CN103139221A - Dependable virtual platform and construction method thereof, data migration method among platforms - Google Patents

Abstract

The invention discloses a dependable virtual platform and a construction method thereof, a data migration method among platforms. The dependable virtual platform comprises a hardware security chip, a virtual machine monitor (VMM), an administrative domain, a user domain and a dependable serving domain (TSD), wherein an expanded trust chain is used by the TSD for users to establish dependable operating environment. The construction method includes: building the TSD; then establishing secure communication mechanisms between the managing domain and the TSD and between the managing domain and a domestic user domain; accomplishing calls of security application of the user domain to a dependable function by the user domain through interaction with the managing domain, accomplishing transmission and treatments of dependable orders by the managing domain through the interaction of the TSD; interacting a source platform migration engine and a goal platform migration engine; migrating migration data which is produced and based on the hardware security chip and the TSD to a goal platform, and recovering data on the goal platform, accomplishing quick migration of the TSD and a virtual machine. The dependable virtual platform and the construction method thereof, the data migration method among platforms are capable of improving safety of dependable service and providing flexible operation and deployment mechanisms for the platforms.

Description

A trusted virtual platform, its construction method, and data migration method between platforms

technical field

The invention relates to a trusted virtual platform and a construction method thereof, in particular to a trusted virtual platform based on a trusted service domain, a construction method thereof, and a data migration method between platforms, belonging to the technical field of information security.

Background technique

At present, the rapid development and application of cloud services based on virtualization technology has further promoted and used the virtualization platform, and its security issues have also become the focus of attention of users. In a new computing environment supported by virtualization technology (such as Infrastructure as a Service, facility as a service IaaS cloud), resources and services are provided in the form of virtual machines, and users lose control over their data and cannot use local resources like The same implementation of security management cannot ensure the reliability of its data and services. At the same time, the virtualization platform uses its isolation feature to support concurrent running of multiple virtual machines to save operating costs and improve resource utilization efficiency. However, there have been many attacks targeting this feature, resulting in user privacy data leakage. Therefore, it is urgent to solve the problem of building a trusted operating environment for virtualization platforms. Trusted computing technology is based on the hardware security chip TPM (Trusted Platform Module, Trusted Platform Module). By establishing a chain of trust from the underlying hardware to the upper application, and using trusted measurement and remote certification mechanisms to provide external trust proofs, it builds for users The trusted operating environment of the platform.

Therefore, using trusted computing technology to build a trusted operating environment for virtualization platforms is a current research hotspot. Considering the particularity of the virtualization platform architecture running multiple operating system instances concurrently, it is necessary to provide trust services for each user domain. Therefore, it is necessary to realize the virtualization of the root of trust to avoid conflicts in the use of hardware root of trust resources. On this basis Establish the binding relationship between the virtual root of trust and the hardware root of trust, and use the existing trusted computing mechanism to build a trusted virtual platform. According to different security application requirements, the specific implementation schemes of the trusted virtual platform may be varied. Zurich Institute of Technology in Switzerland proposed and realized the TPM emulator TPM emulator, which realized most of the functions of the TPM trusted chip in the form of software, and laid the foundation for the virtualization of TPM. Later, IBM proposed a trustworthy virtual platform implementation plan, implementing the virtual root of trust vTPM in the management domain of the virtualization platform. First, based on the hardware root of trust, a trust chain from the underlying hardware to the virtual root of trust is established, and then the virtual root of trust is used to serve multiple users. The virtual machine provides an independent root of trust instance, builds a complete trusted virtual platform, and provides a solution for vTPM migration and platform remote certification. On this basis, the Ruhr-University Bochum in Germany optimized the vTPM-based certification scheme, and proposed an attribute-based vTPM to improve the efficiency of remote certification for trusted virtual platforms. Domestic research institutions such as Wuhan University and Beijing University of Technology have also proposed many optimization schemes for the construction of trusted virtual platforms, mainly considering the mapping relationship between the virtual root of trust and the hardware root of trust and platform applications.

