Firmware-Level Hard Disk Security Protection Mechanism Based on UEFI (基于UEFI的固件级硬盘安全保护机制)
  • English title: Firmware-Level Hard Disk Security Protection Mechanism Based on UEFI
  • Authors: SUN Liang (孙亮); CHEN Xiaochun (陈小春)
  • Keywords: unified extensible firmware interface (UEFI); firmware security; hard disk security protection mechanism; data encryption
  • Chinese journal title: WHDY
  • English journal title: Journal of Wuhan University (Natural Science Edition)
  • Institution: ZD Technology (Beijing) Co., Ltd. (中电科技(北京)有限公司)
  • Publication date: 2019-03-11 14:40
  • Publisher: Journal of Wuhan University (Natural Science Edition) (武汉大学学报(理学版))
  • Year: 2019
  • Issue: v.65; No.294
  • Language: Chinese
  • Page: WHDY201902013
  • Page count: 6
  • CN: 02
  • ISSN: 42-1674/N
  • Classification number: 116-121
Abstract
To improve the security and reliability of hard disks, this paper proposes a firmware-level hard disk security protection mechanism based on the unified extensible firmware interface (UEFI). With this mechanism, the hard disk manufacturer can pre-install a firmware-level secure operating environment and hard disk security protection function modules in the protected space of the hard disk, implementing security functions such as identity authentication, full-disk encryption, and hard disk firmware measurement. Based on this mechanism, a prototype system was designed and implemented, and then used for an invocation experiment with the chip cryptographic algorithm interface and an efficiency test of hard disk reading and writing. The experimental results show that pre-installing the firmware-level security module in the hard disk protection area makes it possible to authenticate the user's identity before the operating system starts and to encrypt and decrypt the entire hard disk, improving the security of the hard disk without affecting the algorithm performance of the encrypted hard disk.