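Research and Implementation of an EFI-Based Trusted Virtual Machine System
【Author】 Yang Ming (杨明);
【Advisor】 She Kun (佘堃);
【Author information】 University of Electronic Science and Technology of China, Computer Software and Theory, 2012, Master's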
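【Summary】 EFI (Extensible Firmware Interface) is the next-generation BIOS interface specification proposed by Intel. Because it is convenient for users to operate and is functionally equivalent to a small operating system, it is gradually replacing the traditional BIOS. However, EFI does not resolve the security risks faced by the traditional BIOS, and because it supports functions such as network communication and access to hard-disk data at a low level, the security situation it faces is even more serious. Traditional security defense systems are all based on the operating system and rely on passive defense, so they are helpless against viruses such as CIH that attack system hardware directly. In addition, with the rapid development of communication and Internet technology, information is in a period of explosive growth; in particular, with the rapid rise of the cloud computing industry in recent years, the global information industry is undergoing a huge transformation driven by cloud computing. In the cloud computing era, users' data and the IT services they enjoy depend on the virtualization layer of the cloud computing environment, and information security can be ensured only by ensuring the security of the computer and the virtual machine manager. How to ensure the security of the EFI BIOS, the operating system and the virtual machine manager is therefore an urgent problem in the field of information security. Through an analysis of the EFI specification, and drawing on trusted computing technology centered on active defense, this thesis proposes a design for a complete chain of trust that uses a USB flash drive as the boot device and runs from EFI to the operating system and then to the virtual machine. It also develops a trusted management center to configure and manage the whole system. This remedies the shortcoming that traditional security technologies are built on top of the operating system, achieves trust across the whole process from EFI to system boot, and thereby improves the trustworthiness and integrity of data. The advances of this thesis are: (1) it implements an EFI-based signature verification algorithm and proposes an active defense scheme, solving the poor security of traditional OS-based passive defense; (2) it proposes using a portable USB flash drive as the trusted boot device, combined with an upper-layer configuration management module, to achieve centralized management of multiple PCs, with the advantages of flexibility and good scalability.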
【Abstract】 EFI (Extensible Firmware Interface) is the next-generation BIOS interface specification developed by Intel. Because it is easy to use and is similar to an operating system, EFI is gradually replacing the legacy BIOS. EFI does not solve the security risks faced by the legacy BIOS; coupled with its support for network communication without an operating system and its easy access to hard disk data, it faces a very serious security situation. Traditional security and defense systems are based on the operating system and take a form of passive defense, so they are helpless when a virus, such as the CIH virus, attacks the hardware.

In addition, with the rapid development of communication and Internet technology, information has been growing rapidly in recent years. In particular, the cloud computing industry is developing at a rapid speed, and the global information industry is undergoing a dramatic change driven by it. In the cloud computing era, the user's data and IT services rely on the virtual layer of the cloud computing environment, so we must ensure the security of information by ensuring the security of computers and the virtual machine manager. Therefore, how to ensure the safety of the EFI BIOS, the operating system and the virtual machine manager is an urgent problem in the field of information security.

In this thesis, we designed a security scheme that forms a chain of trust from EFI to the operating system and the virtual machine manager, using the U disk as a boot device, coupled with a trusted management center to configure and manage the entire system. With it we can overcome the shortcoming of traditional security being based on the operating system and realize a trusted system from EFI to the operating system. Thereby, the credibility and integrity of the data are increased.

The advances of this thesis are:
(1) The signature verification algorithm based on EFI is realized, and a set of active defense measures is designed to solve the traditional security issues based on the operating system;
(2) A scheme is proposed with the portable U disk as a trusted boot device, combined with the upper configuration management module to manage more computers, so it has the advantages of flexibility and scalability.