However, the existing methods for building trusted virtual platforms cannot meet the needs of large-scale applications in new computing environments (such as cloud computing), and mainly have the following deficiencies:

1. The operation and maintenance of the virtual root of trust will increase the possibility of the platform being attacked. Existing methods are mainly based on the privileged management domain of the XEN virtualization platform, using the management process in this domain to be responsible for the scheduling and operation of the entire virtual root of trust trusted function. Since there are many daemon processes running in the management domain, the operation and maintenance of the virtual root of trust makes the code volume of the management domain continuously increase, and its functions become more complex, which increases the possibility of being attacked.

2. In the existing method, the vTPM is strongly bound to the management domain, and the excessive coupling with the management domain makes it difficult for the trusted virtual platform to quickly deploy and migrate functions. The existing trusted virtual platform solutions rely too much on the management domain, which increases the difficulty of deploying trusted services in large-scale computing environments, and cannot meet the needs of these environments for the rapid migration of trusted functions.

Contents of the invention

The present invention aims to solve the problems that the amount of management domain codes in the existing trustworthy virtual platform construction method is constantly increasing and the possibility of being attacked is increased due to excessive reliance on the management domain, and it is not easy to flexibly deploy and quickly migrate. Therefore, the present invention provides a set of trusted virtual platform based on Trusted Service Domain (TSD) and its construction method, and data migration method between platforms. The present invention provides a virtual root of trust for concurrent user virtual domains by setting an independent trusted service domain TSD (that is, a virtual machine), instead of a program in the management domain in the known method, thus making the trusted virtual platform easy to deploy, It is easy to run and migrate; at the same time, because TSD has a single function and is an independent domain, it can improve the security of trusted services based on the inter-domain isolation mechanism provided by the virtual platform.

The trusted virtual platform involved in the present invention involves the following main components: a hardware security chip, a virtual machine monitor VMM (Virtual Machine Monitor), a management domain, a trusted service domain, and a common user domain. Among them, the hardware security chip is used to provide hardware trust, the VMM and the management domain are responsible for allocating resources belonging to the virtual platform, and are responsible for inter-domain isolation and data communication. Virtual root of trust.

The trusted virtual platform construction method and platform data migration method based on the trusted service domain involved in the present invention are as follows:

1. Construct a trusted service domain, and establish an extended trust chain from the underlying hardware of the virtual platform to TSD based on the hardware security chip, and then use TSD to establish a trusted operating environment for the user domain;

2. Establish a secure communication mechanism between the management domain and TSD, and between the management domain and the common user domain. The user domain interacts with the management domain to complete the call of its security application to the trusted function, and the management domain completes the trusted command through the interaction with the TSD. transmission and processing of

3. The source platform migration engine interacts with the target platform migration engine to migrate the migration data generated based on the security chip and TSD to the target platform, and restore the data on the target platform to complete the rapid migration of TSD and virtual machine.

Among them, the implementation method of step 1 mainly includes:

(1) Create and run a lightweight microkernel domain on a virtualization platform, compile and run the TPM Emulator, and build a trusted service domain TSD; TSD establishes an independent key structure tree for each user domain, and when necessary , using the local privacy certification authority PCA (Local Privacy Certification Authority) to apply for the certificate of the platform identity key AIK' (Attestation Identification Key) of the corresponding user virtual machine (ie, user domain) to complete the external trust certification of the user virtual machine;

(2) On the basis of the basic trust chain (CRTM→BIOS→VMM→DOM0 kernel), build an extended trust chain of CRTM→BIOS→VMM→DOM0kernel→TSD to ensure the trusted operation of the trusted service domain; the extended trust chain is composed of The VMM is co-constructed with the management domain. Among them, CRTM (Core Root of Trust for Measurement) is the core measurement root, BIOS is the power-on self-test and system initial startup program, VMM is the virtual machine monitor, and finally the kernel of the management domain Dom0;

(3) The management domain uses TSD to build a trust chain for the common user domain TSD→INIT→BIOS→OS→APPs, where INIT is the initial (INITial) loading program of the user virtual machine, the meaning of BIOS is the same as above, and OS is the operating system of the user virtual machine Kernel, APPs are user applications.

