CN115033933A - BIOS-based port management and control method and system - Google Patents
- Publication number: CN115033933A (application number CN202210523819.0A)
- Authority: CN (China)
- Prior art keywords: layer, port, bios, control, module
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
          - G06F21/82—Protecting input, output or interconnection devices
            - G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a port management and control method and system based on a BIOS (Basic Input Output System). Port management and control at the BIOS layer is realized by a double-layer management and control method spanning the BIOS layer and the OS layer, even when hardware or other mechanism support is lacking. In the system of the invention only the administrator can open or close a port at the BIOS layer, and an ordinary user cannot change the port state without authorization. After the BIOS layer closes a port, even an operating system administrator cannot open that port from within the operating system; it must be reopened at the BIOS layer. When the hardware layer supports it, the corresponding GPIO is pulled directly through the hardware layer to control the port; when the hardware layer does not, the BIOS layer port information transmission module collects the port information from the BIOS layer port control module and reports it to the OS layer information receiving module through a unified communication interface between the BIOS and the operating system, so that the OS layer's port control is synchronized with the BIOS setting.
Description
Technical Field
The invention relates to the technical field of computer firmware, in particular to a port management and control method and system based on a Basic Input Output System (BIOS).
Background
The BIOS (Basic Input Output System) is a boot program stored in the ROM chip on the motherboard. The BIOS is responsible for the Power-On Self-Test (POST) and the system boot program, and is the first program run after the computer system is powered on. Because it is stored in a ROM (read-only memory) chip, it retains its settings after power is turned off.
At present, port management and control is an important means of preventing data leakage: closing a port at the BIOS layer, taking advantage of the nonvolatile nature of the BIOS, effectively shuts a data-leakage transmission channel at the lowest level of the computer. However, some domestic computers currently do not support BIOS port management and control, so a port closed at the BIOS layer remains open at the OS (operating system) layer. That is, onboard ports such as USB, SATA and network need to be controlled from the BIOS in a way that governs their functional use under both the BIOS and the OS; otherwise the port management and control has vulnerabilities.
Existing BIOS port management and control methods have two problems: first, some computers have device controllers that do not support port control through a configuration register; second, the hardware environment provides no relevant support for BIOS control of the port. A port control method that is not dependent on the register and hardware environment is therefore needed.
Disclosure of Invention
In view of this, the present invention provides a BIOS-based port management and control method and system that implements port control through configuration at the BIOS layer without being dependent on a register or the hardware environment, and that can still perform port control through the BIOS layer when no such register is present.
To achieve this purpose, the technical scheme of the invention is as follows:
A BIOS-based port management and control method is applied to a port management and control system comprising an OS layer information receiving module, an OS layer port control module, a BIOS layer port information transmission module, a BIOS layer port control module, a BIOS layer identity authentication module and a hardware layer, and comprises the following specific steps:
Step one, powering on the computer and entering the BIOS configuration interface.
Step two, the BIOS identity authentication module identifies the identity authority of the operator and determines whether to grant administrator authority.
Step three, the administrator enters a port management and control request, and the BIOS port control module receives it and judges whether a corresponding register exists.
Step four, the BIOS port information transmission module reports the port information to the OS layer information receiving module using a unified communication interface between the BIOS and the operating system.
Step five, the OS layer information receiving module receives the port information reported by the BIOS layer port information transmission module and passes it to the OS layer port control module.
Step six, the OS layer port control module controls the corresponding port through the hardware layer according to the port information.
Furthermore, the port management and control system also comprises an OS layer identity authentication module.
Further, the administrator authority is specifically as follows:
when the operation is performed by a first-layer administrator, the corresponding port control authority is opened and port switch control can then be selected on the configuration interface; when the operation is not performed by the first-layer administrator, no port management and control authority is granted; and the OS layer identity authentication module grants control authority over the corresponding port to a second-layer administrator by identifying the identity of the second-layer administrator, where the priority of the second-layer administrator is higher than that of the first-layer administrator.
Further, step three further comprises:
when a corresponding register exists, the register is configured directly to control the port; when no corresponding register exists, it is judged whether the hardware layer provides hardware support; if hardware support exists, the BIOS port control module pulls, or instructs the hardware layer to pull, the corresponding GPIO to control the port; and if no hardware support exists, the method proceeds to step four.
A BIOS-based port management and control system for the above method comprises an OS layer, a BIOS layer and a hardware layer.
The OS layer comprises an OS layer information receiving module, an OS layer port control module and an OS layer identity authentication module; the BIOS layer comprises a BIOS layer port information transmission module, a BIOS layer port control module and a BIOS layer identity authentication module; the hardware layer includes a CPU, a port controller, and a port pull device.
In the hardware layer:
the port controller is used for directly controlling the ports; the port pulling device and the CPU together form hardware support for the port, and pull the corresponding GPIO to control the port under the control of the BIOS layer port control module.
In the BIOS layer:
the BIOS layer port control module is connected with the OS layer port control module, and the BIOS layer port control module and the OS layer port control module are connected with a CPU and a port controller of a hardware layer; the BIOS layer identity authentication module gives control authority to a corresponding port of a first layer administrator by identifying the identity of the first layer administrator, and meanwhile, other users cannot control the port; the BIOS layer port control module controls the state of the port by configuring a corresponding register for the port; the BIOS layer port information transmission module acquires the port information collected by the BIOS layer port control module and reports the information to the OS layer information receiving module through a uniform communication interface between the BIOS and the operating system; the BIOS port control module exerts control authority on the port to set the control authority range of the OS layer on the port.
In the OS layer:
the OS layer information receiving module receives the port information reported by the BIOS layer and issues an instruction to the OS layer port control module according to the port information; the OS layer port control module performs opening or closing operation on the port according to the issued instruction; the OS layer identity authentication module gives the management and control authority of a corresponding port to a second layer administrator by identifying the identity of the second layer administrator, and the priority of the second layer administrator is higher than that of the first layer administrator.
Advantages:
1. The invention realizes port management and control at the BIOS layer through a double-layer management and control method of the BIOS layer and the OS layer, even without support from hardware or other mechanisms.
2. In the system of the invention only the administrator can open or close a port at the BIOS layer, and an ordinary user cannot change the port state without authorization. After the BIOS layer closes a port, even an operating system administrator cannot open that port from within the operating system; it must be reopened at the BIOS layer.
3. When the hardware layer supports it, the system pulls the corresponding GPIO directly through the hardware layer to control the port; when the hardware layer does not, the BIOS layer port information transmission module collects the port information from the BIOS layer port control module and reports it to the OS layer information receiving module through a unified communication interface between the BIOS and the operating system, so that the OS layer's port control is synchronized with the BIOS layer. Once a port is closed in the BIOS, its state is closed or locked synchronously at once, so an ordinary user cannot open it and the closed state remains consistent with the BIOS layer setting.
Drawings
FIG. 1 is a connection framework diagram of a BIOS layer, an OS layer, and a hardware layer.
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The invention is described in detail below by way of example with reference to the accompanying drawings.
As shown in fig. 2, the present invention provides a BIOS-based port management and control method comprising the following specific steps:
Step one, powering on the computer and entering the BIOS configuration interface;
Step two, the BIOS identity authentication module identifies the identity authority of the operator; when the operation is performed by a first-layer administrator it opens the corresponding port control authority, after which port switch control can be selected on the configuration interface; when the operation is not performed by a first-layer administrator, no port management and control authority is granted; the OS layer identity authentication module grants control authority over the corresponding port to a second-layer administrator by identifying the identity of the second-layer administrator, and the priority of the second-layer administrator is higher than that of the first-layer administrator;
Step three, an administrator enters a port control request, and the BIOS port control module receives it and judges whether a corresponding register exists; when it exists, the register is configured directly to control the port; when no corresponding register exists, it is judged whether the hardware layer provides hardware support; if hardware support exists, the BIOS port control module pulls, or instructs the hardware layer to pull, the corresponding GPIO to control the port; if no hardware support exists, the method proceeds to step four;
Step four, the BIOS port information transmission module reports the port information to the OS layer information receiving module using a unified communication interface specification between the BIOS and the operating system, such as SMBIOS. Within the port controller, the state of the network controller is described by a dedicated network state flag bit and its ports need no per-port control; the SATA controller needs per-port control, each port's state is represented by a dedicated port state flag bit, and when the whole controller is disabled the port status values are ignored; the USB controller likewise needs per-port control, each port's state is represented by a dedicated port state flag bit, and when the whole controller is disabled the port status values are ignored;
Step five, restarting the computer so that the configuration made in steps one to four takes effect;
Step six, the OS layer information receiving module receives the port information reported by the BIOS layer port information transmission module and passes it to the OS layer port control module;
Step seven, the OS layer port control module controls the corresponding port through the hardware layer according to the port information.
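The administrator gate of step two and the three control paths of step three (configuration register, GPIO pulled by a port-pull device, software mode reported to the OS layer) as an added C example; this is not code from the patent or from any implementation of it. The port kinds, the disable bit, the device and function numbers and the capabilities of the sample board are constructed assumptions, and the platform registers and GPIO lines are plain variables standing in for real hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the BIOS-layer decision in step three. An administrator
 * request is honoured through the first available path, in the order the method
 * prescribes: configuration register, then GPIO via hardware support, then the
 * software mode that hands the state to the OS layer in step four. */

enum port_kind { PORT_USB = 0, PORT_SATA = 1, PORT_NET = 2, PORT_KIND_COUNT = 3 };
enum operator_role { ROLE_ORDINARY_USER, ROLE_FIRST_LAYER_ADMIN };
enum control_path { PATH_DENIED, PATH_REGISTER, PATH_GPIO, PATH_SOFTWARE };

#define CTRL_DISABLE_BIT 0x1u   /* constructed: "controller disabled" bit in the config register */

/* Static capability description of one port controller on a given board. */
struct port_desc {
    enum port_kind kind;
    uint8_t dev, func;        /* device/function number that tells same-type controllers apart */
    bool has_ctrl_register;   /* controller exposes a disable register */
    bool has_gpio_support;    /* CPU plus port-pull device (EC/CPLD/TPCM) can pull a GPIO */
};

/* Mutable platform state touched by the three paths (constructed stand-ins). */
struct platform_state {
    uint32_t ctrl_reg[PORT_KIND_COUNT];      /* controller configuration registers */
    uint8_t  gpio_level[PORT_KIND_COUNT];    /* 1 = port powered/clocked, 0 = pulled low */
    bool     report_closed[PORT_KIND_COUNT]; /* closed state to hand to the OS layer (step four) */
};

/* BIOS layer identity authentication: only the first-layer administrator gets control authority. */
static bool bios_authorize(enum operator_role who) {
    return who == ROLE_FIRST_LAYER_ADMIN;
}

/* Step three: close a port, choosing register, GPIO or software mode in that order. */
enum control_path bios_close_port(struct platform_state *ps, const struct port_desc *d,
                                  enum operator_role who) {
    if (!bios_authorize(who))
        return PATH_DENIED;                        /* ordinary users cannot change port state */
    if (d->has_ctrl_register) {
        ps->ctrl_reg[d->kind] |= CTRL_DISABLE_BIT; /* register exists: configure it directly */
        return PATH_REGISTER;
    }
    if (d->has_gpio_support) {
        ps->gpio_level[d->kind] = 0;               /* hardware support: pull the GPIO low */
        return PATH_GPIO;
    }
    ps->report_closed[d->kind] = true;             /* neither: report to the OS layer (SMBIOS-like) */
    return PATH_SOFTWARE;
}

/* Constructed board: USB has a register, SATA only a GPIO, network neither. */
static const struct port_desc sample_board[PORT_KIND_COUNT] = {
    { PORT_USB,  0x14, 0, true,  false },
    { PORT_SATA, 0x17, 0, false, true  },
    { PORT_NET,  0x1f, 6, false, false },
};

/* Run one request against the sample board from a fresh state; returns the path taken
 * and, if out is non-NULL, the resulting platform state. */
enum control_path demo_close(enum port_kind kind, enum operator_role who, struct platform_state *out) {
    struct platform_state ps = { {0, 0, 0}, {1, 1, 1}, {false, false, false} };
    enum control_path p = bios_close_port(&ps, &sample_board[kind], who);
    if (out) *out = ps;
    return p;
}

int main(void) {
    static const char *names[] = { "denied", "register", "gpio", "software" };
    for (int k = 0; k < PORT_KIND_COUNT; k++)
        printf("port kind %d: admin -> %s, user -> %s\n", k,
               names[demo_close((enum port_kind)k, ROLE_FIRST_LAYER_ADMIN, NULL)],
               names[demo_close((enum port_kind)k, ROLE_ORDINARY_USER, NULL)]);
    return 0;
}
```

The ordering matters for the security property the page claims: the register and GPIO paths take effect below the OS, while the software path only works if the OS-layer modules honour the reported state, which is why step four exists at all.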
As shown in fig. 1, the present invention provides a BIOS-based port management and control system in which the BIOS configuration interface controls ports such as USB, SATA and network through switch options by configuring the controller's registers, and provides a hardware solution and a software solution for the case where no such registers exist.
In the hardware scheme, the BIOS layer controls the electrical signal or clock signal of a port through a GPIO signal line, either pulling the GPIO directly or instructing a port pull device (such as a TPCM card, an EC or a CPLD) through a corresponding interface to pull the corresponding GPIO, thereby controlling access to the interface. After the signal is sent, the machine is restarted for the change to take effect.
In the software scheme, when the port cannot be controlled through a register, a GPIO (general purpose input/output) or another hardware means because the hardware environment does not support it, the BIOS layer falls back to software measures such as not enumerating or scanning the corresponding port. In this case the BIOS layer must pass the corresponding port state to the OS layer through a unified communication interface between the BIOS and the operating system; controllers of the same type are distinguished by marks such as device number and function number, and controllers of different types by the controller's device type. The communication blocks conform to a communication interface specification such as SMBIOS (a unified specification that motherboard or system manufacturers follow to present product management information in a standard format). After receiving the data, the OS layer determines the port state and controls the port accordingly. The BIOS layer applies port control authority to the associated device to prevent the port from being controlled without authorization at the OS layer.
As shown in fig. 1, the BIOS-based port management system includes an OS layer, a BIOS layer and a hardware layer; the port controllers include USB, SATA and network. The OS layer information receiving module, the OS layer port control module and the OS layer identity authentication module are located in the kernel space of the OS.
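The OS-layer side of the software scheme (step four through step seven) as an added C example, not code from the patent or any implementation of it: the information receiving module parses the records the BIOS layer reports over a unified interface such as SMBIOS, the effective port state is derived with the rule that a disabled controller makes the per-port status bits irrelevant and that the network controller carries only a whole-controller flag, and the port control module refuses to reopen a port the BIOS layer has closed, which is the "BIOS setting is the ceiling" property the page states. The six-byte record layout, the flag-bit positions, the device and function numbers and the sample report bytes are constructed assumptions; real SMBIOS structures are laid out differently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ctrl_type { CT_USB = 1, CT_SATA = 2, CT_NET = 3 };

/* Constructed record layout (6 bytes, little-endian), one record per controller:
 *   [0] controller type   [1] device number   [2] function number
 *   [3] controller flags: bit0 = controller enabled; for CT_NET bit1 = network state flag
 *   [4..5] per-port status bits (bit n set -> port n enabled); ignored when bit0 of [3] is 0 */
#define REC_LEN 6
#define FLAG_CTRL_ENABLED 0x01u
#define FLAG_NET_STATE    0x02u
#define MAX_PORTS_PER_CTRL 16u

struct port_record {
    uint8_t type, dev, func, flags;
    uint16_t port_status;
};

/* Information receiving module: parse one record, rejecting truncated or unknown input. */
bool parse_port_record(const uint8_t *buf, size_t len, struct port_record *out) {
    if (len < REC_LEN) return false;
    if (buf[0] != CT_USB && buf[0] != CT_SATA && buf[0] != CT_NET) return false;
    out->type = buf[0]; out->dev = buf[1]; out->func = buf[2]; out->flags = buf[3];
    out->port_status = (uint16_t)(buf[4] | (buf[5] << 8));
    return true;
}

/* Effective state of port n as the OS layer must apply it. Network: whole-controller flag,
 * no per-port control. SATA/USB: per-port bit, but a disabled controller overrides every
 * port status value ("the value of PORT Status is ignored"). */
bool port_effective_open(const struct port_record *r, unsigned port_index) {
    if (r->type == CT_NET)
        return (r->flags & FLAG_NET_STATE) != 0;
    if (!(r->flags & FLAG_CTRL_ENABLED))
        return false;
    if (port_index >= MAX_PORTS_PER_CTRL) return false;
    return ((r->port_status >> port_index) & 1u) != 0;
}

/* OS layer port control module: a second-layer (OS) administrator may open ports, but not
 * one the BIOS layer reported closed; the BIOS setting bounds the OS layer's authority. */
struct os_port_state { bool bios_open; bool os_open; };

bool os_request_open(struct os_port_state *st, bool is_os_admin) {
    if (!is_os_admin) return false;   /* ordinary users cannot change port state */
    if (!st->bios_open) return false; /* stays closed until reopened at the BIOS layer */
    st->os_open = true;
    return true;
}

/* Constructed sample report: three records as the BIOS layer would hand them over. */
static const uint8_t sample_report[] = {
    CT_USB,  0x14, 0x00, 0x01, 0x05, 0x00,   /* USB enabled; ports 0 and 2 enabled, 1 and 3 closed */
    CT_SATA, 0x17, 0x00, 0x00, 0xFF, 0xFF,   /* SATA controller disabled: port bits set but ignored */
    CT_NET,  0x1f, 0x06, 0x03, 0x00, 0x00,   /* network enabled, network state flag set */
};

/* Walk a report and count ports of one controller type that the OS layer must keep closed.
 * Returns -1 if any record is malformed, so a corrupt report is never silently applied. */
int count_closed_ports(const uint8_t *report, size_t len, uint8_t type, unsigned nports) {
    int closed = 0;
    if (len % REC_LEN != 0) return -1;
    for (size_t off = 0; off < len; off += REC_LEN) {
        struct port_record r;
        if (!parse_port_record(report + off, len - off, &r)) return -1;
        if (r.type != type) continue;
        for (unsigned p = 0; p < nports; p++)
            if (!port_effective_open(&r, p)) closed++;
    }
    return closed;
}

int main(void) {
    for (size_t off = 0; off < sizeof sample_report; off += REC_LEN) {
        struct port_record r;
        if (!parse_port_record(sample_report + off, sizeof sample_report - off, &r)) continue;
        printf("type %u dev %02x func %u:", (unsigned)r.type, (unsigned)r.dev, (unsigned)r.func);
        for (unsigned p = 0; p < 4; p++)
            printf(" port%u=%s", p, port_effective_open(&r, p) ? "open" : "closed");
        printf("\n");
    }
    return 0;
}
```

The controller-level override is the part worth getting right in a real receiving module: applying per-port bits from a disabled controller would reopen ports the BIOS administrator intended to be off, which is exactly the BIOS/OS inconsistency the background section describes.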
The OS layer comprises an OS layer information receiving module, an OS layer port control module and an OS layer identity authentication module; the BIOS layer comprises a BIOS layer port information transmission module, a BIOS layer port control module and a BIOS layer identity authentication module; the hardware layer comprises a CPU, a port controller and a port pulling device;
in the hardware layer:
the port controller is used for directly controlling the ports; the port pulling device and the CPU together form hardware support for the port, and pull the corresponding GPIO to control the port under the control of the port control module of the BIOS layer;
in the BIOS layer:
the BIOS layer port control module is connected with the OS layer port control module, and the BIOS layer port control module and the OS layer port control module are connected with a CPU and a port controller of a hardware layer; the BIOS layer identity authentication module gives control authority to a corresponding port of a first layer administrator by identifying the identity of the first layer administrator, and meanwhile, other users cannot control the port; the BIOS layer port control module controls the port state by configuring a corresponding register for the port; the BIOS layer port information transmission module acquires the port information collected by the BIOS layer port control module, and reports the information to the OS layer information receiving module through a unified communication interface specification between the BIOS and the operating system, such as SMBIOS; the BIOS port control module applies control authority to the port to set the control authority range of the OS layer to the port;
in the OS layer:
the OS layer information receiving module receives the port information reported by the BIOS layer and issues an instruction to the OS layer port control module according to the port information; the OS layer port control module performs opening or closing operation on the port according to the issued instruction; the OS layer identity authentication module gives the management and control authority of a corresponding port to a second layer administrator by identifying the identity of the second layer administrator, and the priority of the second layer administrator is higher than that of the first layer administrator.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (5)
1. A BIOS-based port management and control method, characterized in that the method is applied to a port management and control system comprising an OS layer information receiving module, an OS layer port control module, a BIOS layer port information transmission module, a BIOS layer port control module, a BIOS layer identity authentication module and a hardware layer, and the specific steps comprise:
step one, powering on the computer and entering the BIOS configuration interface;
step two, the BIOS identity authentication module identifies the identity authority of the operator and determines whether to grant administrator authority;
step three, an administrator enters a port management and control request, and the BIOS port control module receives it and judges whether a corresponding register exists;
step four, the BIOS port information transmission module reports the port information to the OS layer information receiving module using a unified communication interface between the BIOS and the operating system;
step five, the OS layer information receiving module receives the port information reported by the BIOS layer port information transmission module and passes it to the OS layer port control module;
and step six, the OS layer port control module controls the corresponding port through the hardware layer according to the port information.
2. The method of claim 1, wherein the port management system further comprises an OS-level identity authentication module.
3. The method according to claims 1-2, wherein the administrator privileges are specifically:
when the operation is performed by a first-layer administrator, the corresponding port control authority is opened, and then the selection of port switch control can be performed on a configuration interface; when the operation is not performed by the first-layer administrator, the port management and control authority is not given; and the OS layer identity authentication module gives the control authority to a corresponding port of a second layer administrator by identifying the identity of the second layer administrator, wherein the priority of the second layer administrator is higher than that of the first layer administrator.
4. The method of claim 1, wherein step three further comprises:
when a corresponding register exists, the register is directly configured to realize the control of the port; when the corresponding register does not exist, judging whether the hardware layer has hardware support or not; if the hardware support exists, the BIOS port control module directly pulls or informs a hardware layer to pull a corresponding GPIO to control the port; and if the hardware support does not exist, entering the step four.
5. A BIOS based port management system comprising an OS layer, a BIOS layer and a hardware layer for the method of claims 1-4;
the OS layer comprises an OS layer information receiving module, an OS layer port control module and an OS layer identity authentication module; the BIOS layer comprises a BIOS layer port information transmission module, a BIOS layer port control module and a BIOS layer identity authentication module; the hardware layer comprises a CPU, a port controller and a port pulling device;
in the hardware layer:
the port controller is used for directly controlling the ports; the port pulling device and the CPU together form hardware support for the port, and pull the corresponding GPIO to control the port under the control of the port control module of the BIOS layer;
in the BIOS layer:
the BIOS layer port control module is connected with the OS layer port control module, and the BIOS layer port control module and the OS layer port control module are connected with a CPU and a port controller of a hardware layer; the BIOS layer identity authentication module gives control authority to a corresponding port of a first layer administrator by identifying the identity of the first layer administrator, and meanwhile, other users cannot control the port; the BIOS layer port control module controls the port state by configuring a corresponding register for the port; the BIOS layer port information transmission module acquires the port information collected by the BIOS layer port control module and reports the information to the OS layer information receiving module through a unified communication interface between the BIOS and the operating system; the BIOS port control module applies control authority to the port to set the control authority range of the OS layer to the port;
in the OS layer:
the OS layer information receiving module receives the port information reported by the BIOS layer and issues an instruction to the OS layer port control module according to the port information; the OS layer port control module performs opening or closing operation on the port according to the issued instruction; the OS layer identity authentication module gives the management and control authority of a corresponding port to a second layer administrator by identifying the identity of the second layer administrator, and the priority of the second layer administrator is higher than that of the first layer administrator.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210523819.0A (CN115033933A) | 2022-05-13 | 2022-05-13 | BIOS-based port management and control method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210523819.0A (CN115033933A) | 2022-05-13 | 2022-05-13 | BIOS-based port management and control method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115033933A | 2022-09-09 |
Family ID: 83121695
Family Applications (1)
Application Number | Status | Title | Priority Date | Filing Date |
---|---|---|---|---|
CN202210523819.0A (CN115033933A) | Pending | BIOS-based port management and control method and system | 2022-05-13 | 2022-05-13 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115033933A |
Events
- 2022-05-13: application CN202210523819.0A filed in CN; published as CN115033933A, status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |