Computer System and Method for Performing Integrity Detection on the Same

US 20090300415A1
Filed: 03/15/2006
Published: 12/03/2009
Est. Priority Date: 10/19/2005
Status: Active Grant

First Claim

Patent Images

1. A computer system capable of performing an integrity detection, comprising an EFI storage unit, which is characterized in it further comprises:

a running mode unit including an integrity detection initiating control parameter, wherein in the PEI stage, after the basic initialization of the CPU, chipsets, and main board is finished, it is determined that whether or not to initialize an integrity detection initiating mode by judging the running mode unit;

said EFI storage unit comprises;

an EFI integrity detection unit, for performing the integrity detection on the EFI image codes in the integrity detection initiating mode;

said EFI integrity detection unit comprises an integrity metric value, for after the EFI integrity detection unit performs the integrity detection on the EFI image codes to generate an EFI integrity calculated value, comparing the metric value and the calculated value to determine the integrity of the EFI image codes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention proposes a computer system and a method capable of performing integrity detection, comprising: a running mode unit which comprises an integrity detection boot variable to determine whether or not to initiate an integrity detection boot mode by judging said running mode unit; an EFI integrity detection unit (5), which is used for performing an integrity detection on EFI image codes in the integrity detection boot mode, and comprises an integrity metric value for being compared with an EFI integrity calculated value generated after the EFI integrity detection unit performs the integrity detection on the EFI image codes, to determine the integrity of the EFI image codes; an operating system integrity detection unit (6); and an integrity management unit. The present invention is based on the EFI BIOS to perform the integrity detection on the operating system during the pre-boot stage, having better reliability and security.

231 Citations

30 Claims

1. A computer system capable of performing an integrity detection, comprising an EFI storage unit, which is characterized in it further comprises:
- a running mode unit including an integrity detection initiating control parameter, wherein in the PEI stage, after the basic initialization of the CPU, chipsets, and main board is finished, it is determined that whether or not to initialize an integrity detection initiating mode by judging the running mode unit;
  
  said EFI storage unit comprises;
  
  an EFI integrity detection unit, for performing the integrity detection on the EFI image codes in the integrity detection initiating mode;
  
  said EFI integrity detection unit comprises an integrity metric value, for after the EFI integrity detection unit performs the integrity detection on the EFI image codes to generate an EFI integrity calculated value, comparing the metric value and the calculated value to determine the integrity of the EFI image codes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer system according to claim 1, wherein the running mode unit is stored in a hardware unit.
  - 3. The computer system according to claim 1, wherein an FV_RECOVERY unit in said EFI storage unit is a read-only code unit.
  - 4. The computer system according to claim 1, further comprising:
    - an EFI image code recovery unit, for invoking an EFI image recovery code in said EFI image code recovery unit to recover the EFI image code when the EFI integrity detection unit performs the integrity detection on the EFI image code and determines that the EFI image code is not integral.
  - 5. The computer system according to claim 4, further comprising:
    - an operating system integrity detection unit, for forcibly performing an operating system integrity detection before initiating an operating system;
      
      wherein said operating system integrity detection unit comprises a credible file detection unit, for invoking the operating system integrity detection method to perform the integrity detection on every credible files, comparing and determining whether every credible files are tampered, generating a credible files calculated value for every files in turn, and performing the integrity detection on the files of the operating system;
      