The main methods used for secure communication between the management domain dom0 and the user domain, and between the management domain and TSD are:

(1) Initialize the connection

1) TSD→Management Domain: After TSD is started, it actively initiates a connection request packet with the management domain, which includes information such as the current TSD domain ID, the size and number of shared pages required;

2) Management domain → TSD: According to the basic parameters in the request packet, allocate corresponding resources and return a status response of successful connection, and establish the initial communication connection between TSD and management domain;

3) User Domain→Management Domain: After the user domain is started, it actively registers with the management domain, and the registration information includes information such as the current user domain ID, the required shared page size, and the number of pages;

4) Management domain → user domain: the management domain first determines that it has established a connection with the TSD, and judges whether the user domain ID is smaller than the TSD domain ID, and if it is (True), establishes a connection with the user domain and waits for the data request from the user domain directive, otherwise the connection establishment fails and the user domain is notified.

(2) Data interaction stage

5) User domain → management domain: the upper layer security application in the user domain invokes the local trusted service, and sends a trusted function command packet to the management domain, which includes the user domain identifier, command type, command content, etc.; the local trusted service is controlled by the management domain Provided, mainly responsible for receiving requests from the upper layer and communicating with the management domain.

6) Management Domain → TSD: The management domain parses the command type, if it is an internal operation of the local platform (such as data encapsulation/decapsulation, encryption/decryption, signature/verification, etc.), the command will be forwarded to TSD; if it is an external For platform operations (such as external certification by the user domain), the management domain directly processes the command request by interacting with the TSD and the underlying TPM;

7) TSD → management domain: TSD processes commands and returns the execution results;

8) Management domain→user domain: The management domain returns and forwards the processing result to the user domain according to the user domain ID, and completes the command processing process.

In the above communication process, the user domain can only interact with the management domain, and messages from illegal user domains must be checked by the management domain before being forwarded to the TSD, thereby further enhancing the security of the TSD.

The fast migration method of the trusted virtual platform provided by the present invention is as follows:

(1) The source platform actively initiates a migration request, which includes a signature on the random number r _S , migration type and other information, and is encrypted with the public key of the target platform;

(2) The target platform receives the migration request, verifies the signature and obtains the random number r _S , and allocates corresponding resources according to the migration type:

1) When a single user domain is migrated, it is only necessary to create a new virtual root of trust instance in the existing trusted service domain of the platform, and create an empty virtual machine instance to provide running resources (memory, file, etc.) for the instance to be migrated. system, etc.);

2) When all user domains (that is, user VMs) using TSD are migrated, the target platform needs to create empty virtual machine instances with the same number as the source platform, and allocate the required resources for TSD migration;

(3) The target platform generates its own random number r _D and returns to the source platform together with the source platform random number r _S to confirm the establishment of the migration connection;

(4) The source platform collects the required information, including the trusted service domain (instance) to be migrated and the image of the user virtual machine, and uses it together with the random numbers (r _S , r _D ) of both parties as the data to be migrated, and generates a message digest , encrypted with K _M and sent to the target platform. Among them, the symmetric key K _M used to encrypt data is generated by the source platform migration engine and protected by the migratable key K _TPM provided by TPM;

(5), the target platform uses the TPM key migration mechanism to import the migratable key K _TPM of the source platform, decrypts the migration data received, and after verifying the message digest and the random number successfully, informs the source platform to delete the migrated source VM (i.e. user domain of the source platform) and the corresponding TSD _S (or instance);

(6) After receiving the command to delete the source data, the target platform loads a new TSD (or instance), and resumes the operation of the user virtual machine.

Another object of the present invention is to provide a trusted virtual platform system, its main components include: virtual machine monitor VMM, three functional domains (management domain, trusted service domain, common user domain) and two service engines ( secure communication engine and secure migration engine), in addition, the trusted virtual platform is configured with a hardware security chip TPM.

As a privileged component, VMM is responsible for the isolation between different domains in the virtualization platform; the management domain provides users with a management interface and is responsible for the creation and management of other domains. As a special functional domain, the trusted service domain only needs to run a microkernel, which is mainly used to provide functions related to trusted computing, and can carry out necessary communication with the management domain. As the operating environment of user applications and services, the ordinary user domain needs to interact with the management domain to obtain the TSD-based trusted function request processing response and build the credibility of its own operating environment.

