
CN113703918B - Virtual trusted platform based on hardware assistance and security processing method - Google Patents


Info

Publication number: CN113703918B
Application number: CN202110990232.6A
Authority: CN (China)
Legal status: Active
Prior art keywords: virtual, security device, cryptographic coprocessor, trusted platform, driver
Other languages: Chinese (zh)
Other versions: CN113703918A (en)
Inventors: 郭松辉, 孙磊, 宋云帆, 刘海东, 窦睿彧, 郝前防, 钱大赞, 韩松莘, 王淼, 李楠, 周明, 赵锟, 戴乐育, 郭松
Current assignee: Information Engineering University Of Chinese People's Liberation Army Cyberspace Force
Original assignee: PLA Information Engineering University

Events

  • Application filed by PLA Information Engineering University
  • Priority to CN202110990232.6A
  • Publication of CN113703918A
  • Application granted
  • Publication of CN113703918B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45587 Isolation or security of virtual machine instances
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
                • H04L9/0897 Escrow, recovery or storing of secret information involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
            • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3247 Cryptographic mechanisms for message authentication involving digital signatures
              • H04L9/3263 Cryptographic mechanisms for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

In the virtual trusted platform, the application program uses the TSS (TCG Software Stack) interface to call the VirtIO front-end driver, which writes a pending request into a ring queue; the VirtIO back-end driver obtains the pending request from the ring queue and sends it to the cryptographic coprocessor encryption interface; the cryptographic coprocessor encryption interface calls the cryptographic coprocessor driver to send the pending request to the cryptographic coprocessor, so that the cryptographic coprocessor performs secure operation processing on the request and obtains a processing result. Secure operations on data are thus performed by hardware, which strengthens the security protection capability of the virtual trusted platform and improves data security.

Description

A hardware-assisted virtual trusted platform and security processing method

Technical Field

The present application relates to the field of computer technology, and in particular to a hardware-assisted virtual trusted platform and a security processing method.

Background Art

To meet the security requirements of 5G cloud network environments, a virtual trusted platform that is flexible to deploy and easy to scale is often added to the cloud architecture to strengthen security in such environments.

However, virtual trusted platforms in current cloud environments protect data insufficiently, so data security is poor. In addition, such platforms isolate data poorly.

Summary of the Invention

This application provides the following technical solutions:

A security processing method based on a virtual trusted platform, where the virtual trusted platform comprises a virtual machine user space, a virtual machine kernel space, a host user space and a host kernel space; an application program and a TSS interface are deployed in the virtual machine user space, the virtual machine kernel space contains a virtual security device and a VirtIO front-end driver, the host user space contains at least a VirtIO back-end driver and a cryptographic coprocessor encryption interface, and the host kernel space contains a cryptographic coprocessor driver. The method comprises:

the application program calls the VirtIO front-end driver through the TSS interface, and the VirtIO front-end driver writes the pending request into a ring queue;

the VirtIO back-end driver obtains the pending request from the ring queue and sends it to the cryptographic coprocessor encryption interface;

the cryptographic coprocessor encryption interface calls the cryptographic coprocessor driver to send the pending request to the cryptographic coprocessor, so that the cryptographic coprocessor performs secure operation processing on the pending request to obtain a processing result, and the processing result is returned to the application program;

the application program obtains the processing result.

Optionally, returning the processing result to the application program comprises:

the cryptographic coprocessor driver returns the processing result to the cryptographic coprocessor encryption interface;

the cryptographic coprocessor encryption interface returns the processing result to the VirtIO back-end driver;

the VirtIO back-end driver returns the processing result to the application program through an interrupt injection mechanism.

Optionally, the cryptographic coprocessor has a binding relationship with the hardware security device in the host user space, and the binding relationship is established as follows:

the hardware security device presents its EK key to a local certificate authority to prove its identity, and then applies to the local certificate authority for a hardware AIK certificate;

the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, thereby establishing the binding relationship between the hardware security device and the cryptographic coprocessor.

Optionally, the method further comprises:

generating the EK key of the virtual security device based on the cryptographic coprocessor, and using the cryptographic coprocessor AIK key to issue a certificate for the EK key of the virtual security device;

the virtual security device proves its identity to the local certificate authority using its EK key, and then applies to the local certificate authority for a virtual AIK certificate, so that the local certificate authority issues a virtual AIK certificate to the virtual security device.

Optionally, the method further comprises:

mapping the measurement values in the registers of the hardware security device in the host user space into the registers of the virtual security device;

when remote attestation is performed on the virtual machine user space and the virtual machine kernel space, the virtual security device signs the measurement values in its registers with the virtual AIK certificate to obtain a measurement signature;

the virtual security device sends the measurement signature and the measurement values in its registers to a remote attestation device, so that the remote attestation device attests the hardware security device based on the measurement values in the registers of the virtual security device, and attests the virtual security device based on the measurement signature together with those measurement values.

Optionally, the method further comprises:

the virtual trusted platform obtains a migration command from a cloud computing migration control server, locks itself, and packages the data associated with the virtual security device to obtain a data package;

the virtual trusted platform obtains a session encryption key allocated to it by the cloud computing migration control server, where the session encryption key is allocated as follows: the virtual trusted platform is attested on the basis of its hardware security device, and once it has been proven trustworthy, a session encryption key is allocated to it;

the virtual trusted platform encrypts the data package with the session encryption key to obtain encrypted data, and signs the encrypted data package with the cryptographic coprocessor to obtain a data signature;

the encrypted data and the data signature are sent to another virtual trusted platform, so that the other virtual trusted platform applies to the cloud computing migration control server for the session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.

A hardware-assisted virtual trusted platform, comprising a virtual machine user space, a virtual machine kernel space, a host user space and a host kernel space, where an application program and a TSS interface are deployed in the virtual machine user space, the virtual machine kernel space contains a virtual security device and a VirtIO front-end driver, the host user space contains at least a VirtIO back-end driver and a cryptographic coprocessor encryption interface, and the host kernel space contains a cryptographic coprocessor driver;

the application program is configured to call the VirtIO front-end driver through the TSS interface;

the VirtIO front-end driver is configured to write the pending request into a ring queue;

the VirtIO back-end driver is configured to obtain the pending request from the ring queue and send it to the cryptographic coprocessor encryption interface;

the cryptographic coprocessor encryption interface is configured to call the cryptographic coprocessor driver;

the cryptographic coprocessor driver is configured to send the pending request to the cryptographic coprocessor, so that the cryptographic coprocessor performs secure operation processing on the pending request to obtain a processing result, and to return the processing result to the application program;

the application program is further configured to obtain the processing result.

Optionally, the cryptographic coprocessor encryption interface is further configured to receive the processing result returned by the cryptographic coprocessor through the cryptographic coprocessor driver, and to return the processing result to the VirtIO back-end driver;

the VirtIO back-end driver is further configured to return the processing result to the application program through an interrupt injection mechanism.

Optionally, the virtual trusted platform further comprises:

an establishing module, by which the hardware security device presents its EK key to the local certificate authority to prove its identity and then applies to the local certificate authority for a hardware AIK certificate;

the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, thereby establishing the binding relationship between the hardware security device and the cryptographic coprocessor.

Optionally, the EK key of the virtual security device is generated based on the cryptographic coprocessor, and a certificate is issued for the EK key of the virtual security device using the cryptographic coprocessor AIK certificate;

the virtual security device is configured to prove its identity to the local certificate authority using its EK key and then apply to the local certificate authority for a virtual AIK certificate, so that the local certificate authority issues a virtual AIK certificate to the virtual security device.

Optionally, the platform further comprises:

mapping the measurement values in the registers of the hardware security device in the host user space into the registers of the virtual security device;

when remote attestation is performed on the virtual machine user space and the virtual machine kernel space, the virtual security device is further configured to sign the measurement values in its registers with the virtual AIK certificate to obtain a measurement signature;

the virtual security device is further configured to send the measurement signature and the measurement values in its registers to a remote attestation device, so that the remote attestation device attests the hardware security device based on the measurement values in the registers of the virtual security device, and attests the virtual security device based on the measurement signature together with those measurement values.
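The two-part attestation described above (the remote device judges the hardware security device by the mapped register values and the virtual security device by the signature under the virtual AIK) is shown below as a Go program. It is an added example written for this page, not code from the patent or from any TPM implementation. The registers are SHA-256 extend-only slots in the style of PCRs, the virtual AIK is an Ed25519 key (the patent fixes no algorithm), the "golden" values the verifier compares against and the boot measurements are constructed, and the nonce used for freshness is an addition the page does not mention.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const NumRegisters = 4

// Registers is a bank of PCR-like measurement registers: a register is only ever
// changed by Extend, so its value commits to the whole sequence of measurements.
type Registers [NumRegisters][32]byte

func (r *Registers) Extend(idx int, measurement []byte) {
	h := sha256.New()
	h.Write(r[idx][:])
	h.Write(measurement)
	copy(r[idx][:], h.Sum(nil))
}

// Serialize concatenates the register values in order; this is what gets signed.
func (r *Registers) Serialize() []byte {
	var out []byte
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out
}

// VirtualDevice is the vTPM: the host's register values are mapped into it, and it
// holds the virtual AIK (Ed25519 here; the page fixes no algorithm) used at attestation.
type VirtualDevice struct {
	Regs    Registers
	aikPriv ed25519.PrivateKey
}

// MapFromHardware copies the hardware security device's register values into the vTPM.
func (v *VirtualDevice) MapFromHardware(hw *Registers) { v.Regs = *hw }

// Quote signs the register values together with a verifier nonce (the nonce is an
// addition for freshness; the page only speaks of signing the register values).
func (v *VirtualDevice) Quote(nonce []byte) (values, sig []byte) {
	values = v.Regs.Serialize()
	sig = ed25519.Sign(v.aikPriv, append(append([]byte{}, values...), nonce...))
	return values, sig
}

// Verifier is the remote attestation device. Golden holds the register values it expects
// from a correctly measured host; VAIKPub is the virtual AIK public key from the vTPM's certificate.
type Verifier struct {
	Golden  []byte
	VAIKPub ed25519.PublicKey
}

// Attest makes the two judgements the page describes: the hardware security device is
// judged by the register values themselves, the vTPM by the signature under the virtual AIK.
func (vf *Verifier) Attest(values, sig, nonce []byte) (hostOK, vtpmOK bool) {
	hostOK = bytes.Equal(values, vf.Golden)
	vtpmOK = ed25519.Verify(vf.VAIKPub, append(append([]byte{}, values...), nonce...), sig)
	return hostOK, vtpmOK
}

// Scenario builds a host with constructed boot measurements, maps them into a vTPM and
// runs attestation; tamperHost adds a measurement the verifier does not expect.
func Scenario(tamperHost bool) (hostOK, vtpmOK bool) {
	var hw Registers
	hw.Extend(0, []byte("firmware-v1")) // constructed measurements, not real digests
	hw.Extend(1, []byte("bootloader-v1"))
	hw.Extend(2, []byte("kernel-v1"))
	golden := hw.Serialize() // what the verifier was provisioned with
	if tamperHost {
		hw.Extend(2, []byte("unexpected-module"))
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	vtpm := &VirtualDevice{aikPriv: priv}
	vtpm.MapFromHardware(&hw)

	verifier := &Verifier{Golden: golden, VAIKPub: pub}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	values, sig := vtpm.Quote(nonce)
	return verifier.Attest(values, sig, nonce)
}

func main() {
	h, v := Scenario(false)
	fmt.Printf("clean host:    host trusted=%v vtpm trusted=%v\n", h, v)
	h, v = Scenario(true)
	fmt.Printf("tampered host: host trusted=%v vtpm trusted=%v\n", h, v)
}
```

The tampered case is the instructive one: the quote still verifies under the virtual AIK, so the vTPM itself is trusted, but the mapped register values no longer match what the verifier expects, so the hardware platform is not. A verifier must make both checks; a valid signature alone says nothing about what the host booted.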

Optionally, the virtual trusted platform is specifically configured to:

obtain a migration command from a cloud computing migration control server, lock the virtual trusted platform, and package the data associated with the virtual security device to obtain a data package;

obtain a session encryption key allocated to the virtual trusted platform by the cloud computing migration control server, where the session encryption key is allocated as follows: the virtual trusted platform is attested on the basis of its hardware security device, and once it has been proven trustworthy, a session encryption key is allocated to it;

encrypt the data package with the session encryption key to obtain encrypted data, and sign the encrypted data package with the cryptographic coprocessor to obtain a data signature;

send the encrypted data and the data signature to the host user space of another virtual trusted platform, so that the host user space of the other virtual trusted platform applies to the cloud computing migration control server for the session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.
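The migration exchange just described (session key issued only after attestation, data package encrypted under it, ciphertext signed by the coprocessor, destination fetches the matching key, verifies and decrypts) is shown below as a Go program. It is an added example written for this page, not the patent's or any cloud platform's code. The patent names no ciphers, so AES-256-GCM stands in for the session encryption (which makes the "session decryption key" the same key) and Ed25519 stands in for the coprocessor's signing key; the session ID, server structure and vTPM data package are constructed. The destination checks the signature before decrypting, which is the cheaper order; the page lists decryption first, and either order reaches the same decision.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// MigrationServer is the cloud computing migration control server: it allocates a session
// key only to a platform whose hardware-backed attestation succeeded (AES-GCM is assumed here).
type MigrationServer struct {
	sessions map[string][]byte // session ID -> session key
}

func (s *MigrationServer) AllocateSessionKey(sessionID string, attested bool) ([]byte, error) {
	if !attested {
		return nil, errors.New("source platform not attested; no session key issued")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	s.sessions[sessionID] = key
	return key, nil
}

// Bundle is what travels to the other platform: encrypted data package plus the coprocessor's signature.
type Bundle struct {
	SessionID  string
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PackAndSend is the source side: encrypt the locked-and-packaged data under the session key, sign the ciphertext.
func PackAndSend(sessionID string, sessionKey, dataPackage []byte, cpPriv ed25519.PrivateKey) (*Bundle, error) {
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, dataPackage, []byte(sessionID)) // session ID bound as AAD
	sig := ed25519.Sign(cpPriv, append(append([]byte{}, nonce...), ct...))
	return &Bundle{SessionID: sessionID, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Receive is the destination side: verify the coprocessor signature, fetch the session key, decrypt.
func Receive(b *Bundle, server *MigrationServer, cpPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(cpPub, append(append([]byte{}, b.Nonce...), b.Ciphertext...), b.Signature) {
		return nil, errors.New("coprocessor signature invalid")
	}
	key, ok := server.sessions[b.SessionID]
	if !ok {
		return nil, errors.New("no session key for this migration")
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.SessionID))
}

// Migrate runs the whole exchange; attested is the (externally produced) attestation outcome,
// tamper flips one ciphertext byte in transit.
func Migrate(dataPackage []byte, attested, tamper bool) ([]byte, error) {
	server := &MigrationServer{sessions: map[string][]byte{}}
	key, err := server.AllocateSessionKey("mig-0001", attested)
	if err != nil {
		return nil, err
	}
	cpPub, cpPriv, _ := ed25519.GenerateKey(rand.Reader) // coprocessor signing key (stand-in)
	bundle, err := PackAndSend("mig-0001", key, dataPackage, cpPriv)
	if err != nil {
		return nil, err
	}
	if tamper {
		bundle.Ciphertext[0] ^= 0xff
	}
	return Receive(bundle, server, cpPub)
}

func main() {
	pkg := []byte("constructed vTPM data package: keys, register values, NV data")
	out, err := Migrate(pkg, true, false)
	fmt.Printf("clean migration: intact=%v err=%v\n", bytes.Equal(out, pkg), err)
	_, err = Migrate(pkg, true, true)
	fmt.Println("tampered in transit:", err)
}
```

Two properties worth noticing: an unattested source never receives a key, so it cannot produce a package the destination can open at all; and because the session ID is bound as associated data and the signature covers the ciphertext, a bundle redirected to a different session or altered in transit is rejected at the destination rather than silently imported as vTPM state.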

Compared with the prior art, the beneficial effects of the present application are as follows:

This application provides a virtual trusted platform in which the virtual machine kernel space contains a virtual security device and a VirtIO front-end driver, the host user space contains at least a VirtIO back-end driver and a cryptographic coprocessor encryption interface, and the host kernel space contains a cryptographic coprocessor driver. The application program uses the TSS interface to call the VirtIO front-end driver and writes the pending request into a ring queue; the VirtIO back-end driver obtains the pending request from the ring queue and sends it to the cryptographic coprocessor encryption interface; the cryptographic coprocessor encryption interface calls the cryptographic coprocessor driver to send the pending request to the cryptographic coprocessor, which performs secure operation processing on it and obtains a processing result. Secure operations on data are thus performed by hardware, which strengthens the security protection capability of the virtual trusted platform and improves data security.

Furthermore, with the VirtIO front-end driver, VirtIO back-end driver, cryptographic coprocessor encryption interface and cryptographic coprocessor driver deployed in the virtual trusted platform, the cryptographic coprocessor stores and uses the keys of different virtual trusted platforms in isolation. When several virtual machines request cryptographic operations at the same time, different operations and keys are guaranteed not to interfere with each other, which achieves instance isolation and improves the isolation of the virtual trusted platform.

Brief Description of the Drawings

To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic diagram of the architecture of a hardware-assisted virtual trusted platform provided by the present application;

FIG. 2 is a schematic flowchart of a security processing method provided in Embodiment 1 of the present application;

FIG. 3 is a schematic flowchart of a security processing method provided in Embodiment 2 of the present application;

FIG. 4 is a schematic diagram of a register mapping provided by the present application;

FIG. 5 is a schematic flowchart of a security processing method provided in Embodiment 3 of the present application.

Detailed Description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.

To solve the problems described above, the present application provides a security processing method, which is introduced next.

The security processing method provided by the present application is based on a virtual trusted platform, understood here as a hardware-assisted virtual trusted platform. As shown in FIG. 1, the hardware-assisted virtual trusted platform may comprise a virtual machine user space, a virtual machine kernel space, a host user space, a host kernel space and a cryptographic coprocessor.

An application program and a TSS (TCG Software Stack) interface are deployed in the virtual machine user space. The TSS interface in the virtual machine user space is obtained by reusing the TSS interface that the host user space uses to call the hardware security device (hardware TPM), so its functions are identical to those of the TSS interface in the host user space.

The TSS interface in the virtual machine user space can provide other security programs with a standard interface for using the vtpm, and calls down into the VirtIO front-end driver.

The virtual machine kernel space may contain a virtual security device (vtpm) and a VirtIO front-end driver (VirtIO FE Driver).

The VirtIO front-end driver can be used to register the vtpm, and implements VirtQueue creation, feature negotiation, reading of the vtpm configuration, and so on.

A VirtQueue can be understood as the VirtIO front-end/back-end ring queue used for data exchange between the virtual machine and the host. Through the VirtQueue the underlying virtio-vring (which can be understood as the concrete implementation of the VirtIO transport mechanism) is located, and data is transferred over it.

Features define the functions supported by the guest virtual machine and the host.

VirtIO is an I/O paravirtualization solution: a set of general-purpose programs for I/O device virtualization, and an abstraction of a set of general-purpose I/O devices in a paravirtualized hypervisor. VirtIO abstracts a set of vring interfaces to carry data between the virtual machine and the host, and provides a communication framework and programming interface between upper-layer applications and the vtpm (for example, a QEMU virtual device), which reduces cross-platform compatibility problems and greatly improves driver development efficiency.

In a specific implementation, VirtIO comprises a VirtIO front-end driver located in the virtual machine kernel space and a VirtIO back-end driver located in the host user space; the two drivers communicate through the vring mechanism.
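The request path that the claims and this description build on (front-end driver writes a pending request into the ring queue, back-end driver drains the queue and calls the coprocessor through its encryption interface, the result comes back to the guest through an injected interrupt) is easiest to follow in code. The Go program below is an added example written for this page; it is not code from the patent, from QEMU or from the VirtIO drivers. The ring is a simplified VirtQueue (a fixed-size buffer with read and write indices rather than a real vring with descriptor, available and used rings), the coprocessor is modelled as an HMAC-SHA256 service over keys bound to individual VMs, the completion channel stands in for interrupt injection, and all keys and request data are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is what the guest TSS interface hands to the VirtIO front-end driver;
// VM names the guest and KeyHandle names a key that exists only inside the coprocessor.
type Request struct {
	ID        int
	VM        string
	KeyHandle string
	Data      []byte
}

type Response struct {
	ID       int
	MAC, Err string // hex HMAC-SHA256 of Data, or an error message
}

// Ring is a fixed-capacity ring queue standing in for the VirtQueue/vring shared by the
// front-end (guest kernel) and back-end (host user space) drivers. Single producer, single
// consumer: the front-end finishes writing before the back-end starts draining.
type Ring struct {
	slots      []Request
	head, tail int // head: next slot the back-end reads; tail: next slot the front-end writes
	count      int
}

// Push is the front-end side: write a pending request, or fail if the ring is full.
func (r *Ring) Push(req Request) error {
	if r.count == len(r.slots) {
		return errors.New("ring full")
	}
	r.slots[r.tail] = req
	r.tail, r.count = (r.tail+1)%len(r.slots), r.count+1
	return nil
}

// Pop is the back-end side: take the oldest pending request, if any.
func (r *Ring) Pop() (req Request, ok bool) {
	if r.count == 0 {
		return
	}
	req, ok = r.slots[r.head], true
	r.head, r.count = (r.head+1)%len(r.slots), r.count-1
	return
}

// Coprocessor models the hardware cryptographic coprocessor: keys never leave it and each
// key is bound to the VM that owns it, which is the instance isolation the page claims.
type Coprocessor struct {
	keys map[string]map[string][]byte // VM -> key handle -> key
}

// Process is the "secure operation": here an HMAC under a VM-bound key.
func (c *Coprocessor) Process(req Request) Response {
	key, ok := c.keys[req.VM][req.KeyHandle]
	if !ok {
		return Response{ID: req.ID, Err: "key handle not owned by this VM"}
	}
	m := hmac.New(sha256.New, key)
	m.Write(req.Data)
	return Response{ID: req.ID, MAC: hex.EncodeToString(m.Sum(nil))}
}

// RunPipeline plays the whole path: the front-end writes every request into the ring, the
// back-end drains the ring and calls the coprocessor, and each result comes back on a
// completion channel that stands in for the injected interrupt.
func RunPipeline(ring *Ring, cp *Coprocessor, reqs []Request) (map[int]Response, error) {
	for _, req := range reqs {
		if err := ring.Push(req); err != nil {
			return nil, err
		}
	}
	completions := make(chan Response, len(reqs))
	go func() { // back-end driver
		defer close(completions)
		for req, ok := ring.Pop(); ok; req, ok = ring.Pop() {
			completions <- cp.Process(req)
		}
	}()
	results := map[int]Response{}
	for resp := range completions {
		results[resp.ID] = resp
	}
	return results, nil
}

func main() {
	cp := &Coprocessor{keys: map[string]map[string][]byte{ // constructed keys, not real material
		"vm-a": {"k1": []byte("constructed-key-for-vm-a")},
		"vm-b": {"k1": []byte("constructed-key-for-vm-b")},
	}}
	results, err := RunPipeline(&Ring{slots: make([]Request, 4)}, cp, []Request{
		{ID: 1, VM: "vm-a", KeyHandle: "k1", Data: []byte("hello")},
		{ID: 2, VM: "vm-b", KeyHandle: "k1", Data: []byte("hello")},
		{ID: 3, VM: "vm-b", KeyHandle: "k7", Data: []byte("hello")}, // handle vm-b does not own
	})
	fmt.Println(results, err)
}
```

The third request illustrates the isolation property claimed under the beneficial effects: a guest naming a key handle it does not own gets an error back, never another VM's key or a result computed under it. A full ring is likewise reported to the front-end rather than silently overwriting an older request, which is the situation a real VirtQueue handles with its available/used index pair.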

The virtual machine user space and the virtual machine kernel space together form a virtual network element.

The host user space may contain at least a VirtIO back-end driver (VirtIO BE Driver) and a cryptographic coprocessor encryption interface (Crypto API).

The host user space may also contain a hardware security device, which provides trusted protection for the host's data.

A virtual security device management module may, but need not, be deployed in the host user space. It can be used to register the VirtIO back-end driver, start the virtual network element, and call the cryptographic coprocessor encryption interface.

The virtual security device management module may be, but is not limited to, the QEMU emulator.

The cryptographic coprocessor encryption interface can be used to access the cryptographic coprocessor driver.

The host kernel space may contain a cryptographic coprocessor driver (Crypto Co-processor Driver).

The cryptographic coprocessor driver can be used to access the cryptographic coprocessor.

In this embodiment, the cryptographic coprocessor has a binding relationship with the hardware security device in the host user space, and the binding relationship may be established as follows:

the hardware security device presents its EK (endorsement key) to a local certificate authority (CA) to prove its identity, and then applies to the local CA for a hardware AIK (attestation identity key) certificate;

the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, thereby establishing the binding relationship between the hardware security device and the cryptographic coprocessor.

After the binding relationship between the hardware security device and the cryptographic coprocessor has been established, the certificate link from the hardware security device to the virtual security device may be implemented as follows:

the EK of the virtual security device is generated by the cryptographic coprocessor, and a certificate is issued for the virtual security device's EK under the cryptographic coprocessor's AIK certificate.

After the certificate link from the hardware security device to the virtual security device has been implemented, the certificate chain of the virtual security device may be extended as follows:

the virtual security device uses its EK to prove its identity to the local CA, and then applies to the local CA for a virtual AIK certificate, so that the local CA issues a virtual AIK certificate to the virtual security device.
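The three-stage chain described above (binding, linking, extension), as an added example that is not part of the patent or of any implementation it describes. It is written in Go with only the standard library. Every key is modeled as a P-256 ECDSA key and every certificate as a minimal X.509 certificate; that is an assumption of this example, since in a TCG-compliant TPM the EK is a restricted decryption key rather than a signing key, and proving possession of it to the CA is done by credential activation, which is abstracted away here. The names local-ca, hw-tpm-aik, crypto-coprocessor-aik, vtpm-ek and vtpm-aik are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue signs a certificate for pub. When parent is nil the certificate is
// self-signed (the local CA root). isCA marks certificates that will
// themselves sign further certificates in the chain.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Chain holds the certificates produced by the binding and extension steps.
type Chain struct {
	CA, HwAIK, CpAIK, VEK, VAIK *x509.Certificate
}

// BuildChain performs the three stages in order:
//  1. binding:   CA -> hardware AIK -> coprocessor AIK
//  2. linking:   coprocessor AIK -> vEK
//  3. extension: CA -> vAIK (after the vTPM proves possession of vEK)
func BuildChain() (Chain, error) {
	caKey, hwAIKKey, cpAIKKey, vekKey, vaikKey := newKey(), newKey(), newKey(), newKey(), newKey()
	var c Chain
	var err error
	if c.CA, err = issue("local-ca", true, &caKey.PublicKey, nil, caKey); err != nil {
		return c, err
	}
	// Stage 1: the hardware TPM proves itself to the CA (credential activation
	// in a real TPM) and receives its AIK certificate, then certifies the
	// coprocessor's AIK with that hardware AIK.
	if c.HwAIK, err = issue("hw-tpm-aik", true, &hwAIKKey.PublicKey, c.CA, caKey); err != nil {
		return c, err
	}
	if c.CpAIK, err = issue("crypto-coprocessor-aik", true, &cpAIKKey.PublicKey, c.HwAIK, hwAIKKey); err != nil {
		return c, err
	}
	// Stage 2: the coprocessor generates the vTPM's EK and certifies it.
	if c.VEK, err = issue("vtpm-ek", false, &vekKey.PublicKey, c.CpAIK, cpAIKKey); err != nil {
		return c, err
	}
	// Stage 3: the vTPM proves possession of vEK to the CA and gets a vAIK certificate.
	if c.VAIK, err = issue("vtpm-aik", false, &vaikKey.PublicKey, c.CA, caKey); err != nil {
		return c, err
	}
	return c, nil
}

// Verify checks that leaf chains to the CA through the given intermediates.
func Verify(ca, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	inter := x509.NewCertPool()
	for _, ic := range intermediates {
		inter.AddCert(ic)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("vEK chain:", Verify(c.CA, c.VEK, c.HwAIK, c.CpAIK))
	fmt.Println("vAIK chain:", Verify(c.CA, c.VAIK))
	// A vEK whose issuing coprocessor AIK is not reachable from the hardware
	// AIK is not bound to any physical device and must be rejected.
	fmt.Println("vEK without coprocessor AIK:", Verify(c.CA, c.VEK, c.HwAIK))
}
```

The last check in main is the one a verifier must make: a vEK certificate is acceptable only when the coprocessor AIK that signed it is itself reachable from the hardware AIK, because that link is what binds the vTPM to a physical hardware security device.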

Based on the above virtual trusted platform, the security processing method provided by this application is shown in FIG. 1 and may include the following steps:

Step S11: the application calls the VirtIO front-end driver through the TSS interface, and the VirtIO front-end driver writes the pending request into the ring queue.

Step S12: the VirtIO back-end driver fetches the pending request from the ring queue and sends it to the cryptographic coprocessor interface.

Step S13: the cryptographic coprocessor interface calls the cryptographic coprocessor driver, which sends the pending request to the cryptographic coprocessor.

Step S14: the cryptographic coprocessor performs the requested security operation on the pending request, obtains a processing result, and returns the processing result to the application.

In this embodiment, returning the processing result to the application may include:

S141: the cryptographic coprocessor driver returns the processing result to the cryptographic coprocessor interface.

Step S15: the application obtains the processing result.

Corresponding to step S141, the application obtaining the processing result may include:

S151: the cryptographic coprocessor interface returns the processing result to the VirtIO back-end driver;

S152: the VirtIO back-end driver returns the processing result to the application through an interrupt injection mechanism.

Returning the processing result through an interrupt injection mechanism ensures that the application receives the result promptly and improves efficiency.

In this application, a virtual trusted platform is provided in which the virtual machine kernel space contains a virtual security device and a VirtIO front-end driver, the host user space contains at least a VirtIO back-end driver and a cryptographic coprocessor interface, and the host kernel space contains a cryptographic coprocessor driver. The application calls the VirtIO front-end driver through the TSS interface to write a pending request into the ring queue; the VirtIO back-end driver fetches the pending request from the ring queue and sends it to the cryptographic coprocessor interface; the cryptographic coprocessor interface calls the cryptographic coprocessor driver to send the pending request to the cryptographic coprocessor; and the cryptographic coprocessor performs the security operation and produces the processing result. Security operations on data are thus performed in hardware, which strengthens the protection capability of the virtual trusted platform and improves data security.

With the VirtIO front-end driver, VirtIO back-end driver, cryptographic coprocessor interface and cryptographic coprocessor driver deployed on the virtual trusted platform, the cryptographic coprocessor stores and uses the keys of different virtual trusted platforms in isolation from one another. When several virtual machines request cryptographic operations at the same time, their operations and keys do not interfere with each other, which achieves instance isolation and improves the isolation of virtual trusted platforms.
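The request path of steps S11 to S15 together with the per-VM key isolation in the coprocessor, as an added example that is not part of the patent. It is a Go model, not QEMU or Linux virtio code: the ring is a plain array with avail/used indices standing in for the vring descriptor, available and used rings; the Crypto API and driver layers are collapsed into Coprocessor.Process; the security operation is an HMAC-SHA256 under a key that exists only inside the coprocessor and is selected by the requesting VM's identity; and the notify callback stands in for the interrupt injected into the guest. The VM names, key names and request data are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is one entry the VirtIO front-end places in the ring (step S11).
// VM identifies the requesting virtual trusted platform; KeyID names a key
// that must live under that VM's partition inside the coprocessor.
type Request struct {
	VM    string
	KeyID string
	Data  []byte
}

// Result is what the back-end delivers through interrupt injection (S152).
type Result struct {
	Req Request
	MAC string
	Err error
}

// Ring models the vring shared between guest kernel and host user space: a
// fixed-size descriptor table, an "available" index advanced by the
// front-end and a "used" index advanced by the back-end.
type Ring struct {
	desc  []Request
	avail uint32 // next slot the front-end will fill
	used  uint32 // next slot the back-end will consume
}

func NewRing(size int) *Ring { return &Ring{desc: make([]Request, size)} }

// Submit is the front-end side: write the descriptor and bump avail.
func (r *Ring) Submit(req Request) error {
	if r.avail-r.used == uint32(len(r.desc)) {
		return errors.New("vring full")
	}
	r.desc[r.avail%uint32(len(r.desc))] = req
	r.avail++
	return nil
}

// Poll is the back-end side (S12): drain everything between used and avail.
func (r *Ring) Poll() []Request {
	var out []Request
	for r.used != r.avail {
		out = append(out, r.desc[r.used%uint32(len(r.desc))])
		r.used++
	}
	return out
}

// Coprocessor holds keys partitioned by VM. A request can only reference
// keys under its own VM's partition, which is the instance isolation the
// platform relies on when several VMs submit requests at once.
type Coprocessor struct {
	keys map[string]map[string][]byte // vm -> keyID -> key material
}

// Process is the security operation (S13/S14): an HMAC under the VM's key.
func (c *Coprocessor) Process(req Request) (string, error) {
	k, ok := c.keys[req.VM][req.KeyID]
	if !ok {
		return "", fmt.Errorf("vm %q has no key %q", req.VM, req.KeyID)
	}
	m := hmac.New(sha256.New, k)
	m.Write(req.Data)
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Backend drains the ring, forwards each request to the coprocessor and
// delivers the result through notify, which stands in for the interrupt
// injected into the guest (S151/S152).
func Backend(r *Ring, cp *Coprocessor, notify func(Result)) {
	for _, req := range r.Poll() {
		mac, err := cp.Process(req)
		notify(Result{Req: req, MAC: mac, Err: err})
	}
}

// RunPipeline wires the pieces together on constructed sample requests:
// two VMs using the same key name, and one VM asking for a key it does not own.
func RunPipeline() []Result {
	cp := &Coprocessor{keys: map[string]map[string][]byte{
		"vm-a": {"k1": []byte("key-material-for-vm-a")},
		"vm-b": {"k1": []byte("key-material-for-vm-b")},
	}}
	ring := NewRing(4)
	_ = ring.Submit(Request{VM: "vm-a", KeyID: "k1", Data: []byte("hello")})
	_ = ring.Submit(Request{VM: "vm-b", KeyID: "k1", Data: []byte("hello")})
	_ = ring.Submit(Request{VM: "vm-b", KeyID: "k9", Data: []byte("hello")})
	var results []Result
	Backend(ring, cp, func(res Result) { results = append(results, res) })
	return results
}

func main() {
	for _, res := range RunPipeline() {
		fmt.Printf("%s/%s -> mac=%s err=%v\n", res.Req.VM, res.Req.KeyID, res.MAC, res.Err)
	}
}
```

The same key name under two VMs yields two different MACs because the lookup is keyed by the VM first; a key that is not in the requesting VM's partition is refused rather than looked up elsewhere.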

As another optional embodiment of this application, FIG. 3 is a schematic flowchart of a security processing method provided in Embodiment 2. This embodiment mainly extends the security processing method described in Embodiment 1 above. As shown in FIG. 3, the method may include, but is not limited to, the following steps:

Step S21: the application calls the VirtIO front-end driver through the TSS interface, and the VirtIO front-end driver writes the pending request into the ring queue.

Step S22: the VirtIO back-end driver fetches the pending request from the ring queue and sends it to the cryptographic coprocessor interface.

Step S23: the cryptographic coprocessor interface calls the cryptographic coprocessor driver, which sends the pending request to the cryptographic coprocessor.

Step S24: the cryptographic coprocessor performs the requested security operation on the pending request, obtains a processing result, and returns the processing result to the application.

Step S25: the application obtains the processing result.

For the details of steps S21-S25, refer to the description of steps S11-S15 above; they are not repeated here.

Step S26: the virtual security device maps the measurement values held in the registers of the hardware security device in the host user space into the registers of the virtual security device.

As shown in FIG. 4, mapping the measurement values in the registers of the hardware security device in the host user space into the registers of the virtual security device may include: mapping the measurement values in PCR 0-7 of the hardware security device (hardware TPM) into PCR 0-7 of the virtual security device (vTPM).

Step S27: when remote attestation of the virtual machine user space and the virtual machine kernel space is performed, the virtual security device signs the measurement values in its registers with the virtual AIK (the key to which the virtual AIK certificate was issued) to obtain a measurement signature.

Step S28: the virtual security device sends the measurement signature and the measurement values in its registers to the remote attestation device, so that the remote attestation device attests the hardware security device based on the measurement values in the virtual security device's registers, and attests the virtual security device based on the measurement signature together with those measurement values.

In this embodiment, because the virtual security device sends both the measurement signature and the measurement values in its registers to the remote attestation device, the remote attestation device can attest the hardware security device from the measurement values and attest the virtual security device from the signature and the measurement values. This realizes deep attestation of the virtual network element and meets the trust requirements placed on virtual network elements in 5G cloud-based networks.
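The PCR mapping, quote signing and verification of steps S26 to S28, as an added example that is not part of the patent. Go, standard library only. Assumptions: a SHA-256 PCR bank with the TPM extend rule PCR = H(PCR || measurement); a P-256 ECDSA key standing in for the vAIK, whose certificate is taken as already issued; a nonce supplied by the verifier so that an old quote cannot be replayed; and constructed measurement strings and reference values. The verifier's order matters: it checks the signature before it compares any PCR, and it compares both the mapped hardware PCRs 0-7 and the guest PCRs, which is what makes this an attestation of the virtual network element rather than of the host alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const nPCR = 24

// PCRBank is a bank of SHA-256 platform configuration registers.
type PCRBank [nPCR][32]byte

// Extend applies the TPM rule PCR[i] = H(PCR[i] || measurement).
func (b *PCRBank) Extend(i int, measurement []byte) {
	h := sha256.New()
	h.Write(b[i][:])
	h.Write(measurement)
	copy(b[i][:], h.Sum(nil))
}

// MapFromHardware copies hardware PCR 0-7 (the platform boot measurements)
// into the vTPM bank, as in step S26; PCR 8 and above stay guest-specific.
func (b *PCRBank) MapFromHardware(hw *PCRBank) {
	for i := 0; i < 8; i++ {
		b[i] = hw[i]
	}
}

// Quote carries the PCR values, the verifier's nonce and the vAIK signature
// over both (step S27).
type Quote struct {
	PCRs  PCRBank
	Nonce []byte
	Sig   []byte
}

func quoteDigest(pcrs *PCRBank, nonce []byte) []byte {
	h := sha256.New()
	var idx [4]byte
	for i := 0; i < nPCR; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		h.Write(idx[:])
		h.Write(pcrs[i][:])
	}
	h.Write(nonce)
	return h.Sum(nil)
}

func MakeQuote(vaik *ecdsa.PrivateKey, bank *PCRBank, nonce []byte) (Quote, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, vaik, quoteDigest(bank, nonce))
	return Quote{PCRs: *bank, Nonce: nonce, Sig: sig}, err
}

// VerifyQuote is the remote attestation device's side of step S28: nonce,
// then vAIK signature, then hardware PCR 0-7 against the platform reference,
// then the guest PCRs against the guest reference. All must pass.
func VerifyQuote(vaikPub *ecdsa.PublicKey, q Quote, nonce []byte, refHw [8][32]byte, refGuest map[int][32]byte) error {
	if string(q.Nonce) != string(nonce) {
		return errors.New("nonce mismatch: possible replay")
	}
	if !ecdsa.VerifyASN1(vaikPub, quoteDigest(&q.PCRs, nonce), q.Sig) {
		return errors.New("vAIK signature invalid")
	}
	for i := 0; i < 8; i++ {
		if q.PCRs[i] != refHw[i] {
			return fmt.Errorf("hardware PCR%d differs from reference", i)
		}
	}
	for i, want := range refGuest {
		if q.PCRs[i] != want {
			return fmt.Errorf("guest PCR%d differs from reference", i)
		}
	}
	return nil
}

// AttestDemo builds constructed measurements, runs a clean attestation and a
// tampered-guest attestation, and returns both verification results.
func AttestDemo() (clean, tampered error) {
	vaik, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the certified vAIK
	if err != nil {
		panic(err)
	}
	var hw PCRBank
	hw.Extend(0, []byte("firmware-image-v1")) // constructed boot measurements
	hw.Extend(7, []byte("secure-boot-policy"))
	var vtpm PCRBank
	vtpm.MapFromHardware(&hw)
	vtpm.Extend(10, []byte("guest-kernel-5.10"))

	var refHw [8][32]byte
	copy(refHw[:], hw[:8]) // reference values held by the attestation device
	var ref PCRBank
	ref.Extend(10, []byte("guest-kernel-5.10"))
	refGuest := map[int][32]byte{10: ref[10]}

	nonce := []byte("verifier-nonce-0001")
	q, err := MakeQuote(vaik, &vtpm, nonce)
	if err != nil {
		panic(err)
	}
	clean = VerifyQuote(&vaik.PublicKey, q, nonce, refHw, refGuest)

	// Same host, but the guest booted a different kernel: the signature is
	// still valid, PCR10 diverges, and attestation of the guest fails.
	var bad PCRBank
	bad.MapFromHardware(&hw)
	bad.Extend(10, []byte("guest-kernel-patched"))
	q2, _ := MakeQuote(vaik, &bad, nonce)
	tampered = VerifyQuote(&vaik.PublicKey, q2, nonce, refHw, refGuest)
	return clean, tampered
}

func main() {
	clean, tampered := AttestDemo()
	fmt.Println("clean guest:", clean)
	fmt.Println("tampered guest:", tampered)
}
```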

As another optional embodiment of this application, FIG. 5 is a schematic flowchart of a security processing method provided in Embodiment 3. This embodiment mainly extends the security processing method described in Embodiment 1 above. As shown in FIG. 5, the method may include, but is not limited to, the following steps:

Step S31: the application calls the VirtIO front-end driver through the TSS interface, and the VirtIO front-end driver writes the pending request into the ring queue.

Step S32: the VirtIO back-end driver fetches the pending request from the ring queue and sends it to the cryptographic coprocessor interface.

Step S33: the cryptographic coprocessor interface calls the cryptographic coprocessor driver, which sends the pending request to the cryptographic coprocessor.

Step S34: the cryptographic coprocessor performs the requested security operation on the pending request, obtains a processing result, and returns the processing result to the application.

Step S35: the application obtains the processing result.

For the details of steps S31-S35, refer to the description of steps S11-S15 above; they are not repeated here.

Step S36: the virtual security device management module in the host user space receives a migration command from the cloud migration control server, locks the virtual trusted platform, and packages the data associated with the virtual security device to obtain a data package.

In this embodiment, locking the virtual trusted platform can be understood as: the virtual trusted platform no longer performs trusted measurement or computation.

Step S37: the virtual security device management module obtains the session encryption key that the cloud migration control server has allocated to the virtual trusted platform. The session encryption key is allocated as follows: the hardware security device in the virtual trusted platform attests the host user space and the host kernel space, and after the host user space and the host kernel space have been proven trustworthy, the session encryption key is allocated to the virtual trusted platform.

Step S38: the virtual security device management module encrypts the data package with the session encryption key to obtain encrypted data, and signs the encrypted data package with the cryptographic coprocessor to obtain a data signature.

Step S39: the virtual security device management module sends the encrypted data and the data signature to the host user space of another virtual trusted platform, so that the host user space of the other virtual trusted platform applies to the cloud migration control server for the session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.

In this embodiment, verifying the data signature checks whether the migrated data has been tampered with, which ensures the integrity of the data.

After the host user space of the other virtual trusted platform sends a migration-completed message to the cloud migration control server, the cloud migration control server may forward the migration-completed message to the virtual trusted platform that sent the data, and that platform then deletes the migrated vTPM data from its cryptographic coprocessor so that the vTPM remains unique. At the same time, migration of the vTPM changes the infrastructure beneath it, so the certificate chain of the vEK and vAIK certificates must be re-extended to ensure the binding between the vTPM and the hardware device.
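The migration exchange of steps S36 to S39 and the cleanup after the migration-completed message, as an added example that is not part of the patent. Go, standard library only. Assumptions: the session key handed out by the migration control server is a 32-byte AES-256-GCM key, the cryptographic coprocessor signs with a P-256 ECDSA key, the vTPM state is a small JSON document with constructed contents, and the vTPM instance ID is bound to the ciphertext as GCM associated data. The receiver checks the data signature before decrypting, so a modified package is rejected without the session key ever being used on it; the steps above list decryption first, and either order detects tampering, but verifying first is the cheaper failure path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// VTPMState is the data associated with the virtual security device that is
// packaged in step S36; the field contents are constructed placeholders.
type VTPMState struct {
	InstanceID string            `json:"instance_id"`
	PCRs       map[string]string `json:"pcrs"`
}

// Package is what crosses to the destination host: nonce and ciphertext under
// the session key, plus the coprocessor's signature over both.
type Package struct{ Nonce, Ciphertext, Signature []byte }

// SourcePlatform models the management module on the sending host together
// with the coprocessor key it signs with (ECDSA is an assumption here).
type SourcePlatform struct {
	Locked bool
	state  *VTPMState
	cpKey  *ecdsa.PrivateKey
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func signedDigest(nonce, ct []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return d[:]
}

// Migrate implements S36-S38: lock the platform, package the state, encrypt
// it under the session key, then sign the ciphertext.
func (s *SourcePlatform) Migrate(sessionKey []byte) (Package, error) {
	s.Locked = true // no further measurement or computation is accepted
	plain, err := json.Marshal(s.state)
	if err != nil {
		return Package{}, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return Package{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Package{}, err
	}
	ct := gcm.Seal(nil, nonce, plain, []byte(s.state.InstanceID)) // instance ID bound as AAD
	sig, err := ecdsa.SignASN1(rand.Reader, s.cpKey, signedDigest(nonce, ct))
	return Package{nonce, ct, sig}, err
}

// Receive is the destination side of S39: check the data signature with the
// sender's coprocessor public key first, then decrypt with the session key
// obtained from the migration control server.
func Receive(pkg Package, senderPub *ecdsa.PublicKey, sessionKey []byte, instanceID string) (*VTPMState, error) {
	if !ecdsa.VerifyASN1(senderPub, signedDigest(pkg.Nonce, pkg.Ciphertext), pkg.Signature) {
		return nil, errors.New("data signature invalid: package rejected")
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, []byte(instanceID))
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	st := &VTPMState{}
	return st, json.Unmarshal(plain, st)
}

// Complete is the source's reaction to the migration-completed message: the
// migrated vTPM data is deleted so that exactly one copy remains.
func (s *SourcePlatform) Complete() { s.state = nil }

// MigrationDemo runs one migration and one tampered delivery on constructed
// state. The session key is generated locally here; in the patent the
// migration control server allocates it after attesting the host.
func MigrationDemo() (migrated *VTPMState, tamperedErr error, sourceRetains bool) {
	cpKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sessionKey := make([]byte, 32) // AES-256-GCM
	if _, err := rand.Read(sessionKey); err != nil {
		panic(err)
	}
	src := &SourcePlatform{cpKey: cpKey, state: &VTPMState{
		InstanceID: "vtpm-42", PCRs: map[string]string{"10": "9f86d081884c7d65"},
	}}
	pkg, err := src.Migrate(sessionKey)
	if err != nil {
		panic(err)
	}
	if migrated, err = Receive(pkg, &cpKey.PublicKey, sessionKey, "vtpm-42"); err != nil {
		panic(err)
	}
	bad := pkg
	bad.Ciphertext = append([]byte{}, pkg.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, tamperedErr = Receive(bad, &cpKey.PublicKey, sessionKey, "vtpm-42")
	src.Complete()
	return migrated, tamperedErr, src.state != nil
}

func main() {
	m, tErr, retains := MigrationDemo()
	fmt.Printf("migrated %s; tampered package: %v; source retains copy: %v\n", m.InstanceID, tErr, retains)
}
```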

The virtual trusted platform provided by this application is described next. The hardware-assisted virtual trusted platform described below and the security processing method described above may be referred to in correspondence with each other.

In this embodiment, as shown in FIG. 1, the hardware-assisted virtual trusted platform includes: a virtual machine user space, a virtual machine kernel space, a host user space, a host kernel space and a cryptographic coprocessor. An application and a TSS interface are deployed in the virtual machine user space; the virtual machine kernel space contains a virtual security device and a VirtIO front-end driver; the host user space contains at least a VirtIO back-end driver and a cryptographic coprocessor interface; and the host kernel space contains a cryptographic coprocessor driver.

The application is configured to call the VirtIO front-end driver through the TSS interface;

the VirtIO front-end driver is configured to write the pending request into the ring queue;

the VirtIO back-end driver is configured to fetch the pending request from the ring queue and send it to the cryptographic coprocessor interface;

the cryptographic coprocessor interface is configured to call the cryptographic coprocessor driver;

the cryptographic coprocessor driver is configured to send the pending request to the cryptographic coprocessor;

the cryptographic coprocessor is configured to perform the requested security operation on the pending request, obtain a processing result, and return the processing result to the application;

the application is further configured to obtain the processing result.

In this embodiment, the cryptographic coprocessor interface is further configured to receive the processing result returned by the cryptographic coprocessor through the cryptographic coprocessor driver, and to return the processing result to the VirtIO back-end driver;

the VirtIO back-end driver is further configured to return the processing result to the application through an interrupt injection mechanism.

In this embodiment, the virtual trusted platform further includes:

a binding module, by which the hardware security device, after presenting its EK to the local certificate authority to prove its identity, applies to the local certificate authority for a hardware AIK certificate, and

the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, establishing the binding relationship between the hardware security device and the cryptographic coprocessor.

In this embodiment, the cryptographic coprocessor is further configured to:

generate the EK of the virtual security device and issue a certificate for the virtual security device's EK;

the virtual security device is configured to, after proving its identity to the local certificate authority with its EK, apply to the local certificate authority for a virtual AIK certificate, so that the local certificate authority issues a virtual AIK certificate to the virtual security device.

In this embodiment, the virtual security device may further be configured to:

map the measurement values in the registers of the hardware security device in the host user space into the registers of the virtual security device;

when remote attestation of the virtual machine user space and the virtual machine kernel space is performed, sign the measurement values in the registers of the virtual security device with the virtual AIK to obtain a measurement signature;

send the measurement signature and the measurement values in the registers of the virtual security device to the remote attestation device, so that the remote attestation device attests the hardware security device based on the measurement values in the virtual security device's registers, and attests the virtual security device based on the measurement signature together with those measurement values.

In this embodiment, the host user space may further include a virtual security device management module configured to:

receive a migration command from the cloud migration control server, lock the virtual trusted platform, and package the data associated with the virtual security device to obtain a data package;

obtain the session encryption key allocated to the virtual trusted platform by the cloud migration control server, the session encryption key being allocated as follows: the hardware security device in the virtual trusted platform attests the virtual trusted platform, and after the virtual trusted platform has been proven trustworthy, a session encryption key is allocated to it;

encrypt the data package with the session encryption key to obtain encrypted data, and sign the encrypted data package with the cryptographic coprocessor to obtain a data signature;

send the encrypted data and the data signature to the host user space of another virtual trusted platform, so that the host user space of the other virtual trusted platform applies to the cloud migration control server for the session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.

It should be noted that each embodiment focuses on its differences from the other embodiments; for the parts that are the same or similar, the embodiments may be referred to one another. Since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant details, refer to the description of the method embodiment.

Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.

For convenience of description, the above apparatus is described in terms of functional units. Of course, when implementing this application, the functions of the units may be implemented in one or more pieces of software and/or hardware.

From the description of the above embodiments, those skilled in the art can clearly understand that this application may be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments, or in parts of the embodiments, of this application.

The hardware-assisted virtual trusted platform and security processing method provided by this application have been described in detail above. Specific examples have been used to explain the principles and implementation of this application; the description of the above embodiments is only intended to help understand the method of this application and its core idea. At the same time, those of ordinary skill in the art may, following the idea of this application, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting this application.

Claims (12)

1.一种安全处理方法,其特征在于,基于虚拟可信平台,所述虚拟可信平台包括:虚拟机用户空间、虚拟机内核空间、主机用户空间、主机内核空间和密码协处理器,所述虚拟机用户空间中部署有应用程序和TSS接口,所述虚拟机内核空间包含虚拟安全设备和VirtIO前端驱动,所述主机用户空间至少包含VirtIO后端驱动和密码协处理器加密接口,所述主机内核空间包含密码协处理器驱动程序,该方法包括:1. a security processing method, it is characterized in that, based on virtual trusted platform, described virtual trusted platform comprises: virtual machine user space, virtual machine kernel space, host user space, host kernel space and cryptographic coprocessor, so An application program and a TSS interface are deployed in the virtual machine user space, the virtual machine kernel space includes a virtual security device and a VirtIO front-end driver, the host user space at least includes a VirtIO back-end driver and a cryptographic coprocessor encryption interface, and the The host kernel space contains the cryptographic coprocessor driver, which includes: 所述应用程序使用所述TSS接口调用所述VirtIO前端驱动,由所述VirtIO前端驱动将待处理请求写入环形队列;The application uses the TSS interface to call the VirtIO front-end driver, and the VirtIO front-end driver writes the pending request into the ring queue; 所述VirtIO后端驱动从所述环形队列中获取所述待处理请求,并将所述待处理请求发送给所述密码协处理器加密接口;The VirtIO backend driver obtains the pending request from the circular queue, and sends the pending request to the cryptographic coprocessor encryption interface; 所述密码协处理器加密接口通过调用所述密码协处理器驱动程序,将所述待处理请求发送给所述密码协处理器;The cryptographic coprocessor encryption interface sends the pending request to the cryptographic coprocessor by invoking the cryptographic coprocessor driver; 所述密码协处理器对所述待处理请求进行安全运算处理,得到处理结果,并将所述处理结果返回给所述应用程序;The cryptographic coprocessor performs secure operation processing on the pending request, obtains a processing result, and returns the processing result to the application; 所述应用程序获取所述处理结果。The application acquires the processing result. 2.根据权利要求1所述的方法,其特征在于,所述将所述处理结果返回给所述应用程序,包括:2. 
The method according to claim 1, wherein returning the processing result to the application comprises:
returning the processing result to the cryptographic coprocessor encryption interface through the cryptographic coprocessor driver, so that the cryptographic coprocessor encryption interface returns the processing result to the VirtIO back-end driver;
and wherein the application obtaining the processing result comprises:
the application receiving the processing result returned by the VirtIO back-end driver through an interrupt injection mechanism.

3. The method according to claim 1, wherein the cryptographic coprocessor has a binding relationship with a hardware security device in the host user space, the binding relationship being established in the following manner:
the hardware security device, after presenting its EK key to a local certificate issuing authority to prove its identity, applies to the local certificate issuing authority for a hardware AIK certificate;
the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, so as to establish the binding relationship between the hardware security device and the cryptographic coprocessor.

4. The method according to claim 3, further comprising:
the cryptographic coprocessor generating an EK key for the virtual security device and issuing a certificate for the EK key of the virtual security device;
the virtual security device, after using its EK key to prove its identity to the local certificate issuing authority, applying to the local certificate issuing authority for a virtual AIK certificate, so that the local certificate issuing authority issues the virtual AIK certificate to the virtual security device.

5. The method according to claim 4, further comprising:
the virtual security device mapping the measurement values held in the registers of the hardware security device in the host user space into the registers of the virtual security device;
when remote attestation of the virtual machine user space and the virtual machine kernel space is performed, the virtual security device signing the measurement values in its registers with the virtual AIK certificate to obtain a measurement value signature;
the virtual security device sending the measurement value signature and the measurement values in its registers to a remote attestation device, so that the remote attestation device attests the trustworthiness of the hardware security device based on the measurement values in the registers of the virtual security device, and attests the trustworthiness of the virtual security device based on the measurement value signature and the measurement values in the registers of the virtual security device.

6. The method according to claim 1, further comprising:
a virtual security device management module in the host user space obtaining a migration command from a cloud computing migration control server, locking the virtual trusted platform, and packaging the data associated with the virtual security device to obtain a data package;
the virtual security device management module obtaining a session encryption key allocated by the cloud computing migration control server to the virtual trusted platform, the session encryption key being allocated in the following manner: the virtual trusted platform is attested based on the hardware security device in the virtual trusted platform, and after the virtual trusted platform is proven trustworthy, the session encryption key is allocated to the virtual trusted platform;
the virtual security device management module encrypting the data package with the session encryption key to obtain encrypted data, and signing the encrypted data package with the cryptographic coprocessor to obtain a data signature;
the virtual security device management module sending the encrypted data and the data signature to the host user space of another virtual trusted platform, so that the host user space of the other virtual trusted platform applies to the cloud computing migration control server for a session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.

7. A hardware-assisted virtual trusted platform, comprising: a virtual machine user space, a virtual machine kernel space, a host user space, a host kernel space and a cryptographic coprocessor, wherein an application and a TSS interface are deployed in the virtual machine user space, the virtual machine kernel space comprises a virtual security device and a VirtIO front-end driver, the host user space comprises at least a VirtIO back-end driver and a cryptographic coprocessor encryption interface, and the host kernel space comprises a cryptographic coprocessor driver;
the application is configured to call the VirtIO front-end driver through the TSS interface;
the VirtIO front-end driver is configured to write a pending request into a ring queue;
the VirtIO back-end driver is configured to obtain the pending request from the ring queue and send the pending request to the cryptographic coprocessor encryption interface;
the cryptographic coprocessor encryption interface is configured to call the cryptographic coprocessor driver;
the cryptographic coprocessor driver is configured to send the pending request to the cryptographic coprocessor;
the cryptographic coprocessor is configured to perform secure computation on the pending request to obtain a processing result, and to return the processing result to the application;
the application is further configured to obtain the processing result.
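The certificate chain of claims 3 and 4 and the register-mapping quote of claim 5 (restated for the platform in claims 9 to 11), as an added Go example that is not part of the patent or of any implementation of it. The certificates are a deliberately minimal signed (subject name, public key) structure rather than X.509, the local certificate issuing authority is modelled as a single ECDSA key, proving identity with an EK is modelled as signing a nonce issued by the relying party, and the hardware device's own EK proof in claim 3 is the same nonce-signature step shown here for the virtual EK. All names, nonces and register values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"reflect"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// Every signature in this model is ECDSA P-256 over SHA-256(msg).
func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	must(err)
	return sig
}
func verify(p *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(p, h[:], sig)
}

// Cert is a minimal stand-in for the EK/AIK certificates (not X.509): issuer signs (subject || public key).
type Cert struct {
	Subject string
	Pub     *ecdsa.PublicKey
	Sig     []byte
}

func certMsg(subject string, pub *ecdsa.PublicKey) []byte {
	return append(append([]byte(subject+"|"), pub.X.Bytes()...), pub.Y.Bytes()...)
}
func IssueCert(issuer *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) Cert {
	return Cert{Subject: subject, Pub: pub, Sig: sign(issuer, certMsg(subject, pub))}
}
func VerifyCert(c Cert, issuerPub *ecdsa.PublicKey) bool {
	return verify(issuerPub, certMsg(c.Subject, c.Pub), c.Sig)
}

// quoteMsg binds each register value to its index and to the verifier's nonce, so swaps and replays fail.
func quoteMsg(pcrs [][32]byte, nonce []byte) []byte {
	msg := append([]byte{}, nonce...)
	for i, v := range pcrs {
		msg = append(append(msg, byte(i)), v[:]...)
	}
	return msg
}

// MapAndQuote copies the hardware registers into the virtual device and signs them with the vAIK (claim 5).
func MapAndQuote(hwPCRs [][32]byte, vAIK *ecdsa.PrivateKey, nonce []byte) ([][32]byte, []byte) {
	vPCRs := append([][32]byte{}, hwPCRs...)
	return vPCRs, sign(vAIK, quoteMsg(vPCRs, nonce))
}

// VerifyQuote is the remote attestation device's check: vAIK cert chains to the local CA,
// the signature verifies for the nonce it issued, and the values equal the expected (golden) set.
func VerifyQuote(pcrs [][32]byte, sig []byte, vAIKCert Cert, localCA *ecdsa.PublicKey, nonce []byte, golden [][32]byte) bool {
	return VerifyCert(vAIKCert, localCA) && verify(vAIKCert.Pub, quoteMsg(pcrs, nonce), sig) && reflect.DeepEqual(pcrs, golden)
}

// RunChain walks claims 3 to 5 end to end with constructed values and reports the verifier's verdict.
func RunChain() bool {
	localCA, hwAIK, copAIK, vEK, vAIK := newKey(), newKey(), newKey(), newKey(), newKey()
	nonce := []byte("constructed-nonce")
	// claim 3: the local CA issues the hardware AIK certificate after the hardware device's EK proof
	hwAIKCert := IssueCert(localCA, "hw-aik", &hwAIK.PublicKey)
	// claim 3: the hardware AIK certifies the coprocessor AIK (the binding relationship);
	// claim 4: the coprocessor generates the virtual device's EK and certifies it
	copAIKCert := IssueCert(hwAIK, "coprocessor-aik", &copAIK.PublicKey)
	vEKCert := IssueCert(copAIK, "vtpm-ek", &vEK.PublicKey)
	// claim 4: the local CA checks the vEK chains back to the hardware AIK and that the device holds it
	if !VerifyCert(copAIKCert, hwAIKCert.Pub) || !VerifyCert(vEKCert, copAIKCert.Pub) || !verify(vEKCert.Pub, nonce, sign(vEK, nonce)) {
		return false
	}
	vAIKCert := IssueCert(localCA, "vtpm-aik", &vAIK.PublicKey)
	// claim 5: map the hardware registers into the virtual device, quote them, verify remotely
	golden := [][32]byte{sha256.Sum256([]byte("constructed-bios")), sha256.Sum256([]byte("constructed-kernel"))}
	pcrs, sig := MapAndQuote(golden, vAIK, nonce)
	return VerifyQuote(pcrs, sig, vAIKCert, &localCA.PublicKey, nonce, golden)
}

func main() {
	fmt.Println("remote attestation accepted the virtual device's quote:", RunChain())
}
```

The verifier's trust anchor is only the local CA's public key: the binding of the coprocessor to the hardware device is checked by the CA before it issues the virtual AIK certificate, so the remote attestation device never needs the coprocessor's key. Including the register index in the signed message matters because the claim signs a set of register values, and without the index a quote with two registers exchanged would still verify.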
8. The virtual trusted platform according to claim 7, wherein the cryptographic coprocessor encryption interface is further configured to receive the processing result returned by the cryptographic coprocessor through the cryptographic coprocessor driver, and to return the processing result to the VirtIO back-end driver;
the VirtIO back-end driver is further configured to return the processing result to the application through an interrupt injection mechanism.

9. The virtual trusted platform according to claim 7, further comprising:
an establishing module, configured for the hardware security device to apply to a local certificate issuing authority for a hardware AIK certificate after presenting its EK key to the local certificate issuing authority to prove its identity;
wherein the hardware security device uses the hardware AIK certificate to issue an AIK certificate to the cryptographic coprocessor, so as to establish a binding relationship between the hardware security device and the cryptographic coprocessor.

10. The virtual trusted platform according to claim 9, wherein the cryptographic coprocessor is further configured to:
generate an EK key for the virtual security device and issue a certificate for the EK key of the virtual security device;
and the virtual security device is configured to apply to the local certificate issuing authority for a virtual AIK certificate after using its EK key to prove its identity to the local certificate issuing authority, so that the local certificate issuing authority issues the virtual AIK certificate to the virtual security device.

11. The virtual trusted platform according to claim 10, wherein the virtual security device is further configured to:
map the measurement values held in the registers of the hardware security device in the host user space into the registers of the virtual security device;
when remote attestation of the virtual machine user space and the virtual machine kernel space is performed, sign the measurement values in the registers of the virtual security device with the virtual AIK certificate to obtain a measurement value signature;
send the measurement value signature and the measurement values in the registers of the virtual security device to a remote attestation device, so that the remote attestation device attests the trustworthiness of the hardware security device based on the measurement values in the registers of the virtual security device, and attests the trustworthiness of the virtual security device based on the measurement value signature and the measurement values in the registers of the virtual security device.

12. The virtual trusted platform according to claim 7, wherein the host user space further comprises a virtual security device management module configured to:
obtain a migration command from a cloud computing migration control server, lock the virtual trusted platform, and package the data associated with the virtual security device to obtain a data package;
obtain a session encryption key allocated by the cloud computing migration control server to the virtual trusted platform, the session encryption key being allocated in the following manner: the virtual trusted platform is attested based on the hardware security device in the virtual trusted platform, and after the virtual trusted platform is proven trustworthy, the session encryption key is allocated to the virtual trusted platform;
encrypt the data package with the session encryption key to obtain encrypted data, and sign the encrypted data package with the cryptographic coprocessor to obtain a data signature;
send the encrypted data and the data signature to the host user space of another virtual trusted platform, so that the host user space of the other virtual trusted platform applies to the cloud computing migration control server for a session decryption key matching the session encryption key, decrypts the encrypted data with the session decryption key, and verifies the data signature.
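The migration protection of claims 6 and 12, as an added Go example that is not code from the patent or from any implementation of it. The cloud computing migration control server is modelled as a map from a migration session id to the key it allocated (hypothetical API); the attestation verdict it acts on is passed in as a boolean rather than re-derived, since attestation is the subject of claims 3 to 5. Session encryption is AES-256-GCM, the coprocessor's data signature is ECDSA P-256 over the ciphertext, and the packaged data, session id and keys are all constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MigrationControl stands in for the migration control server: session id -> allocated session key.
type MigrationControl map[string][]byte

// AllocateSessionKey issues a key only to a platform that passed attestation (attested is that verdict).
func (mc MigrationControl) AllocateSessionKey(sessionID string, attested bool) ([]byte, error) {
	if !attested {
		return nil, errors.New("source platform failed attestation: no session key issued")
	}
	key := make([]byte, 32) // AES-256-GCM key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	mc[sessionID] = key
	return key, nil
}

// DecryptionKey is what the destination host applies for; with a symmetric AEAD it is the same key.
func (mc MigrationControl) DecryptionKey(sessionID string) ([]byte, error) {
	if key, ok := mc[sessionID]; ok {
		return key, nil
	}
	return nil, errors.New("unknown migration session")
}

// MigrationPackage is the encrypted data plus the coprocessor's data signature.
type MigrationPackage struct {
	SessionID  string
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte // ECDSA over SHA-256(SessionID || Nonce || Ciphertext)
}

func (p *MigrationPackage) digest() []byte {
	h := sha256.Sum256(append(append([]byte(p.SessionID), p.Nonce...), p.Ciphertext...))
	return h[:]
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pack is the source side: encrypt the data package with the session key, then sign the ciphertext
// with the coprocessor key (encrypt-then-sign, the order the claim gives).
func Pack(sessionID string, data, sessionKey []byte, coprocessor *ecdsa.PrivateKey) (*MigrationPackage, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p := &MigrationPackage{SessionID: sessionID, Nonce: nonce}
	p.Ciphertext = gcm.Seal(nil, nonce, data, []byte(sessionID)) // session id bound as AAD
	p.Signature, err = ecdsa.SignASN1(rand.Reader, coprocessor, p.digest())
	return p, err
}

// Unpack is the destination side: verify the data signature before touching the ciphertext,
// then decrypt with the session decryption key obtained from the controller.
func Unpack(p *MigrationPackage, coprocessorPub *ecdsa.PublicKey, sessionKey []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(coprocessorPub, p.digest(), p.Signature) {
		return nil, errors.New("data signature verification failed")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	data, err := gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.SessionID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong session key or modified data")
	}
	return data, nil
}

func main() {
	mc := MigrationControl{}
	coprocessor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, _ := mc.AllocateSessionKey("migration-42", true) // constructed session id
	pkg, _ := Pack("migration-42", []byte("constructed vTPM state"), key, coprocessor)
	dstKey, _ := mc.DecryptionKey("migration-42")
	data, err := Unpack(pkg, &coprocessor.PublicKey, dstKey)
	fmt.Printf("restored %q, err=%v\n", data, err)
}
```

The destination checks the signature first and only then decrypts, so a package whose ciphertext was altered in transit is rejected without the session key ever being used on attacker-controlled bytes; the session id is also bound into both the AEAD associated data and the signed digest, so a package cannot be replayed under a different migration session.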
CN202110990232.6A 2021-08-26 2021-08-26 Virtual trusted platform based on hardware assistance and security processing method Active CN113703918B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110990232.6A CN113703918B (en) 2021-08-26 2021-08-26 Virtual trusted platform based on hardware assistance and security processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110990232.6A CN113703918B (en) 2021-08-26 2021-08-26 Virtual trusted platform based on hardware assistance and security processing method

Publications (2)

Publication Number Publication Date
CN113703918A CN113703918A (en) 2021-11-26
CN113703918B true CN113703918B (en) 2022-10-11

Family

ID=78655446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110990232.6A Active CN113703918B (en) 2021-08-26 2021-08-26 Virtual trusted platform based on hardware assistance and security processing method

Country Status (1)

Country Link
CN (1) CN113703918B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115203708B (en) * 2022-09-14 2022-12-23 粤港澳大湾区数字经济研究院(福田) Method and system for deploying application data to coprocessor
WO2024108583A1 (en) * 2022-11-25 2024-05-30 华为技术有限公司 Trust measurement method, device, and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139221B (en) * 2013-03-07 2016-07-06 中国科学院软件研究所 Data migration method between a kind of dependable virtual platform and construction method, platform
CN107465689B (en) * 2017-09-08 2020-08-04 大唐高鸿信安(浙江)信息科技有限公司 Key management system and method of virtual trusted platform module in cloud environment

Also Published As

Publication number Publication date
CN113703918A (en) 2021-11-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Patentee after: Information Engineering University of the Chinese People's Liberation Army Cyberspace Force

Country or region after: China

Address before: No. 62 Science Avenue, High tech Zone, Zhengzhou City, Henan Province

Patentee before: Information Engineering University of Strategic Support Force, PLA

Country or region before: China