CN111159716B - Safety protection method and electronic equipment - Google Patents


Info

Publication number
CN111159716B
Authority
CN
China
Prior art keywords
virtual
machine
key
target
physical machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911349197.9A
Other languages
Chinese (zh)
Other versions
CN111159716A (en)
Inventor
郭双拴
闻征涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN201911349197.9A
Publication of CN111159716A
Application granted
Publication of CN111159716B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575: Secure boot
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a safety protection method and electronic equipment, wherein the method comprises the following steps: sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys; and receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for carrying out security verification on an object loaded by the virtual machine, so that the security guarantee of the virtual machine is improved.

Description

Safety protection method and electronic equipment
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a security protection method and an electronic device.
Background
A Virtual Machine (VM) has a Secure Boot function, and the Secure Boot function of the VM is implemented by virtualizing a Unified Extensible Firmware Interface (UEFI) Firmware through a Virtual Machine monitoring module (Hypervisor).
For the UEFI firmware of a virtual machine (referred to as virtual UEFI firmware), the core foundation for realizing the Secure Boot function of the virtual machine is a public key certificate. However, the public key certificate of the virtual machine is stored in the host system in file form, where it is very vulnerable to attack and tampering. Once the public key certificate has been tampered with, an attacker can load an operating system and drivers in the virtual machine at will, with consequences that are hard to foresee.
Disclosure of Invention
The embodiment of the application provides a safety protection method, electronic equipment and a computer storage medium.
The safety protection method provided by the embodiment of the application comprises the following steps:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
The safety protection method provided by the embodiment of the application comprises the following steps:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
The safety protection method provided by the embodiment of the application comprises the following steps:
the method comprises the steps that a virtual machine receives a loading instruction aiming at a target program, and a target virtual key on a main board of a physical machine is loaded on the virtual machine;
and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
The electronic device provided by the embodiment of the application includes:
a sending unit, configured to send a creation instruction to a motherboard of a physical machine, where the creation instruction is used to trigger the motherboard of the physical machine to create one or more virtual keys;
a receiving unit, configured to receive a target virtual key in the one or more virtual keys sent by a motherboard of the physical machine;
and the loading unit is used for loading the target virtual key on the virtual machine, wherein the target virtual key is used for carrying out security verification on the object loaded by the virtual machine.
The electronic device provided by the embodiment of the application includes:
the receiving unit is used for receiving a creation instruction sent by the virtual machine monitoring module;
the creating unit is used for responding to the creating instruction and creating one or more virtual keys on a main board of the physical machine;
a sending unit, configured to send a target virtual key in the one or more virtual keys, where the target virtual key may be loaded on a virtual machine, and perform security verification on an object loaded by the virtual machine.
The electronic device provided by the embodiment of the application includes:
a receiving unit, configured to receive a load instruction for a target program, where a target virtual key on a motherboard of a physical machine is loaded on a virtual machine;
the verification unit is used for responding to the loading instruction and performing security verification on the target program by using the target virtual key;
and the loading unit is used for determining whether to load the target program or not based on the verification result.
The electronic device provided by the embodiment of the application includes: a processor and a memory for storing executable instructions that can be executed on the processor, wherein the processor is configured to execute any of the steps of the above security protection method when executing the executable instructions.
The computer storage medium provided by the embodiment of the application stores computer instructions, and the computer instructions, when executed by the processor, implement any steps of the above security protection method.
In the technical solution of the embodiment of the present application, one or more virtual keys are created on the motherboard of a physical machine, and when the virtual machine monitoring module creates a virtual machine it loads a target virtual key, one of the virtual keys on the motherboard of the physical machine, onto the virtual machine, so that the virtual machine can perform security verification on an object to be loaded by using the target virtual key. With the technical solution of the embodiment of the application, the virtual key of the virtual machine comes from the motherboard of the physical machine, so the virtual machine is not easily tampered with, the virtual machine has the same motherboard-hardware-level security capability as the physical machine, and the security guarantee of the virtual machine is improved.
Drawings
Fig. 1 is a first schematic flow chart of a security protection method according to an embodiment of the present application;
Fig. 2 is an architecture diagram of a physical machine provided by an embodiment of the present application;
Fig. 3 is a second schematic flow chart of a security protection method according to an embodiment of the present application;