The security communication service is implemented as a kernel device driver, which is responsible for ensuring inter-domain data communication; the security migration service is implemented as a daemon process in the management domain kernel, which is responsible for receiving migration instructions and completing the migration of virtual machines within the platform and between platforms.

Compared with prior art, the beneficial effect of the present invention:

In the existing trusted virtual platform, the continuous enrichment and updating of trusted functions leads to more complex and bulky management domain codes, which increases the possibility of attacks. Moreover, the excessive dependence of trusted functions on the management domain also affects the complexity of the entire platform. Efficiency of deployment and migration in computing environments. In the present invention, the trusted function is separated from the management domain, and it is constructed as an independent lightweight functional domain (that is, the trusted service domain TSD), which can ensure the use of trusted functions and improve the security of trusted services , and can provide a flexible operation and deployment mechanism for the platform. In addition, the loosely coupled relationship between the lightweight trusted service domain and the management domain improves the efficiency of platform migration. Compared with traditional trusted virtual platforms, platform migration based on trusted virtual domains is faster and more flexible, and can meet new computing environments. (such as cloud computing) application requirements.

Description of drawings

Figure 1 is a schematic diagram of the basic structure of a trusted virtual platform based on a trusted service domain;

Fig. 2 is a schematic diagram of an extended trust chain based on a trusted service domain;

Fig. 3 is a flow chart of migration of a virtualization platform based on a trusted service domain.

Detailed ways

The method of the present invention is mainly realized by the following virtualization platform functional components: trusted service domain, management process, communication engine, migration engine and so on. Referring to Figure 1, the user virtual machine of the virtualization platform uses the shared communication mechanism provided by the virtual machine monitor VMM to perform data transmission with the management domain dom0, while the trusted service domain is an independent lightweight functional domain, and uses the management domain to implement data transmission. Forwarding, while ensuring its own security, provides trusted services such as trust chain construction, data encapsulation and storage, and remote certification for multiple user virtual machines.

1. Trusted service domain

The trusted service domain is an independent functional domain on the virtualization platform, running a reduced microkernel system (MiniOS), which includes trusted service processing processes and communication engines. The trusted service processing process is used to provide trusted services required by user virtual machines, including various trusted command processing and key structure generation and maintenance. The following is a detailed description of its trusted service processing process.

The trusted service domain is used to provide trusted functions for the trusted virtual platform, so it must ensure that its own operation is trusted. The invention guarantees the security of the trusted service domain through the method of extending the trust chain. as shown in picture 2. Use the hardware security chip to build a basic trust chain from the underlying trust root to the virtual machine monitor and then to the management domain (dom0). In order to use the trusted service domain to build the trust chain of the user virtual machine, trust extension needs to be carried out on the basic trust chain. There are two ways to extend the chain of trust, a and b: a is to load the trusted service domain as a functional domain after the management domain is started, but it must be ensured that it starts before each user domain; b is to use the dynamic root of trust mechanism , using the characteristics of the processor to create a trusted operating environment for the trusted service domain. The above two methods can extend the trust from the hardware root of trust to the trusted service domain, and finally build the trust environment of the user virtual machine.

The trusted service processing process is a function-optimized TPM Emulator. As a system service of the microkernel system MiniOS, it is a kernel process implemented in C and is responsible for handling specific trusted function requirements:

(1) Message communication processing. It mainly receives the connection request forwarded from the management domain, determines the identity of the user virtual machine and establishes a communication connection;

(2) Key creation and maintenance. Establish the required key structure (including corresponding EK, AIK, SRK, etc.) for the user virtual machine VM, and generate new keys such as signature key, encryption key, etc. as needed;

(3) Function command processing. In addition to the key management-related commands mentioned above, this function is mainly to process commands related to the internal operation of the platform, such as encryption/decryption, encapsulation/uncapsulation, etc. For platform external operation commands, such as remote certification, key migration, etc., considering their binding relationship with the underlying TPM, the TPM Emulator interface in the TSD is tailored so that this part of the function is directly processed by the daemon process in the management domain.

