1. Field of Invention
The present invention relates to computer systems, more particularly, to a computer system and a method for performing integrity detection on the system before booting the operating system.
2. Description of Prior Art
Currently, computer network technologies play a role in various aspects of individuals and corporations. The requirement for security of computers is increasing. And people expect to ensure that the system operates in a reliable operating system environment from booting. That a system is initialized from a secure and clean system is the basis of anti-virus operations and protection from virus' inbreak. If the current running operating system is an unreliable running environment which has been infected, the subsequent security measures will be invalid. Therefore, a computer system and a method for realizing integrity detection immediately before initializing the system is needed to ensure the initialized operating system environment to be a secure trustable operation environment.
Generally, the integrity detection on the operating system is performed in the external system before the operating system starts to run. Therefore, a solution to the problems mentioned above is descried as follows:
The integrity detection on the operating system by the switching method through the dual-mode operating system is utilized. The computer system is installed with two operating systems, that is, it is installed with an additional small operating system in addition to the main operating system. In the computer bottom firmware running (Pre-boot) stage, it chooses to enter the additional small operating system, in which the integrity detection on the main operating system is performed. After the detection is finished, a flag bit is set and the system is reboot. The computer system automatically enters into the main operating system according to the setting of the flag bit and runs.
The disadvantages of the method include:
Disadvantage 1: Users need to switch the computer working mode frequently, which is not convenient; the additional small operating system (even it is reduced) still occupies much storage spaces of the system, increasing the cost of the computer's storage spaces.Disadvantage 2: The method doesn't satisfy the strictness of the security and credibility chain. After the integrity detection on the main operating system is performed in the additional small operating system, the system must be reboot, resulting in that the security and credibility chain is broken and the security attack for the “additional operating system” also exists, and there is no scheme to ensure the reliability of the additional operating system.Disadvantage 3: A flag bit must be set in the control process of the scheme to distinguish whether the procedure needs to enter the “additional operating system” or the procedure needs to enter the main operating system after the detection is finished. This increases the cost and the complexity of the scheme. There is still a secure hold caused by setting a flag bit. An ineligible users can skip the integrity detection on the system by simulating the flag bit. Meanwhile, the system needs to be rebooted after the detection is finished. There is room for improving the experiences of the users in this regard.
It can be seen that only when the operating system integrity detection and reliability detection are finished in the computer bottom firmware running stage (that is Pre-boot stage), it can ensure the coherence and continuity of the security and credibility chain to satisfy the security requirements. The operating system can be directly booted after the detection is finished, avoiding the design of the operating system booting flag bit and obtaining good experience of the users. But it is complex to achieve the above mentioned functions on the conventional computer bottom firmware (i.e. on the BIOS level), because the functions of the conventional BIOS is finite. Particularly the access interfaces for the file system are insufficient. It is difficult to achieve the analyses on the files of the complex operating system. Therefore, it is difficult to achieve the above mentioned functions on the conventional BIOS. This affects the further development of the technologies.