Research And Implementation Of Computer Remote Trusted Startup Based On UEFI

With the rapid development of science and technology,informatization has become a major trend in the current era.Informatization provides people with convenience and speed,and its security is also facing new challenges.The national standard "Information Security Technology-Baseline for Classified Protection of Cybersecurity" puts forward the requirement that important systems need to provide credible verification.Currently,many important national-level information systems have implemented grade protection in accordance with this standard.In environments such as cloud computing and data centers,the installation of server operating systems is done through PXE technology.Compared with the traditional operating system startup method,this method can simultaneously deploy and install multiple computer operating systems.No matter what kind of operating system startup method is,it is inseparable from the support of the underlying firmware.UEFI is currently the most mainstream firmware type.As a substitute for BIOS,UEFI has been significantly enhanced in development efficiency and scalability,but there are also new security risks.Trusted startup as the basis of trusted verification,its security mechanism has always been a hotspot of people's research.At present,there is a sophisticated solution for the trusted startup of UEFI-based computers in a single-machine environment,and the security solution for remote startup of network-based computers is still to be studied.Therefore,it is of great significance to study the remote trusted startup of computers based on UEFI.The main work of this article is as follows:(1)Aiming at the security threats existing in the remote boot process of the UEFI system computer,through the research of various stages of UEFI system startup and PXE technology,combined with the theory of trusted computing,the overall framework of UEFI-based computer remote trusted boot is proposed,safe and reliable power-on and platform initialization to remote loading of the operating system is achieved.(2)In view of the current security problems of the UEFI system computer,by studying the specific implementation of the firmware system and the attacker's principle of attacking the file system,this study takes the first stage after the UEFI system startup and the custom driver module as the root of trust,a security measurement mechanism for the firmware system is introduced to ensure the securityof the client firmware file system before PXE starts.(3)In view of the security problems existing in the process of file transmission between the server and the client in the PXE technology,this study analyzes the UEFI network protocol stack and ensures the security of the file transmission by the PXE server at the UEFI system level through digital signature technology.Meanwhile,a correspondence way is built between the PXE server and the client to solve the problem that the client cannot report the operating system startup status to the PXE server.Finally,an attack is designed to test the security of the computer based on the security scheme during the remote startup process,the experimental results show that,in terms of function,the security of the computer based on the security scheme during the remote startup process is greatly enhanced;in terms of performance,the boot time has increased by an average of 39% since the driver module was introduced during the startup process.Therefore,the security scheme not only improves the security but also reduces the startup efficiency of the computer to a certain extent.