2. Management process

The management process is located in the management domain dom0, and is mainly responsible for providing interactive interfaces to upper-layer users, managing the underlying data communication engine and migration engine, and handling external trusted function operations. Its main process is:

2-1. The management process receives instructions from upper-level users, and by interacting with the user console (user interaction interface), parses the instructions and invokes the corresponding processing engine according to the instructions, including the creation and management of TSD and user domains, domain migration, and communication Engine and migration engine management, etc.;

2-2. The management process handles external trusted function operations of the platform, including TSD migration, user virtual domain external certification, etc. The communication engine forwards such messages to the management process, and the management process interacts with the TSD and TPM to obtain the required data and return to the communication engine.

3. Communication engine

The communication engine is responsible for secure communication between domains of the trusted virtual platform, mainly including communication drivers in the trusted service domain, management domain and user domain. These drivers are loaded as kernel modules before the system runs, and are executed in a determined order. The flow of secure communication is as follows:

3-1. The trusted service domain loads and runs after the management domain is started, and its communication engine (communication device front end) first initiates an initial connection request to the management domain REQ _TSD = (ID _TSD ||pagesize||pagenum); ID _TSD is TSD The ID of the domain.

3-2. After receiving the connection request from the trusted service domain, the management domain communication engine (communication backend) provides it with corresponding shared memory pages according to the information such as the page size and quantity provided by it, and establishes a connection with the trusted service domain. connection and return the connection status state=ready;

3-3. After the trusted service domain TSD receives the response, it waits for the trusted command request on the connection;

3-4. The user domain loads and runs after the trusted service domain runs, and its communication engine actively initiates a connection request to the management domain REQ _VM = (ID _VM ||pagesize||pagenum); ID _VM is the ID of the user domain.

3-5. According to the ID _VM , the management domain determines whether the user domain can use the trusted service of the TSD (the domain must be loaded after the TSD, and build its trust chain based on the TSD; only the user domain with the ID _VM greater than the ID _TSD can Use TSD, because the size of the domain ID represents the order in which the corresponding domains are created, the smaller the value, the earlier the creation.), after the verification is passed, the connection with the user domain is established, and the connection status state=ready is returned to it;

3-6. After receiving the connection establishment response from the management domain, the user domain waits for the upper layer security application to initiate a trusted function request;

3-7. The user domain security application invokes the trusted function interface, and transmits the trusted function request to the communication engine, and the communication engine encapsulates the data into a standard form cmdpkg _VM = (cmdtype||cmdcontent), and sends it to the management domain;

3-8. The management domain communication engine judges the command type cmdtype in the received cmdpkg _VM :

1) If it is operated on a local platform, it is forwarded to the trusted service domain TSD, and the TSD trusted service process processes the request and returns the processing result to the management domain communication engine;

2) If it is an external operation, the command is forwarded to the management process for processing, and the management process returns the processing result to the communication engine;

3-9. The management domain communication engine forwards the received processing result to the user domain identified as ID _VM ;

3-10. The user domain communication engine submits the processing result to the upper layer security application.

The above communication process is mainly completed by the cooperation of the communication engine and the corresponding functional components. The user domain cannot perceive the existence of the trusted service domain during the entire communication process, and its data requests are forwarded through the management domain, further ensuring the trusted service domain security.

4. Migration engine

The migration engine is responsible for the rapid migration of trusted virtual platforms based on trusted service domains. As shown in Figure 3. Considering the migration of a single virtual machine and the entire platform of the trusted virtual platform, the migration process is divided into two cases: (a) the migration of a single virtual machine and (b) the migration of the entire platform. Its main methods are:

4-1. After receiving the migration command from the administrator, the source platform migration engine sends a migration request REQ _M to the target platform migration engine: aenc(sign(type||r _S , SK _S ), PK _D );

4-2. The target platform receives the migration request, verifies the signature of the source platform, and allocates corresponding resources according to the migration type:

(1) Migrate a single VM, allocate corresponding resources (memory, file system, etc.) for the VM, and create an empty TSD instance instance: TSDI _D in the target platform TSD _D ;

(2) All VMs using TSD are migrated, allocate corresponding resources for multiple VMs and TSDs to be migrated, and ensure that there are no other TSDs in the target platform; if there are other TSDs, in order to migrate a complete TSD, the original platform needs to be TSD delete.

