Design And Research Of Security Architecture Based On EFI And Dual-Core

Posted on: 2009-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y Xie
GTID: 2178360242476727
Subject: Computer system architecture

Abstract/Summary:
Recently, EFI, the successor to the legacy BIOS, and dual-core technology have developed rapidly, made fairly great progress and reached important results, but many problems remain under investigation. Meanwhile, with the development of information technology and the growing popularity of computers, the real world increasingly depends on computer systems, and the security of the operating system is increasingly important. A secure operating system should provide confidentiality and integrity assurances. Furthermore, current research on platform security mechanisms focuses on using virtualization technology to run two systems simultaneously and to implement a security strategy for the operating system. In view of these aspects, this paper presented and designed an efficient security system architecture based on EFI and dual-core, named DESA (Dual-core and EFI-based Security Architecture). The architecture uses the two cores to run EFI and the operating system simultaneously in a physical way, with each CPU core independently in charge of one system platform. In particular, the DESA architecture provides hardware partitioning of the whole platform to achieve physical isolation. Moreover, in order to protect and enhance the security of the computer platform, the EFI environment executes security strategy services for the whole platform as the Trusted Computing Base in the DESA architecture.

In the DESA architecture, EFI provides a secure domain that is physically and logically separated from the operating system, and it also performs several security component services such as real-time monitoring, co-processing and auditing. Thus, some basic knowledge was described briefly at first, such as an overview of the EFI architecture and the concept and booting phases of the EFI framework. At the same time, a security analysis of EFI and its framework was presented to provide theoretical support for the design of the DESA architecture: the EFI specification provides a secure and standard environment for booting an operating system if there is a chain-of-trust model for the platform. After that, some features and technologies of dual-core were described.

Next we designed the DESA architecture and presented its framework and design principles. We also discussed the functions and features of the various modules in DESA, studied the concept of the secure boundary, listed the components in the dynamic boundary after platform post up, and briefly analyzed DESA's security features. The main ideas of the design elements were discussed and researched under the DESA architecture, and an implementation of the solution was given along with some technical difficulties that were overcome, such as dual-core support by EFI, EFI multithreading simulation, the shared memory communication mechanism and the cryptographic engine design. In addition, the paper proposes introducing a Trusted Platform Module (TPM) into the DESA architecture to enhance platform security.

Finally, we designed and implemented a prototype for real-time monitoring of, and secure access to, a virtual disk based on the DESA architecture. The purpose of this experiment is to monitor the operating system and securely control a USB disk so that it cannot be accessed by an untrusted operating system under DESA. Security analysis and efficiency tests of the experiment show that the DESA architecture can improve the security of the platform and system and also performs well; it can enhance security services for the operating system at low performance cost.
Keywords/Search Tags: EFI, Dual-core, Security Architecture, Secure Boundary, Multithread, Virtual Disk, Real-time Monitor, Secure Access