      said computer system further comprises a credible file metric value which is compared with the calculated value to determine the integrity of an individual file to thereby determine the integrity of all the files of the operating system, after the operating system integrity detection unit performs the integrity detection on every credible files, compares and determines whether every credible files are tampered, and generates the credible files calculated value for every files in turn.
  - 6. The computer system according to claim 5, wherein said operation integrity detection unit further comprises a magnetic disk parameter data detection unit, for reading out a magnetic disk parameter data, detecting whether the magnetic disk parameter data is integral, and then invoking the credible file detection unit to perform the integrity detection on the individual credible file;
    - said computer system further comprises a magnetic disk parameter metric value which is compared with the calculated value to determine the integrity of the operating system after the operating system integrity detection unit performs the magnetic disk parameter integrity detection on the magnetic disk on which the files of the operating system are stored and generates a magnetic disk parameter integrity calculated value.
  - 7. The computer system according to claim 5, further comprising a magnetic disk parameter data recovery unit, for invoking the magnetic disk parameter data in said magnetic disk parameter data recovery unit to forcibly recover the magnetic disk data when the magnetic disk parameter data detection unit detects that the magnetic disk parameter is not integral.
  - 8. The computer system according to claim 6, further comprising a credible file list, for looking up and comparing, after the magnetic parameter data detection is finished, system credible file names, detecting whether all the credible files are present to ensure the integrity of the operating system credible files, and then invoking the credible file detection unit to perform the integrity detection on the individual credible file.
  - 9. The computer system according to claim 8, further comprising an operating system credible file recovery unit, for invoking the pre-saved operating system credible recovery files to recover the credible files forcibly, when said operating system credible file recovery unit determines that the operating system credible files are not integral or are tampered after the operating system integrity detection unit compares the operating system credible files through the credible file list or the credible file metric value and performing the integrity detection, thereby recovering the entire operating system environment.
  - 10. The computer system according to claim 9, wherein the credible file metric value, the magnetic disk parameter metric value, the credible file list, the EFI image code recovery unit, the magnetic disk parameter data recovery unit and the operating system credible file recovery unit are stored into an EFI security storage component.
  - 11. The computer system according to claim 10, wherein said EFI security storage component is a local security storage component or an external security storage component.
  - 12. The computer system according to claim 11, wherein when said external security storage component is a remote security component, said operating system credible file recovery unit is stored in the remote security storage component;
    - said computer system further comprises a simple network driver and a simple TCP Socket driver, for being invoked to connect to the remote security storage component through the network, downloading the operating system credible recovery files stored in the remote security storage component into local, and recovering the operating system files, when the operating system files are determined to be not integral.
  - 13. The computer system according to claim 5, further comprising an integrity management unit, for setting whether an integrity detection boot mode is needed to be performed when booting the EFI, and allowing a user to customize the operating system credible files related to the operating system according to the requirement of the system running, and to regenerate the magnetic disk parameter metric value, a credible file list and the credible file metric value.
  - 14. The computer system according to claim 13, wherein said integrity management unit comprises:
    - a security level setting unit, for setting the boot mode of said computer system;
      
      an integrity presetting unit, for customizing the operating system credible files and regenerating a magnetic disk parameter metric value, credible file list, the credible file metric value and the operating system credible files, and performing the integrity detection on the operating system according to the new comparison reference when the system performs the integrity detection again; and
      
      an EFI integrity presetting unit, for running the EFI integrity presetting unit to generate a new EFI integrity metric value when the user selects the EFI integrity presetting management.

15. A method for performing computer system integrity detection, which is characterized in comprising an EFI integrity detection, comprising steps of:
- STEP A;
  
  the system is powered on to run a PEI stage, after basic initializations of CPU, chipset and the main board are finished, it is determined whether to initiate an integrity detection boot mode or not;
  
  if yes, STEP B is performed;
  
  otherwise the computer system is booted in a conventional boot mode;
  
  STEP B;
  
  an EFI integrity detection unit is invoked to calculate an EFI integrity calculated value when an EFI BIOS is booted in the integrity detection boot mode;
  
  STEP C;
  
  a current EFI integrity metric value and the calculated value are compared with each other and it is judged whether they are equal or not;
  
  if they are equal, which means that an EFI image code is integral, the subsequent process of the EFI BIOS boot is performed.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 16. The method for performing computer system integrity detection according to claim 15, wherein said EFI integrity detection further comprises a step of:
    - STEP D;
      
      when the EFI image code is not integral, the user selects whether to invoke an EFI image file recovery code in an EFI image file recovery unit or not;
      
      if yes, the EFI image code recovery is performed to finish the EFI integrity detection and an EFI subsequent process is performed;
      
      otherwise, it is terminated.
  - 17. The method for performing computer system integrity detection according to claim 16, further comprising an operating system integrity detection, i.e., comprising steps of:
    - STEP E;
      
      after the EFI integrity detection is finished, a flow of a DXE stage is performed and a DXE dispatches an operating system integrity detection unit to be loaded into an internal memory;
      