4-3. The target platform migration engine generates a random number r _D based on its TPM _D , and confirms the establishment of the migration connection to the source platform: aenc(sign(r _D ||r _S , SK _D ), PK _S );

4-4. After the source platform receives the response and verifies the signature of the target platform, the migration engine generates a symmetric key K _M for migration, which is encapsulated by the migratable key K _TPM of TPM _S and sent to the target platform. Then generate migration data:

(1) During a single migration, the migration engine generates the mirrored VMI of the VM to be migrated, the TSD instance instance: TSDI _S and its status data corresponding to the VM, and then uses K _M to encrypt the above data and the random numbers of both parties, and then based on SHA- 1 The algorithm generates a summary MAC value and sends it to the target platform: (senc(VMI||TSDI _S ||r _S |r _D , K _M )||MAC);

(2) When all VMs using TSD are migrated, the migration engine uses K _M to encrypt the image VMI, the entire TSD, and random numbers of both parties for all VMs to be migrated, and then send them to the target platform together with the digest value (senc(VMI||TSD| |r _S |r _D ，K _M )||MAC);

(3) The symmetric key K _M used to encrypt the migration data is encapsulated by the migratable key K _TPM of the TPM and then encrypted and transmitted to the target platform: aenc((senc(K _M , K _TPM )), PK _D ).

4-5. The target platform verifies the message summary, imports K _TPM using the existing TPM key migration protocol, and obtains K _M , decrypts the migration data and verifies the random number, and notifies the target platform to delete the VM and the corresponding TSD _S ( or instance TSDI _S );

4-6. The source platform notifies the target platform after deleting the source data, and the target platform restores the TSD (or instance) and VM to complete the migration process.

Although specific embodiments and drawings are disclosed for the purpose of illustrating the present invention, the purpose is to help understand the content of the present invention and implement it accordingly, but those skilled in the art can understand that: without departing from the present invention and the appended claims Various substitutions, changes and modifications are possible within the spirit and scope of . Therefore, the present invention should not be limited to the content disclosed in the embodiments and drawings, and the protection scope of the present invention is subject to the scope defined in the claims.

Claims (15)

1. a credible virtual platform, comprise hardware security chip, monitor of virtual machine VMM, management domain, user domain, characterized by further comprising a credible service-domain TSD; Described credible service-domain TSD utilizes the expansion trust chain to set up credible running environment for user domain, described expansion trust chain be management domain with monitor of virtual machine VMM based on the trust chain of hardware security chip foundation from the virtual platform bottom hardware to credible service-domain TSD.

2. credible virtual platform as claimed in claim 1 is characterized in that described credible service-domain TSD is a lightweight micro-kernel territory, wherein compilation run credible platform module on virtual platform; Described credible service-domain TSD sets up independently key structure tree for each user domain on this virtual platform.

3. method as claimed in claim 2, is characterized in that it is the certificate of described user domain application platform identity key A IK ' that described credible service-domain TSD utilizes privacy certification authority (CA) PCA, trusts proof for user domain provides.

4. a credible virtual platform construction method, the steps include:

1) build a credible service-domain TSD, and based on the expansion trust chain of hardware security chip foundation from the virtual platform bottom hardware to TSD, then credible service-domain TSD is that user domain is set up credible running environment according to described expansion trust chain;

2) but user domain upper strata safety applications is called this locality telecommunications services, send the trusted function command packet to management domain;

3) management domain is resolved this trusted function command packet, if the operation of local platform inside forwards it to credible service-domain TSD; If to outside platform operations, by mutual with credible service-domain TSD and bottom hardware safety chip, directly process this trusted function command packet by management domain;

4) credible service-domain TSD issues management domain with the result of this trusted function command packet; Management domain identifies according to user domain, and result is returned to user domain.

5. the method for claim 1 is characterized in that the method that builds described credible service-domain TSD is: create and move a lightweight micro-kernel territory on virtual platform, wherein the compilation run credible platform module, build credible service-domain TSD; Described credible service-domain TSD sets up independently key structure tree for each user domain on this virtual platform.

