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between systems or units may be electrical, mechanical, or other forms.

[0123] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0124] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0125] Although the present invention has been described in detail with reference to the accompanying drawings and preferred embodiments, the invention is not limited thereto. Various equivalent modifications or substitutions can be made to the embodiments of the invention by those skilled in the art without departing from the spirit and essence of the invention, and such modifications or substitutions should all be within the scope of the invention. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the invention should also be covered within the protection scope of the invention. Therefore, the protection scope of the invention should be determined by the scope of the claims.

Claims

1. A secure access method for an LPC bus, characterized in that, include: Configure the BIOS to not initialize the LPC bus by default; Configure an LPC bus access key pair in the BIOS, the key pair including a public key and a private key; The BIOS receives an encryption request sent by the server operating system. The encryption request is encrypted using the public key, and the encryption request is decrypted using the private key to obtain an LPC bus enable request. The BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to the specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address. Configure LPC bus access key pairs in the BIOS, including: The BIOS sets up a project-specific digital certificate for each project, and the digital certificate includes a key pair consisting of a public key and a private key. The BIOS sends the public key of the built-in digital certificate for the LPC initialization project to the operating system; The BIOS receives an encryption request sent by the server operating system. This encryption request is encrypted using the public key, and decrypted using the private key to obtain an LPC bus enable request, including: The BIOS pre-stores the encryption / decryption algorithms and key pairs corresponding to each item in the request parsing list; After receiving an encryption request from the operating system, the BIOS searches the request parsing list for the corresponding encryption / decryption algorithm and private key to decrypt the encryption request. Configure the BIOS to not initialize the LPC bus by default, including: configure the BIOS to not enable the LPC bus initialization function by default; The method further includes: The BIOS generates item codes for each LPC bus initialization function item; The BIOS synchronously sends the project public key and project code to the operating system, so that the operating system can use the project code to mark the encrypted request generated based on the project public key; The BIOS extracts the item code from the encryption request and looks up the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm, and private key in a mapping manner.

2. The method according to claim 1, characterized in that, The BIOS initializes the LPC bus according to the LPC bus enable request and writes the initialized LPC address to a specified address, so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address, including: The BIOS invokes the function item to initialize the LPC bus based on the LPC bus enable request, and performs the initialization of the LPC bus. The BIOS reads the LPC address after the LPC bus initialization is complete; The BIOS refreshes the LPC address to the registers of the advanced configuration and power management interface.

3. The method according to claim 2, characterized in that, After the BIOS refreshes the LPC address to the registers of the advanced configuration and power management interface, the method further includes: The operating system creates a monitoring thread to monitor whether the register has been updated. If the monitoring thread detects that the register has been updated, it reads the updated LPC address from the register. The operating system reinitializes the BMC interface layer driver based on the LPC address to obtain permission to access the LPC.

4. An LPC bus secure access system, characterized in that, include: The default settings unit is used to configure the BIOS to not initialize the LPC bus by default. An encryption setting unit is used to set an LPC bus access key pair within the BIOS, the key pair including a public key and a private key; The request parsing unit is used for the BIOS to receive an encryption request sent by the server operating system. The encryption request is encrypted using the public key, and the encryption request is decrypted using the private key to obtain an LPC bus enable request. The request execution unit is used by the BIOS to initialize the LPC bus according to the LPC bus enable request, and write the LPC address after initialization to a specified address so that the server operating system can synchronously read the LPC address and access the LPC bus based on the LPC address. The encryption setting unit includes: The key generation module is used by the BIOS to set up project-specific digital certificates for different projects. The digital certificate includes a key pair consisting of a public key and a private key. The public key distribution module is used by the BIOS to send the public key of the built-in digital certificate of the LPC initialization project to the operating system; Specifically, the BIOS receives an encryption request sent by the server operating system. This encryption request is encrypted using the public key, and then decrypted using the private key to obtain an LPC bus enable request, including: The BIOS pre-stores the encryption / decryption algorithms and key pairs corresponding to each item in the request parsing list; After receiving an encryption request from the operating system, the BIOS searches the request parsing list for the corresponding encryption / decryption algorithm and private key to decrypt the encryption request. The system is also configured to perform: The BIOS generates item codes for each LPC bus initialization function item; The BIOS synchronously sends the project public key and project code to the operating system, so that the operating system can use the project code to mark the encrypted request generated based on the project public key; The BIOS extracts the item code from the encryption request and looks up the corresponding encryption / decryption algorithm and private key from the request parsing list based on the item code. The request parsing list stores the item code, encryption / decryption algorithm, and private key in a mapping manner.

5. A terminal, characterized in that, include: processor; Memory used to store the processor's execution instructions; The processor is configured to perform the method according to any one of claims 1-3.

6. A computer-readable storage medium storing a computer program, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 1-3.