采用数字签名技术的可信启动方法研究

为保障嵌入式设备系统启动时的可信性,分析了现有可信启动技术对硬件模块严重依赖的现状,结合可信度量和可信链理论,提出了一套基于嵌入式Linux的可信启动方法。该方法以固件IROM作为信任根,利用数字签名和完整性验证技术检查启动实体的完整性和真实性,建立了一条从设备开机到内核启动的信任链。实验结果表明:该方法能有效地验证启动实体的完整性和真实性;与采用硬件模块保护启动实体预期度量值的方法比较,该方法无需增加任何硬件开销便可有效地保护预期度量值;同时保证实体更新时的可信检测。

Research on the Trusted-Boot Technology Using Digital Signature Technique

Device booting is a critical step and the foundation of trust for embedded systems. Through analyzing related work we find that most current trusted boot technologies rely heavily on the hardware modules such as trusted platform module (TPM). A new trusted boot method is proposed in this paper for embedded Linux system, which is based on the trusted measurement policy and trust chain mechanism. Firstly, this approach takes the firmware IROM as root of trust, which is used to check the integrity and authenticity of the next booting step like BootLoader. Then the BootLoader do the same to the Kernel. So the chain of trust is established from the top of booting to the Kernel. Using the technology of digital signature and Hash algorithm, we implemented the integrity and authenticity checking for each booting entity. The results show that this method can verify the integrity and authenticity of booting entity, and protect the expected metric easily and effectively without other hardware modules. Besides, it ensures the integrity and authenticity of booting entity when they are updated.