6. method as claimed in claim 2, is characterized in that it is the certificate of described user domain application platform identity key A IK ' that described credible service-domain TSD utilizes privacy certification authority (CA) PCA, utilizes AIK ' to trust proof for user domain externally provides.

7. as claim 4 or 5 or 6 described methods, the method for building up that it is characterized in that described expansion trust chain is: at first utilize the hardware security chip to build from the bottom root of trust to monitor of virtual machine the basic trust chain of management domain again, then after management domain starts, before user domain starts, credible service-domain TSD is loaded as a functional domain; Perhaps adopt dynamic trust root mechanism that described basic trust chain is expanded, obtain described expansion trust chain.

8. as claim 4 or 5 or 6 described methods, it is characterized in that setting up a secure communication mechanism between management domain and credible service-domain TSD communicates, its method is:

1) credible service-domain TSD initiates the connection request bag to management domain, and it comprises size and the quantity of credible service-domain TSD domain identifier ID, required shared page;

2) management domain is according to be responsible for assigning respective resources and return to the condition responsive of successful connection, the communication connection of setting up credible service-domain TSD and management domain of this connection request.

9. as claim 4 or 5 or 6 described methods, it is characterized in that setting up between management domain and user domain a secure communication mechanism and communicate, its method is:

1) user domain is registered to management domain, and log-on message comprises active user's domain identifier, required shared page size and number of pages;

2) at first management domain is determined ownly to connect with credible service-domain TSD, then judges user domain ID whether less than the territory ID of credible service-domain TSD, if it is set up and being connected of user domain, otherwise connection is set up failure and notified user domain.

10. data migration method between the platform of a credible virtual platform, the steps include:

1) source platform is initiated migration request to target platform; Wherein, described source platform, target platform include a credible service-domain TSD; Described credible service-domain TSD utilizes the expansion trust chain to set up credible running environment for user domain, described expansion trust chain be management domain with monitor of virtual machine VMM based on the trust chain of hardware security chip foundation from the virtual platform bottom hardware to credible service-domain TSD;

2) target platform distributes corresponding resource according to this migration request; Wherein: if a) migration request is single virtual machine migration, the virtual machine instance that target platform has created, and create a new virtual root of trust example in its credible service-domain TSD; B) if migration request is used the credible service-domain TSD of source platform for all _SVirtual machine (vm) migration, target platform creates the empty virtual machine instance consistent with source platform quantity, and with the original TSD of target platform _DDeletion;

3) target platform notification source platform confirms that migration connects foundation;

4) source platform is collected data to be migrated, sends it to target platform;

5) after target platform is received this migration data, return to confirmation to source platform.

11. method as claimed in claim 10 is characterized in that the method that builds described credible service-domain TSD is: create and move a lightweight micro-kernel territory on virtual platform, wherein the compilation run credible platform module, build credible service-domain TSD; Described credible service-domain TSD sets up independently key structure tree for each user domain on this virtual platform.

12. method as claimed in claim 11 is characterized in that it is the certificate of described user domain application platform identity key A IK ' that described credible service-domain TSD utilizes privacy certification authority (CA) PCA, proves for user domain provides external trust.

13. as claim 10 or 11 or 12 described methods, it is characterized in that described migration request comprises the random number r that migration type, source platform migration engine generate _SSigning messages; Described source platform adopts the described migration request of public key encryption of target platform.

14. method as claimed in claim 13, after it is characterized in that described target platform is received this migration request, certifying signature also obtains random number r _S, then described target platform generates the random number r of oneself _DAnd with random number r _SReturn to together described source platform, confirm that migration connects foundation.

15. method as claimed in claim 14 is characterized in that described source platform is with random number r _S, random number r _DAfter the generating messages summary, utilize K together with described data to be migrated _MEncryption sends to target platform; Target platform utilizes the key migration mechanism of hardware security chip TPM with the transportable key K of source platform _TPMImport, the migration data that deciphering is received, after good authentication eap-message digest and random number, the source VM that the deletion of notification source platform is had moved and corresponding TSD _SOr example; Wherein, the symmetric key K that is used for enciphered data _MGenerated by the source platform migration engine, and the transportable key K of using hardware security chip TPM to provide _TPMProtection.

Images