      STEP F;
      
      it enters an BDS stage, and if a running mode is an integrity detection setting, said operating system integrity detection unit in STEP E is invoked;
      
      STEP G;
      
      a credible file detection unit in the operating system integrity detection unit invokes an operating system integrity detection method to perform an integrity detection on each credible file, to compare and judge whether each credible file is tampered, to generate a credible file calculated value for each file in turn, and to detect the integrity of the operating system files;
      
      STEP H;
      
      the integrity of each individual credible file is determined according to the comparison between the credible file metric value and the calculated value, and thereby determining the integrity of all the credible files of the operating system.
  - 18. The method for performing computer system integrity detection according to claim 17, wherein said operating system integrity detection further comprises steps of:
    - STEP I;
      
      when the operating system credible files are tampered, a user is informed that an operating system credible file recovery may be performed;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system, and if the user selects “
      
      Recover”
      
      , it goes to the next step;
      
      STEP J;
      
      it detects whether the files of the operating system coincide with the corresponding operating system credible files or not;
      
      if yes, it loads and runs the operating system;
      
      otherwise, it goes to the next step;
      
      STEP K;
      
      the user is informed whether to perform the recovery;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system; and
      
      if the user selects “
      
      Recover”
      
      , the corresponding operating system credible files are copied to cover the corresponding files, the operating system is loaded and run.
  - 19. The method for performing computer system integrity detection according to claim 18, wherein said STEP G further comprises a step of:
    - STEP G1;
      
      the operating system integrity detection unit first invokes a magnetic disk parameter data detection unit to read out an magnetic disk parameter MBR, an active partition, and partition table information, to calculate calculated value of the MBR, the active partition, and the partition table information by a hash algorithm, to compare the calculated value with a magnetic disk metric value to detect whether the magnetic disk parameter is integral, then it invokes the credible file detection unit in the operating system integrity detection unit to perform the integrity detection on the individual credible file.
  - 20. The method for performing computer system integrity detection according to claim 19, wherein said STEP G1 comprises a step of:
    - STEP G11;
      
      when the magnetic disk parameter data detection unit detects that the magnetic disk parameter is not integral, the magnetic disk parameter data in a magnetic disk parameter data recovery unit is invoked to forcibly recover a magnetic disk data.
  - 21. The method for performing computer system integrity detection according to claim 20, wherein said STEP G further comprises a step of:
    - STEP G2;
      
      after the detection on the magnetic disk parameter data is finished, it performs an operating system credible file list detection, looks up and compares names of the operating system credible files, detects whether all the credible files are present to ensure the integrity of the operating system credible files, then it invokes the credible file detection unit to perform the integrity detection on the individual files.
  - 22. The method for performing computer system integrity detection according to claim 21, wherein said STEP G2 further comprises a step of:
    - STEP G21;
      
      when the operating system credible file list has been detected that the operating system credible file is not present, it invokes an operation credible file recovery unit to forcibly recover said operating system credible file.
  - 23. The method for performing computer system integrity detection according to claim 17, wherein said operating system integrity detection further comprises steps of:
    - STEP I;
      
      when the operating system files are not integral, it informs a user that the operating system credible file recovery can be performed;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system; and
      
      if the user selects “
      
      Recover”
      
      , it invokes a simple network driver and a simple TCP Socket driver to connect to a remote network;
      
      STEP J;
      
      it detects whether the files of the operating system coincide with the corresponding operating system credible files or not;
      
      if yes, it disconnects a bottom level network connection, loads and runs the operating system;
      
      otherwise, it goes to the next step;
      
      STEP K;
      
      it informs the user whether to recover or not;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system; and
      
      if the user selects “
      
      Recover”
      
