基于TPCM的服务器可信PXE启动方法

PXE 启动机制通过网络下载操作系统文件并启动操作系统，广泛应用于服务器网络启动。通过可信计算技术保障PXE启动过程的安全可信，防止PXE启动文件被恶意篡改，确保服务器的安全可信运行。网络安全等级保护标准要求基于可信根对服务器设备的系统引导程序、系统程序等进行可信验证。根据等级保护标准要求，提出一种基于TPCM的服务器可信PXE启动方法，保障服务器的BIOS固件、PXE启动文件、Linux系统文件的安全可信。在服务器进行PXE启动时，由TPCM度量BIOS固件，由BIOS启动环境度量PXE启动文件，由PXE启动环境度量Linux系统文件。以TPCM为信任根逐级度量、逐级信任，建立信任链，建立可信的服务器运行环境。所提方法在国产自主可控申威服务器上进行了实验，实验结果表明所提方法是可行的。

TPCM-based trusted PXE boot method for servers

The PXE startup mechanism downloads operating system files through the network and starts the operating system,which is widely used in server network startup.It is widely used in server network startup.The PXE boot process is secured and trusted through trusted computing technology to prevent the PXE boot file from being tampered with maliciously,ensuring the safe and reliable operation of the server.The cyber security classified protection standard requires that the system boot program and system program of the server device be trusted and verified based on the trusted root.A TPCM-based server trusted PXE boot method based on the requirements of classified protection standard was proposed to ensure the security and trust of the server's BIOS firmware,PXE bootfiles,and Linux system files.When the server performs PXE boot,TPCM measured BIOS firmware,BIOS boot environment measured PXE boot files,and PXE boot environment measured Linux system files.Taking TPCM as the root of trust,one level of measurement,one level of trust,and a chain of trust were established to achieve a trusted server operating environment.The proposed method was tested on a domestically-controlled,self-controllable Shenwei server.The experimental results show that the proposed method is feasible.