In recent years, information processing terminals (information processing apparatuses) that include a security chip (security function module), such as a TPM, to improve the security level have become well known.
A TPM is a security chip, as a security control unit compliant with the standard defined by the Trusted Computing Group (TCG), i.e., a standardization organization. A TPM is integrated into a motherboard (system board) of an information processing apparatus, and is configured to include a non-volatile memory storing an encryption key (core encryption key) and the like used for secure communications and a special-purpose microprocessor for encryption processing, for example.
Upon startup, the information processing apparatus uses the TPM to check whether its hardware or software has been tampered with, and aborts the startup if some sort of unauthorized activity is found, thereby realizing security management at the hardware level.
FIG. 10 is a diagram schematically illustrating the configuration of a conventional personal computer (PC); FIG. 11 is a diagram schematically illustrating connections for a TPM in an information processing apparatus; and FIG. 12 is a diagram illustrating the storing of platform configuration register (PCR) values in a conventional PC.
A PC 1001, i.e., an information processing apparatus, is disclosed in FIG. 10. The PC 1001 includes an operating system (OS) 1002, an OS loader 1003, firmware 1004, central processing units (CPUs) 1005 as computation units, I/O cards 1006, and a TPM 1007.
The TPM 1007 includes a PCR 1008 and a hash engine 1011 (see FIG. 12). The hash engine 1011 is adapted to convert configuration information (binary code) of the PC 1001 into a unique value, known as a hash value, using a mathematical technique, known as a hash algorithm, and is implemented by a microprocessor, for example.
The configuration information may include the code and settings of the firmware 1004, the code and settings of firmware of the extension cards 1006, and the code and settings of the OS loader 1003, for example.
These pieces of configuration information are hashed by the hash engine 1011 in the TPM 1007 provided in a system board SB #00 (see FIG. 12), and the resultant hash is stored in the PCR 1008 as a PCR value.
The PCR 1008 is a register for storing information on the platform, and retains a hash value (PCR value) and the like generated by the hash engine 1011 described above. The PCR 1008 is embodied by a storage circuit, such as a memory device.
In the example depicted in FIG. 12, five storage areas of PCR 0 to PCR 5 are depicted in the PCR 1008, and a hashed value of the code of the firmware 1004 is stored in the PCR [0]. Similarly, a hashed value of the settings of the firmware 1004 is stored in the PCR [1], a hashed value of the code of the firmware of the extension cards 1006 is stored in the PCR [2], and a hashed value of the settings of the extension cards 1006 is stored in the PCR [3]. Furthermore, a hashed value of the code of the OS loader 1003 is stored in the PCR [4], and a hashed value of the settings of the OS loader 1003 is stored in the PCR [5].
The firmware 1004 collects the configuration information of the platform upon startup of the PC 1001, converts the configuration information to a PCR value (hash value, configuration measurement value) using the hash engine in the TPM 1007, and stores it in the PCR 1008.
When a PCR value is stored into the PCR 1008, what is stored is a hash of the PCR value previously stored in the PCR 1008 together with the value of the configuration information to be added. Because each new value is hashed together with the value that was previously written, tampering with the PCR so that it holds a chosen value is difficult.
The TPM 1007 is connected to a south bridge 1009 in the PC 1001, as depicted in FIG. 11, such that the OS 1002 and the like can read a PCR value stored in the PCR 1008 in the TPM 1007 via the south bridge 1009.
In the PC 1001, whether or not the configuration of the platform has been modified is detected using the PCR value read from the PCR 1008. Hereinafter, such a function for detecting whether the configuration has been modified using the PCR value is referred to as the “configuration lock function”.
With the configuration lock function, upon startup of the PC 1001, the firmware 1004 stores configuration information of the system board into the TPM 1007. The configuration information is hashed by the hash engine 1011 in the TPM 1007, and the resultant hash is stored in the PCR 1008 as a PCR value.
The configuration lock function can assume two states: the locked and unlocked states. When the PC 1001 starts in the unlocked state, the OS 1002 reads the PCR value stored in the PCR 1008 in the TPM 1007 and saves it into a hard disk drive (HDD) 1010 (see Arrow A in FIG. 11). The unlocked state is the state wherein whether the configuration is modified is not checked upon startup of the PC 1001.
In contrast, when the PC 1001 starts in the locked state, the OS 1002 reads the PCR value stored in the HDD 1010 and compares the PCR value stored in the HDD 1010 with the PCR value stored in the PCR 1008 in the TPM 1007 (see Arrow B in FIG. 11). The locked state refers to the state wherein whether the configuration is modified is checked upon startup of the PC 1001.
In the locked state, if the PCR value stored in the PCR 1008 in the TPM 1007 matches the PCR value stored in the HDD 1010, the OS 1002 determines that the configuration of the PC 1001 has not been modified and starts the PC 1001 normally. Otherwise, if the PCR values do not match, the OS 1002 determines that the configuration of the PC 1001 has been modified and aborts any subsequent processing (startup processing) of the OS 1002 or issues a warning to an operator, for example.
The processing upon startup of the conventional PC 1001 will be described with reference to the flowchart (steps A10 to A100) depicted in FIG. 13.
When the PC 1001 is powered on, the firmware 1004 stores configuration information in the TPM 1007. The configuration information is hashed by the hash engine 1011 in the TPM 1007, and the resultant hash is stored in the PCR 1008 as a PCR value (Step A10).
In the unlocked state, the OS 1002 reads the PCR value from the PCR 1008 in the TPM 1007 and saves it into the HDD 1010 (Step A20).
The OS 1002 changes the PC 1001 from the unlocked state to the locked state (Step A30), and the PC 1001 is rebooted (Step A40).
During this reboot process, the firmware 1004 stores the configuration information in the TPM 1007. The configuration information is hashed by the hash engine 1011 in the TPM 1007, and the resultant hash is stored in the PCR 1008 as a PCR value (Step A50).
The OS 1002, in the locked state, reads the PCR value from the PCR 1008 in the TPM 1007 (Step A60), and compares the PCR value read from the TPM 1007 with the PCR value stored in the HDD 1010 (Step A70).
More specifically, the OS 1002 determines whether the PCR value stored in the HDD 1010 matches the PCR value read from the TPM 1007 (Step A80). If the PCR values do not match (see the NO route in Step A80), the OS 1002 determines that the configuration of the PC 1001 has been modified and aborts the startup of the PC 1001 or issues a warning to an operator (Step A100).
In contrast, if the PCR values match (see the YES route in Step A80), the OS 1002 starts the PC 1001 normally by continuing execution of the subsequent startup processing (Step A90).
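The following sketch models the startup flow of steps A10 to A100 together with the chained PCR update described earlier. It is an added illustration, not code from the original document: the class and function names, the use of SHA-256, the dict standing in for the HDD 1010 and the sample configuration bytes are all assumptions.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256   # assumption: the text does not name the hash algorithm
PCR_COUNT = 6             # PCR[0]..PCR[5], as listed in the FIG. 12 description


class Tpm:
    """Toy model of the PCR 1008 and hash engine 1011 (hypothetical names)."""

    def __init__(self):
        # Every PCR starts at all zeros on each power-on.
        self.pcr = [bytes(DIGEST().digest_size) for _ in range(PCR_COUNT)]

    def extend(self, index, data):
        # New value = H(previous PCR value || H(data)); a PCR is never
        # overwritten directly, so it cannot simply be set to a chosen value.
        measurement = DIGEST(data).digest()
        self.pcr[index] = DIGEST(self.pcr[index] + measurement).digest()


def measure_platform(config):
    """Steps A10/A50: the firmware feeds each configuration item to the TPM."""
    tpm = Tpm()
    for index, blob in enumerate(config):
        tpm.extend(index, blob)
    return tpm.pcr


def boot(config, hdd):
    """One startup of the PC; `hdd` is a dict standing in for the HDD 1010."""
    current = measure_platform(config)
    if not hdd.get("locked"):
        hdd["pcr"] = current      # Step A20: save the PCR values
        hdd["locked"] = True      # Step A30: change to the locked state
        return "saved"
    # Steps A60 to A80: compare the fresh PCR values with the saved ones.
    same = hmac.compare_digest(b"".join(current), b"".join(hdd["pcr"]))
    return "started" if same else "aborted"   # Step A90 / Step A100


# Constructed sample configuration, in PCR order 0..5.
CONFIG = [b"fw-code-v1", b"fw-settings", b"card-fw-code",
          b"card-settings", b"loader-code", b"loader-settings"]
```

Calling boot() twice with the same configuration saves the values and then starts normally; changing any single item, such as the OS loader code, makes the next locked startup abort.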
Let's assume the case wherein a system board including a TPM as described above is applied to a server system having multiple system boards.
In server systems used in a backbone system, higher availability and operations with flexible allocation of resources (hardware resources) are required. As a technique to achieve such high availability and flexible allocation of resources, a function has been used in a server system in which a single system is divided into multiple domains (partitions), and a respective operating system is executed on each of the domains. Such a function is known as “multi partition function”.
In the operation of server systems in mission-critical applications, it is required that processing can be continued even when any of multiple system boards experiences an error (failure), without causing any delay in the business operations.
In order to meet such a requirement, a technique is known wherein system boards are swapped if an error occurs in one system board. More specifically, upon a subsequent reboot of a partition including the failed system board, the failed system board is swapped with a spare system board of a similar configuration.
Since this spare system board includes firmware of the same version and the hardware (such as a CPU and memory) in the same configuration as those in the system boards being operated, the configuration within the partition is maintained even after the system boards are swapped.
However, TPMs are provided uniquely to the respective system boards, and each hash engine generates a hash value using a hash that is unique to each TPM. Accordingly, even if the same configuration information is passed from the firmware, the respective TPMs generate different PCR values.
More specifically, since the TPMs provided in system boards are also swapped during swapping of the system boards, a different PCR value will be stored in the PCR 1008 although the system board has the same configuration and the same configuration information is input.
Accordingly, in a conventional server, when the configuration lock function of the TPMs is enabled, the OS is not started on a spare system board after a system board experiencing some sort of error is swapped with the spare system board. This may have a negative impact on operations of the server system. On the other hand, if the configuration lock function is disabled in order to operate the server system smoothly, the TPM function for detecting tampering and the like of the platform is not exploited, making improvement in the reliability of the system difficult.
Patent Reference 1: Japanese Laid-open Patent Publication No. 2006-323814
Patent Reference 2: Japanese Laid-open Patent Publication No. 2005-301550