      , the corresponding operating system credible files in the remote server are copied and sent to local to cover the corresponding files, then it disconnects a bottom level network connection, loads and runs the operating system.
  - 24. The method for performing computer system integrity detection according to claim 23, wherein said STEP G further comprises a step of:
    - STEP G1;
      
      the operating system integrity detection unit first invokes a magnetic disk parameter data detection unit to read out a magnetic disk parameter MBR, an active partition, and partition table information, to calculate a calculated value of the MBR, the active partition, and the partition table information by a hash algorithm, to compare the calculated value with an magnetic disk metric value to detect whether the magnetic disk parameter is integral, then it invokes the credible file detection unit in the operating system integrity detection unit to perform the integrity detection on the individual credible file.
  - 25. The method for performing computer system integrity detection according to claim 24, wherein said STEP G1 comprises a step of:
    - STEP G11;
      
      when the magnetic disk parameter data detection unit detects that the magnetic disk parameter is not integral, the magnetic disk parameter data in a magnetic disk parameter data recovery unit is invoked to forcibly recover an magnetic disk data.
  - 26. The method for performing computer system integrity detection according to claim 25, wherein said STEP G further comprises a step of:
    - STEP G2;
      
      after the detection on the magnetic disk parameter data is finished, it performs an operating system credible file list detection, looks up and compares names of the operating system credible files, detects whether all the credible files are present to ensure the integrity of the operating system credible files, then it invokes the credible file detection unit to perform the integrity detection on the individual file.
  - 27. The method for performing computer system integrity detection according to claim 26, wherein said STEP G2 further comprises steps of:
    - STEP G21;
      
      when the operating system credible file list has been detected that the operating system credible file is not present, it informs the user that the operating system credible files can be recovered;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system; and
      
      if the user selects “
      
      Recover”
      
      , it invokes a simple network driver and a simple TCP Socket driver to connect to a remote network;
      
      STEP G22;
      
      it detects whether the files of the local operating system coincide with the corresponding operating system credible files or not;
      
      if yes, it disconnects a bottom level network connection and returns to perform the operating system credible file list detection;
      
      otherwise, it goes to the next step;
      
      STEP G23;
      
      it informs the user whether to recover or not;
      
      if the user selects “
      
      Not Recover”
      
      , it stops loading the operating system; and
      
      if the user selects “
      
      Recover”
      
      , the corresponding operating system files in the remote server are copied and sent to local to cover the corresponding files, then it disconnects a bottom level network connection and returns to perform the operating system credible file list detection.
  - 28. The method for performing computer system integrity detection according to claim 17, further comprising an integrity management configuration, which comprises steps of:
    - STEP L;
      
      after the user passes through the operating system integrity detection, it is selected whether to enter an operating system integrity management unit;
      
      STEP M;
      
      if the user does not select to enter the operating system integrity management unit, it directly initiates the operating system; and
      
      when the user selects to enter the operating system integrity management unit, it displays an operating system management interface, and the user performs management configurations on the operating system integrity.
  - 29. The method for performing computer system integrity detection according to claim 28, wherein said STEP M comprises steps of:
    - STEP M1;
      
      when the user selects to perform a security level management, it runs a security level setting unit to set a current computer system security level;
      
      STEP M2;
      
      when the user selects an operating system integrity file presetting management, an operating system integrity file presetting unit is run, and the user customizes the operating system credible files.STEP M3;
      
      when the user selects an EFI code integrity presetting management, an EFI integrity presetting unit is run to generate a new EFI integrity metric value.
  - 30. The method for performing computer system integrity detection according to claim 29, wherein said STEP M2 comprises steps of:
    - STEP M21;
      
      the operating system integrity presetting unit is run and the user is informed to select to either add or reduce the operating system credible files;
      
      STEP M22;
      
      it regenerates a magnetic disk parameter metric value, a credible file list, a credible file metric value and the related operating system credible files, according to the operating system credible files selected by the user;
      
      STEP M23;
      
      it stores the regenerated magnetic disk parameter metric value, credible file list, credible file metric value and the related operating system credible files into a security storage memory;
      
      STEP M24;
      
      it returns to the operating system integrity management unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Original Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Inventors
Zhang, Yi, Zhou, Jian, Tian, Hongping, Xi, Zhenxin

Granted Patent

US 8,468,342 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/19
CPC Class Codes

G06F 11/2284 by power-on test, e.g. powe...

G06F 21/577 Assessing vulnerabilities a...

Computer System and Method for Performing Integrity Detection on the Same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

231 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Computer System and Method for Performing Integrity Detection on the Same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

231 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links