CN118036017A - Control method and device and electronic equipment - Google Patents
- Publication number: CN118036017A (application number CN202410232992.4A)
- Authority: CN (China)
- Prior art keywords: terminal, information, target, mode, program
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- G06F21/575: Secure boot (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/57 Certifying or maintaining trusted computer platforms)
- G06F9/4401: Bootstrapping (under G06F9/00 Arrangements for program control; G06F9/06 using stored programs; G06F9/44 Arrangements for executing specific programs)
- G06F9/4416: Network booting; Remote initial program loading [RIPL]
- G06F9/54: Interprogram communication (under G06F9/46 Multiprogramming arrangements)
- G06F2221/2105: Dual mode as a secondary aspect (under G06F2221/21, indexing scheme relating to G06F21/00 and subgroups)
Landscapes
- Engineering & Computer Science
- Software Systems
- Theoretical Computer Science
- General Engineering & Computer Science
- Computer Security & Cryptography
- Physics & Mathematics
- General Physics & Mathematics
- Computer Hardware Design
- Stored Programmes
Abstract
The application discloses a control method, a control device and electronic equipment. The control method comprises: obtaining a target signal, the target signal representing that a first system of a first terminal has run to a target stage; sending first information to a second terminal through a target connection, the target connection being established between the first terminal and the second terminal based on a target program, where the target program and the first information are generated when the first system is created; and receiving second information fed back by the second terminal for the first information, and controlling the first system to enter a first mode if the second information meets a target condition.
Description
Technical Field
The application belongs to the technical field of computers, and particularly relates to a control method, a control device and electronic equipment.
Background
The BIOS (Basic Input Output System) is a set of programs burned into a ROM (Read-Only Memory) chip on the computer motherboard; its main function is to provide the lowest-level, most direct hardware setup and control for the computer.
The manufacturer mode (MFG) is an application mode of the BIOS that gives the device manufacturer the highest application authority over the BIOS, to meet the production requirements of the factory environment. The related art generally unlocks (opens) the manufacturer mode of the BIOS of an electronic device by releasing to related persons a tool that can open it. This approach is prone to tool leakage, after which arbitrary persons can open the manufacturer mode of the BIOS at will, leaving the device in an unsafe state.
Disclosure of Invention
Therefore, the application discloses the following technical scheme:
A control method, comprising:
obtaining a target signal, the target signal characterizing that a first system of the first terminal has run to a target stage;
sending first information to a second terminal through a target connection, the target connection being established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created;
and receiving second information fed back by the second terminal for the first information, and controlling the first system to enter a first mode if the second information meets a target condition.
Optionally, the target connection is established as follows:
in a target environment, the first terminal establishes the target connection with the second terminal based on the target program; the target environment at least characterizes that the first terminal accesses the second terminal through a physical network port authorized by the second terminal.
Optionally, obtaining the target signal includes:
in response to the basic input output system of the first terminal running to the power-on self-test stage, obtaining the target signal; the first system comprises the basic input output system, and the target stage comprises the power-on self-test stage of the basic input output system.
Optionally, the target program is one of the following:
an interface program that is created when the basic input output system is created and is stored in the binary file of the basic input output system; when the basic input output system runs to the power-on self-test stage, the interface program is triggered to execute and guides the first terminal to access the second terminal;
a network bootstrap program together with a corresponding network link, where the network bootstrap program is created when the basic input output system is created and is stored on the second terminal, the network link is stored in the binary file of the basic input output system, and when the basic input output system runs to the power-on self-test stage the first terminal accesses the second terminal based on the network link and the network bootstrap program.
Optionally, the target condition characterizes that the first terminal has the right to run the first mode of the first system.
Optionally, after receiving the second information fed back by the second terminal for the first information, the control method further includes:
If the second information does not meet the target condition, controlling the first system to enter a second mode;
The application authority provided by the second mode for the first system is lower than the application authority provided by the first mode for the first system.
Optionally, sending the first information to the second terminal through the target connection includes:
reading the first information from the first system, encrypting the first information in a first manner or a second manner (these are encryption manners, distinct from the first and second modes of the first system), and then sending it to the second terminal, so that the second terminal decrypts the received information in the first manner or the second manner to obtain the second information;
and controlling the first system to enter the first mode if the second information meets the target condition includes:
if the second information is consistent with the first information stored in the first terminal, determining that the second information meets the target condition, and controlling the first system to enter the first mode.
Optionally, the control method further includes one of the following:
if the second information is inconsistent with the first information stored by the first terminal, determining that the second information does not meet a target condition;
And if the second information is not fed back by the second terminal, determining that the second information does not meet a target condition.
A control apparatus comprising:
The acquisition module is used for acquiring a target signal; the target signal characterizes a first system of the first terminal to run to a target stage;
The sending module is used for sending the first information to the second terminal through the target connection; the target connection is established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created;
the receiving module is used for receiving second information fed back by the second terminal aiming at the first information;
and the detection and control module is used for controlling the first system to enter a first mode under the condition that the second information is detected to meet the target condition.
An electronic device, comprising:
A memory for storing at least one set of computer instructions;
a processor for implementing a control method as claimed in any one of the preceding claims by executing the set of instructions stored in the memory.
As can be seen from the above scheme, the present application discloses a control method, a device and an electronic device, wherein the control method includes: obtaining a target signal, wherein the target signal represents that a first system of a first terminal operates to a target stage; transmitting first information to a second terminal through a target connection, wherein the target connection is established by the first terminal based on a target program and the second terminal, and the target program and the first information are generated when the first system is created; and receiving second information fed back by the second terminal aiming at the first information, and controlling the first system to enter a first mode if the second information meets a target condition.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to the provided drawings without inventive effort for those skilled in the art.
FIG. 1 is a schematic flow chart of a control method provided by the application;
FIG. 2 is an example of an application of the present application for mode control of a BIOS of a client device;
FIG. 3 is a schematic flow chart of another control method according to the present application;
FIG. 4 is a block diagram of a control device according to the present application;
FIG. 5 is a component configuration diagram of an electronic device provided by the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The application provides a control method, a control device and electronic equipment, which are used for solving the problem of poor equipment safety in a mode of unlocking (starting) a manufacturer mode of an electronic equipment BIOS by opening a tool which can be used for starting the manufacturer mode of the electronic equipment BIOS to related personnel. The disclosed control methods are applicable to a wide variety of general-purpose or special-purpose computing device environments or electronic devices in a configuration, such as: personal computers, hand-held or portable devices, tablet devices, multiprocessor devices, and the like.
Referring to a control method flowchart shown in fig. 1, the control method provided by the embodiment of the application at least includes the following processing steps:
Step 101, obtaining a target signal; the target signal characterizes that a first system of the first terminal has run to a target stage.
Alternatively, the first terminal is a client device, and may specifically be, but not limited to, a personal computer, a handheld device or portable device, a tablet device, a multiprocessor apparatus, or an electronic device that can be used as a client. And optionally, the first system is a basic input output system of the first terminal, i.e. BIOS.
The application modes of the first system of the first terminal comprise different modes such as a first mode and a second mode, and the application authority provided by the second mode over the first system is lower than that provided by the first mode. Optionally, the first mode is the manufacturer mode of the BIOS and the second mode is the user mode of the BIOS. The manufacturer mode provides the device manufacturer with the highest application authority over the terminal BIOS, to meet the production requirements of the factory environment. The user mode provides the user with the conventional functions of the terminal BIOS, and its application authority over the BIOS is lower than that of the manufacturer mode.
The control method of the embodiment of the application is mainly used for carrying out safe mode control on the first system of the first terminal.
Step 102, sending first information to a second terminal through a target connection; the target connection is established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created.
Optionally, the target program is configured to guide the first terminal to access the second terminal. For the case where the first system of the first terminal is the BIOS, it guides the BIOS of the first terminal to the operating system of the second terminal, which in essence establishes a communication connection between the first terminal and the second terminal.
The second terminal may be a server, and in particular may be a management server for managing (e.g. mode managing) the first system of the first terminal (e.g. the BIOS of the client device).
In the embodiment of the application, the first information serves two purposes. First, the first terminal uses it to make a mode request to the second terminal, i.e. to request that the first terminal enter the first mode of the first system. Second, it is used to verify the credibility of the second terminal, so that the first terminal obtains the authority to run the first mode of the first system only when the second terminal passes the verification: only a second terminal that passes the credibility verification is a trusted second terminal holding management authority over the first system of the first terminal, and only then does the first terminal obtain the authority to run the first mode, so that its first system can be controlled to enter the first mode.
Both the target program and the first information are generated when the first system is created.
For the case that the first system is the BIOS, the target program (or the network link that can be used to locate the target program) and the first information can be burned onto the chip of the first terminal together when the BIOS is burned onto the chip of the first terminal, so that the target program or the first information can be used as required when the method of the present application is executed.
When the basic input and output system of the first terminal runs to a target stage, the target program is triggered to execute the operation of guiding the first terminal to access the second terminal, so that the target connection between the first terminal and the second terminal is established.
The first terminal further transmits first information to the second terminal through the target connection on the basis of establishing the target connection between the first terminal and the second terminal.
Step 103, receiving second information fed back by the second terminal aiming at the first information.
The first terminal can specifically receive second information fed back by the second terminal aiming at the first information through the target connection.
Step 104, if the second information meets the target condition, controlling the first system to enter a first mode.
After receiving second information fed back by the second terminal aiming at the first information, the first terminal verifies whether the second terminal is credible by judging whether the second information meets a target condition.
The target condition characterizes the first terminal having the right to run said first mode of the first system, e.g. specifically characterizes the client device having the right to run the manufacturer mode of the BIOS.
Based on the set target condition, the first terminal can specifically verify whether the second information meets the target condition after receiving the second information fed back by the second terminal aiming at the first information, if so, the second terminal is characterized as a trusted second terminal, and the first terminal is characterized as obtaining the authority of the trusted second terminal for operating the first mode of the first system, so that the first system of the first terminal can be controlled to enter the first mode.
Subsequently, when the first terminal is restarted, in a target stage of the first system, the first mode of the first system is automatically restored to the off state, i.e., to the unopened state (so as to avoid automatically entering the first mode of the first system when the first terminal is started next time), and whether to control the first system of the first terminal to enter the first mode again can be determined according to the actual interaction and verification conditions of the first terminal and the second terminal in the target stage.
For example, when the client device such as a notebook computer runs to a target stage of the BIOS, the client device sends first information to the server based on the target connection, and after receiving second information fed back by the server, determines whether the received second information meets a target condition, if yes, the server is characterized as a trusted server, and the client device is characterized as obtaining authority of the trusted server for running the manufacturer mode of the BIOS, so that the BIOS of the client device can be controlled to enter the manufacturer mode.
Optionally, the BIOS of the client device is controlled to enter the manufacturer mode by setting the information bit of the BIOS manufacturer mode to the enabled state through an SMI (System Management Interrupt), for example setting the Manufacture Mode bit to enabled through SMI. When the client device is restarted, the BIOS re-initializes the Manufacture Mode bit to the disabled state at the target stage (i.e. restores the state in which the manufacturer mode is not started), and then determines, according to the actual interaction and verification between the client device and the server at the target stage, whether to set the Manufacture Mode bit of the BIOS to the enabled state for the current startup.
It is easy to understand that the first terminal does not control the first system to enter the first mode if the second information does not meet the target condition.
The related art unlocks (opens) the manufacturer mode of the BIOS of the electronic device by opening a tool for opening the manufacturer mode of the BIOS of the electronic device to a related person, which is easy to cause the tool to leak, so that different persons can open the manufacturer mode of the BIOS of the electronic device at will, thereby putting the device in an unsafe state. That is, in this manner, the manufacturer mode of the BIOS is passive with respect to the BIOS, and tool leakage may allow any person obtaining the tool to turn on this manufacturer mode at will, thereby affecting device security.
In the control method provided by the embodiment of the application, a first terminal firstly obtains a target signal representing that a first system of the first terminal operates to a target stage, after obtaining the target signal, sends first information to a second terminal through target connection, receives second information fed back by the second terminal aiming at the first information, and controls the first system to enter a first mode under the condition that the second information meets target conditions.
It can be seen that in the embodiment of the present application, the first terminal must first run its first system to the target stage and obtain the target signal indicating this. It then sends the first information to the second terminal over the target connection, which both requests entry into the first mode of the first system (for example, the manufacturer mode of the BIOS) and verifies whether the second terminal is trusted. Only when the second information fed back by the second terminal for the first information is obtained and determined to meet the target condition, thereby indicating that the second terminal is trusted, is the first system controlled to enter the first mode (for example, the BIOS is controlled to enter the manufacturer mode). Through this process, the first system of the first terminal, such as the BIOS, itself decides whether the first mode such as the manufacturer mode can be opened (it can be opened when the second terminal is trusted and cannot be opened otherwise) and when it is opened. For a first system such as the BIOS, opening the first mode is thus an active action of the first system rather than something opened passively by related personnel, so no tool for opening the first mode (such as the manufacturer mode of the BIOS) needs to be released to related personnel. Tool leakage is thereby avoided, the problem of device security being affected by tool leakage is solved, and the device security of the first terminal is improved.
In an alternative embodiment, the target phase includes a power-on self-test phase of the basic input output system. Step 101 in the method disclosed in the embodiment of the present application may be specifically implemented as: and responding to the basic input and output system of the first terminal to run to a power-on self-checking stage, and obtaining the target signal.
The target signal is obtained when the basic input and output system is operated to the power-on self-checking stage, so that the first terminal can control whether the first mode of the basic input and output system is started or not by executing the subsequent steps of the control method disclosed by the application in the power-on self-checking stage of the basic input and output system, for example, the control whether the manufacturer mode of the BIOS is started or not is realized, and the equipment safety of the first terminal is ensured.
In an alternative embodiment, the first information may be stored in a binary file of the first system, for example in a binary file of the BIOS, in particular when the first system is created and compiled.
The first information may be, but is not limited to, a random number in particular.
Optionally, the first information sent by the first terminal to the second terminal through the target connection is encrypted first information.
The encryption of the first information may be performed in real time by the first terminal when the first information needs to be sent to the second terminal, or performed in advance by the device that creates the first system when the first system is created; this is not limited. For example, when the BIOS is created and compiled, the device used for creating and compiling the BIOS both generates the first information (the random number) and encrypts it in advance. In the former embodiment, the binary file of the first system, such as the BIOS, stores unencrypted first information, such as an unencrypted random number. In the latter embodiment, the binary file of the first system stores the encrypted first information, such as an encrypted random number, and additionally stores the unencrypted first information, such as the original random number, which serves as the reference for the subsequent verification of the second information fed back by the second terminal.
For the former embodiment of performing the encryption operation on the first information, that is, the real-time encryption manner, the first terminal may specifically read the first information from the binary file of the first system thereof, encrypt the first information in the first manner or the second manner, and then send the encrypted first information (simply referred to as "encrypted first information") to the second terminal through the target connection, so that the second terminal decrypts the received information in the first manner or the second manner.
In the latter embodiment of the encryption operation on the first information, that is, the pre-encryption manner, on the basis of establishing the target connection between the first terminal and the second terminal, the first terminal may specifically read the first information encrypted based on the first manner or the second manner from the binary file of the first system thereof, and send the first information encrypted based on the first manner or the second manner to the second terminal through the target connection, so that the second terminal decrypts the received information according to the first manner or the second manner.
Optionally, the first manner is a symmetric encryption manner and the second manner is an asymmetric encryption manner (these encryption manners are distinct from the first and second modes of the first system).
The symmetric encryption method uses the same key when the encryption end encrypts and the decryption end decrypts, in which the first information is encrypted based on the shared key with the second terminal by the encryption end such as the first terminal (corresponding to real-time encryption) or the terminal creating the first system (corresponding to pre-encryption). And in an asymmetric encryption mode, a public key and a private key are used for pairing, wherein the public key is used for encrypting information, and the private key is used for decrypting information. Under the asymmetric encryption mode, the first terminal can encrypt the first information by using the public key of the trusted second terminal, and send the obtained encrypted first information to the second terminal through the target connection, and the subsequent second terminal needs to decrypt the first information by using the private key.
After receiving the encrypted first information sent by the first terminal over the target connection, the second terminal decrypts it with a decryption manner consistent with the manner in which it was encrypted, obtaining the second information: if the first information was encrypted in the first manner, the second terminal decrypts it in the first manner; if it was encrypted in the second manner, the second terminal decrypts it in the second manner.
Specifically, if the first information is encrypted in a symmetric encryption manner, the second terminal needs to decrypt the received encrypted first information based on the shared key with the encryption terminal; if the first information is encrypted in an asymmetric encryption mode, the second terminal needs to decrypt the received encrypted first information based on a private key matched with the public key of the encryption end, namely, the private key of the trusted second terminal.
In the embodiment of the present application, creating the first system may refer to creating the first system for the first time, that is, creating it anew, or to updating an already created first system for reasons such as an upgrade or a bug fix.
The second terminal is configured to decrypt, based on the first mode or the second mode, the encrypted first information sent by the first terminal. In this case the first information that the first terminal sends to the second terminal over the target connection is specifically the encrypted first information, and the second information that the second terminal feeds back for it is the result of decrypting that encrypted first information based on the first mode or the second mode. For example, the second terminal decrypts the encrypted first information with the same key as the encryption end, or with the private key matching the public key of the encryption end.
For the case in which the first terminal sends the encrypted first information to the second terminal and receives in return the second information obtained by the second terminal decrypting it, the target condition can specifically be set as: the second information is consistent with the first information, that is, the second information is identical to the first information.
Based on this target condition, after receiving the second information that the second terminal fed back by decrypting the encrypted first information, the first terminal verifies whether the second information is consistent with the first information it stores. If so, the second information is determined to meet the target condition, which characterizes the second terminal as a trusted second terminal and, at the same time, characterizes the first terminal as having obtained from the trusted second terminal the authority to run the first mode of the first system, so the first system of the first terminal can be controlled to enter the first mode.
In this way, the first terminal sends the encrypted first information to the second terminal and receives the second information obtained by the second terminal decrypting it, so that the trustworthiness of the second terminal can be verified by comparing whether the second information is consistent with the first information. Whether the first system of the first terminal may be started in the first mode is then controlled based on that verification, which effectively safeguards the operation of the first system on the first terminal and improves the device security of the first terminal.
In an alternative embodiment, the target program is an interface program created when the BIOS is created and stored in the binary file of the BIOS.
The interface program may be referred to as an interface program of a basic input output system.
Specifically, when the BIOS is created and compiled, the above interface program may be created and stored in the binary file of the BIOS once compilation is complete.
When the BIOS runs to the power-on self-checking stage, the interface program is triggered to execute and guides the first terminal to access the second terminal, so that a communication connection between the first terminal and the second terminal is established. For example, the BIOS of the client device is guided to access the operating system of the server, and a communication connection between the BIOS of the client device and the operating system of the server is established. This provides support for information exchange (such as the exchange of the first information and the second information) between the first terminal and the second terminal, correspondingly supports the first terminal in controlling the mode of the first system based on the second terminal, and ensures the device security of the first terminal.
In an alternative embodiment, the target program is a network bootstrap program (Network Boot Program, NBP) together with a corresponding network link, both created when the BIOS is created. The network bootstrap program is stored in the second terminal and the network link is stored in the binary file of the BIOS; when the BIOS runs to the power-on self-checking stage, the first terminal accesses the second terminal based on the network link and the network bootstrap program, so as to establish the communication connection between the first terminal and the second terminal.
The network link may specifically be the URL (Uniform Resource Locator) of the network bootstrap program.
In this embodiment, the URL of the network bootstrap program may optionally be stored in the binary file of the first system of the first terminal. Subsequently, when the first system of the first terminal runs to the target stage, the URL of the network bootstrap program is read from the binary file of the first system, the network bootstrap program in the second terminal is located through the URL, and the first terminal is guided to access the second terminal based on the network bootstrap program (for example, the BIOS of the first terminal is guided to the operating system of the second terminal), so as to establish the target connection between the first terminal and the second terminal and support communication between them.
An example of mode control of the BIOS of a client device based on this embodiment is given below.
Referring to fig. 2, in this example, when the BIOS is created and compiled, the URL of the network bootstrap program deployed on the server is saved into the BIOS binary file.
In the subsequent power-on self-checking stage of the BIOS of the client device, the URL is read and, through a designated physical network port and over HTTPS (Hypertext Transfer Protocol Secure), used to locate the network bootstrap program on the server, so that the connection between the client device and the server is established based on the network bootstrap program. After the connection has been established, the client device may send over it a random number encrypted with the public key of the trusted server, so that the server decrypts the encrypted random number with its private key and returns the decrypted random number to the client device. After receiving the random number returned by the server, the client device compares it with the random number it stores; if the two are the same, the Manufacture Mode bit of the BIOS is set to enable through an SMI, so that the BIOS of the client device is controlled to enter manufacturer mode based on that setting. Otherwise, if the two differ, or the client device receives no feedback from the server, the BIOS of the client device is controlled to enter user mode.
Through this control process, the first system of the first terminal, such as the BIOS, can itself determine whether the first mode may be opened (it may be opened when the second terminal is trusted and may not be opened when it is not) and when it is opened. For the first system, such as the BIOS, opening the first mode is therefore an active action of the first system rather than something that must be opened passively by related personnel, and correspondingly the tools for opening the first mode of the first system (such as the manufacturer mode of the BIOS) do not need to be handed out to related personnel. This avoids tool leakage, overcomes the problem that tool leakage affects device security, and improves the device security of the first terminal.
In addition, storing the target program, such as the network bootstrap program, in the second terminal and storing only its network link in the first system of the first terminal further reduces the storage space required on the first terminal, saving storage resources of the first terminal.
In an alternative embodiment, referring to the flowchart of a control method shown in fig. 3, after receiving the second information fed back by the second terminal for the first information, the control method provided in the embodiment of the present application may further include the following processing:
Step 105: if the second information does not meet the target condition, control the first system to enter a second mode.
Optionally, the second information not meeting the target condition may mean that the first terminal receives second information fed back by the second terminal for the first information, but the second information is inconsistent with, that is, different from, the first information stored by the first terminal.
In this embodiment, the first terminal specifically verifies whether the received second information is consistent with the first information it stores. If it is not, the first terminal determines that the second information does not meet the target condition, which characterizes the second terminal as an untrusted second terminal and, at the same time, characterizes the first terminal as not having obtained from a trusted second terminal the authority to run the first mode of the first system; in this case the first system of the first terminal is controlled to enter the second mode.
The second mode provides lower application rights to the first system than the first mode.
For example, after receiving the random number fed back by the server, a client device such as a notebook computer compares the received random number with the one it stores to determine whether the two are the same. If they differ, the server is characterized as an untrusted server, and the client device is characterized as not having obtained from a trusted server the authority to run the manufacturer mode of the BIOS.
The cases are not limited to the above: the second information not meeting the target condition may also mean that the second terminal does not feed back any second information, for example, the first terminal receives no feedback from the second terminal within a set timeout period. In that case it is likewise determined that the second information (which may here be regarded as null information) does not meet the target condition, and accordingly the first system of the first terminal is controlled to enter the second mode.
In practice, the second information is determined not to satisfy the target condition when either of the above cases occurs.
In this embodiment, the second information fed back by the second terminal (regarded as null information when the second terminal feeds nothing back) is verified, and the first system of the first terminal is controlled to enter the second mode when the second information does not meet the target condition. This effectively prevents an untrusted second terminal from opening the first mode of the first system on the first terminal, safeguards the operation of the first mode of the first system on the first terminal, and correspondingly ensures the device security of the first terminal.
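The exchange described above, as an added example that is not code from the patent or its applicant: the client-side decision of the asymmetric mode in Go, with RSA-OAEP standing in for the unspecified public-key scheme, a responder function standing in for the target connection, and a hypothetical register bit standing in for the Manufacture Mode bit. It covers the outcomes the text distinguishes: matching second information enters the first mode, while a server holding a different private key or no feedback within the timeout (null second information) leaves the BIOS in the second mode; the symmetric shared-key mode would swap the encryptor and responder pair and is not shown.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Mode is the mode the first system (the client BIOS) enters after the check.
type Mode int

const (
	UserMode         Mode = iota // second mode: lower application rights
	ManufacturerMode             // first mode: the manufacturer mode
)

// Hypothetical register bit standing in for the "Manufacture Mode bit" the
// page says is set through an SMI; the real register layout is not on the page.
const manufactureModeBit uint8 = 1 << 0

// ApplyMode returns the control register after the mode decision: the bit is
// set only for the first mode and cleared for the second mode.
func ApplyMode(reg uint8, m Mode) uint8 {
	if m == ManufacturerMode {
		return reg | manufactureModeBit
	}
	return reg &^ manufactureModeBit
}

// Encryptor is the client-side encryption of the first information; the
// asymmetric variant is shown here.
type Encryptor func(first []byte) ([]byte, error)

// Responder models the target connection to the second terminal: it takes the
// encrypted first information and returns the server's second information.
type Responder func(ciphertext []byte) ([]byte, error)

// AsymmetricEncryptor encrypts with the public key of the trusted server.
func AsymmetricEncryptor(pub *rsa.PublicKey) Encryptor {
	return func(first []byte) ([]byte, error) {
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, first, nil)
	}
}

// AsymmetricServer is a second terminal that decrypts with its private key and
// feeds the plaintext back; a server holding a different key fails to decrypt.
func AsymmetricServer(priv *rsa.PrivateKey) Responder {
	return func(ct []byte) ([]byte, error) {
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	}
}

// DecideMode is the client-side decision at the power-on self-checking stage:
// encrypt the stored first information, send it, wait at most timeout for the
// second information, and enter the first mode only if it equals the stored
// value. No feedback within the timeout, or a decryption failure on the server
// side, is treated as null second information and fails the target condition.
func DecideMode(first []byte, enc Encryptor, send Responder, timeout time.Duration) Mode {
	ct, err := enc(first)
	if err != nil {
		return UserMode
	}
	ch := make(chan []byte, 1)
	go func() {
		second, err := send(ct)
		if err != nil {
			second = nil // server could not decrypt: null feedback
		}
		ch <- second
	}()
	var second []byte
	select {
	case second = <-ch:
	case <-time.After(timeout):
		second = nil // no feedback within the timeout period
	}
	if second != nil && bytes.Equal(second, first) {
		return ManufacturerMode
	}
	return UserMode
}

func main() {
	// Constructed values: the key pair stands in for the trusted server's keys
	// and the byte string for the random number generated at BIOS creation.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	first := []byte("constructed-random-number-0001")
	mode := DecideMode(first, AsymmetricEncryptor(&priv.PublicKey), AsymmetricServer(priv), time.Second)
	fmt.Printf("mode=%d register=%#x\n", mode, ApplyMode(0, mode))
}
```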
In an alternative embodiment, the target connection may further be established as follows: under a target environment, the first terminal establishes the target connection with the second terminal based on the target program.
The target environment at least characterizes that the first terminal accesses the second terminal through a physical network port authorized by the second terminal. More specifically, the target environment at least characterizes that the first terminal accesses the trusted second terminal through a physical network port authorized by the trusted second terminal.
In this embodiment, the first terminal must access the trusted second terminal through a physical network port authorized by the trusted second terminal, and only on that premise does it establish the target connection with the trusted second terminal based on the target program.
For example, provided that the client device accesses the trusted server through a physical network port authorized by the trusted server, when the BIOS of the client device runs to the power-on self-checking stage, the interface program in the BIOS binary file is triggered to execute the operation of guiding the first terminal to access the second terminal, so that the communication connection between the first terminal and the second terminal is established.
In this way, the target connection between the first terminal and the second terminal can be established based on the target program only under the target environment, in which the first terminal must access the trusted second terminal through a physical network port authorized by the trusted second terminal. Whether the first mode of the first system on the first terminal is opened is thus constrained at the level of software combined with hardware, which effectively prevents the first mode from being opened automatically because the first system (such as the basic input output system) is automatically guided to a server after the first terminal is shipped, and therefore prevents the normal use of the user mode of the first system on the first terminal from being affected after shipment, while also ensuring the device security of the first terminal.
Corresponding to the above control method, the embodiment of the present application further provides a control device whose structure is shown in fig. 4 and which at least includes:
An acquisition module 401, configured to acquire a target signal; the target signal characterizes a first system of the first terminal to run to a target stage;
A sending module 402, configured to send first information to a second terminal through a target connection; the target connection is established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created;
A receiving module 403, configured to receive second information fed back by the second terminal for the first information;
The detection and control module 404 is configured to control the first system to enter a first mode if the second information is detected to meet a target condition.
In an optional implementation manner, the establishing manner of the target connection further includes:
Under a target environment, the first terminal establishes the target connection with the second terminal based on a target program; the target environment at least characterizes that the first terminal accesses the second terminal through a physical network port authorized by the second terminal.
In an alternative embodiment, the obtaining module 401 is specifically configured to: responding to the basic input and output system of the first terminal to run to a power-on self-checking stage, and obtaining the target signal; the first system comprises the basic input and output system, and the target stage comprises a power-on self-checking stage of the basic input and output system.
In an alternative embodiment, the target program includes one of the following:
The target program is an interface program which is created when the basic input output system is created and stored in a binary file of the basic input output system, and the target program is triggered to execute and guide the first terminal to access the second terminal when the basic input output system runs to a power-on self-checking stage;
The target program is a network bootstrap program and a corresponding network link, wherein the network bootstrap program is created when the basic input and output system is created, the network bootstrap program is stored in the second terminal, the network link is stored in a binary file of the basic input and output system, and the first terminal is accessed to the second terminal based on the network link and the network bootstrap program when the basic input and output system runs to a power-on self-checking stage.
In an alternative embodiment, the target condition characterizes that the first terminal has the right to run the first mode of the first system.
In an alternative embodiment, the detection and control module 404 is further configured to: if the second information is detected not to meet the target condition, controlling the first system to enter a second mode;
The application authority provided by the second mode for the first system is lower than the application authority provided by the first mode for the first system.
In an alternative embodiment, the sending module 402 is specifically configured to: reading the first information from the first system, encrypting the first information in a first mode or a second mode, and then sending the first information to the second terminal, so that the second terminal decrypts the received information in the first mode or the second mode to obtain the second information;
the control module 404 is specifically configured to, when determining that the second information meets the target condition, control the first system to enter the first mode:
If the second information is consistent with the first information stored in the first terminal, determining that the second information meets the target condition, and controlling the first system to enter the first mode.
In an alternative embodiment, the detection and control module 404 is further configured to perform one of the following:
if the second information is inconsistent with the first information stored by the first terminal, determining that the second information does not meet a target condition;
If the second information is not fed back by the second terminal, determining that the second information does not meet the target condition.
Since the control device disclosed in the embodiment of the present application corresponds to the control method disclosed in the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment, which is not repeated here.
The embodiment of the application also discloses an electronic device, and the composition structure of the electronic device, as shown in fig. 5, at least comprises:
a memory 10 for storing a set of computer instructions;
The set of computer instructions may be implemented in the form of a computer program.
A processor 20 for implementing the control method disclosed in any of the method embodiments above by executing the set of computer instructions.
The processor 20 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field-programmable gate array (FPGA), a neural network processor (NPU), a deep learning processor (DPU), or another programmable logic device.
The electronic device is provided with a display device and/or a display interface, and can be externally connected with the display device.
Optionally, the electronic device further includes a camera assembly, and/or an external camera assembly is connected thereto.
In addition, the electronic device may include communication interfaces, communication buses, and the like. The memory, processor and communication interface communicate with each other via a communication bus.
The communication interface is used for communication between the electronic device and other devices. The communication bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on.
It should be noted that the embodiments in this specification are described in a progressive manner, each embodiment focusing on its differences from the others, while identical or similar parts of the embodiments may be referred to each other.
For convenience of description, the above system or apparatus is described as being functionally divided into various modules or units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general hardware platform. Based on this understanding, the technical solution of the present application, essentially or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk, or an optical disk, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method described in the embodiments, or in parts of the embodiments, of the present application.
Finally, it is further noted that relational terms such as first, second, third, fourth, and the like are used herein to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a preferred embodiment of the present application. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.
Claims (10)
1. A control method, comprising:
obtaining a target signal; the target signal characterizes a first system of the first terminal to run to a target stage;
Sending first information to a second terminal through target connection; the target connection is established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created;
receiving second information fed back by the second terminal for the first information, and controlling the first system to enter a first mode if the second information meets a target condition.
2. The control method according to claim 1, wherein the establishing manner of the target connection further includes:
Under a target environment, the first terminal establishes the target connection with the second terminal based on a target program; the target environment at least characterizes that the first terminal accesses the second terminal through a physical network port authorized by the second terminal.
3. The control method according to claim 1, wherein obtaining the target signal comprises:
Responding to the basic input and output system of the first terminal to run to a power-on self-checking stage, and obtaining the target signal; the first system comprises the basic input and output system, and the target stage comprises a power-on self-checking stage of the basic input and output system.
4. The control method according to claim 3, wherein the target program comprises one of:
The target program is an interface program which is created when the basic input output system is created and stored in a binary file of the basic input output system, and the target program is triggered to execute and guide the first terminal to access the second terminal when the basic input output system runs to a power-on self-checking stage;
The target program is a network bootstrap program and a corresponding network link, wherein the network bootstrap program is created when the basic input and output system is created, the network bootstrap program is stored in the second terminal, the network link is stored in a binary file of the basic input and output system, and the first terminal is accessed to the second terminal based on the network link and the network bootstrap program when the basic input and output system runs to a power-on self-checking stage.
5. The control method according to claim 1, wherein the target condition characterizes that the first terminal has the right to run the first mode of the first system.
6. The control method according to claim 1, further comprising, after receiving second information fed back by the second terminal for the first information:
If the second information does not meet the target condition, controlling the first system to enter a second mode;
The application authority provided by the second mode for the first system is lower than the application authority provided by the first mode for the first system.
7. The control method according to any one of claims 1 to 6, wherein sending first information to the second terminal through the target connection comprises:
Reading the first information from the first system, encrypting the first information in a first mode or a second mode, and then sending the first information to the second terminal, so that the second terminal decrypts the received information in the first mode or the second mode to obtain the second information;
and controlling the first system to enter the first mode if the second information meets the target condition comprises:
if the second information is consistent with the first information stored in the first terminal, determining that the second information meets the target condition, and controlling the first system to enter the first mode.
8. The control method according to claim 7, further comprising one of:
if the second information is inconsistent with the first information stored by the first terminal, determining that the second information does not meet a target condition;
if the second information is not fed back by the second terminal, determining that the second information does not meet the target condition.
9. A control apparatus comprising:
The acquisition module is used for acquiring a target signal; the target signal characterizes a first system of the first terminal to run to a target stage;
The sending module is used for sending the first information to the second terminal through the target connection; the target connection is established by the first terminal with the second terminal based on a target program, the target program and the first information being generated when the first system is created;
the receiving module is used for receiving second information fed back by the second terminal aiming at the first information;
and the detection and control module is used for controlling the first system to enter a first mode under the condition that the second information is detected to meet the target condition.
10. An electronic device, comprising:
a memory for storing at least one set of computer instructions;
a processor for implementing the control method according to any one of claims 1-8 by executing the set of instructions stored in the memory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410232992.4A CN118036017A (en) | 2024-02-29 | 2024-02-29 | Control method and device and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118036017A true CN118036017A (en) | 2024-05-14 |
Family
ID=91001962
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410232992.4A Pending CN118036017A (en) | 2024-02-29 | 2024-02-29 | Control method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118036017A (en) |
- 2024-02-29 CN CN202410232992.4A patent/CN118036017A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||