Fig. 4 is a third schematic flow chart of a security protection method according to an embodiment of the present application;
Fig. 5 is a first schematic structural composition diagram of an electronic device according to an embodiment of the present application;
Fig. 6 is a second schematic structural composition diagram of an electronic device according to an embodiment of the present application;
Fig. 7 is a schematic structural composition diagram of a virtual machine according to an embodiment of the present application;
Fig. 8 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Various exemplary embodiments of the present application will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the application, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a first schematic flow chart of a security protection method provided in an embodiment of the present application, and as shown in fig. 1, the security protection method includes the following steps:
step 101: sending a creating instruction to a main board of the physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys.
In the embodiment of the present application, the architecture of the physical machine may be divided into three parts: a Main Board (MB), a Kernel, and a User Space. The main board of the physical machine belongs to the hardware part, while the kernel and the user space of the physical machine belong to the software part. Typically, the operating system and drivers run in the kernel, and applications run in the user space.
In this embodiment of the present application, a virtual machine monitoring module (Hypervisor) sends a creation instruction to a motherboard of a physical machine. Here, the virtual machine monitoring module runs in the user space, and the virtual machine monitoring module located in the user space may interact with the main board of the physical machine by:
a kernel driver module is arranged in the kernel of the physical machine and is used to provide a virtual key creation interface; the virtual machine monitoring module calls the virtual key creation interface provided by the kernel driver module and sends a creation instruction to the motherboard of the physical machine.
For example, referring to fig. 2, a kernel driver module uefi.ko is newly added to the kernel of the physical machine; uefi.ko provides a virtual Key creation interface, and user space may call this interface to create a virtual Key (vKey). In a specific implementation, the virtual machine monitoring module provides a virtual key creation interface to the user. Through this interface the user sets the number of vKeys to be created to N, where N is a positive integer; after the setting is completed, the user performs a confirmation operation, which triggers the virtual machine monitoring module to call the virtual key creation interface and send a creation instruction to the motherboard of the physical machine, the creation instruction being used to trigger the motherboard of the physical machine to create one or more virtual keys.
In an embodiment, the virtual key creation interface provided by the kernel driver module has a virtual key deletion function in addition to the virtual key creation function. Specifically, the virtual machine monitoring module calls a virtual key creation interface provided by the kernel driver module, and sends a deletion instruction to the motherboard of the physical machine, where the deletion instruction is used to trigger the motherboard of the physical machine to execute one of the following operations: deleting all virtual keys; the specified virtual key or keys are deleted.
In specific implementation, the virtual machine monitoring module provides a virtual key editing interface for a user, the user can select one or more virtual keys from the created virtual keys through the virtual key editing interface to delete the virtual keys, or select all the virtual keys to delete the virtual keys, and after the selection is completed, the user performs a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creating interface to send a deletion instruction to a mainboard of the physical machine, so that the mainboard of the physical machine is triggered to delete one or more specified virtual keys or delete all the virtual keys.
Step 102: receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
In the embodiment of the application, the mainboard of the physical machine is provided with UEFI firmware, and the UEFI firmware is provided with a physical key. The UEFI firmware is added with a function of virtualizing a physical key, namely one or more virtual keys can be virtualized based on the physical key. The virtualized one or more virtual keys are also stored on the motherboard, for example, in a Non-Volatile Random Access Memory (NVRAM) on the motherboard. It should be noted that the virtual key and the physical key are both stored on the motherboard, and thus they have the same security capability of the motherboard hardware level. The UEFI firmware opens an interface for calling the virtual key in the storage module (such as the NVRAM) through the kernel, so that the virtual machine monitoring module receives a target virtual key in the one or more virtual keys sent by the mainboard of the physical machine directly through the interface when the virtual machine is created.
In this embodiment of the present application, virtual UEFI firmware is provided on the virtual motherboard of the virtual machine, and the virtual machine monitoring module loads the target virtual key onto the virtual UEFI firmware of the virtual machine when creating the virtual machine. It should be noted that loading the target virtual key onto the virtual machine may also be understood as the virtual machine monitoring module binding the target virtual key to the virtual machine.
According to the technical solution of the embodiment of the application, the virtual key of the virtual machine comes from the motherboard of the physical machine, so the virtual machine is not easily tampered with, the virtual machine has the same motherboard-hardware-level security capability as the physical machine, and the security guarantee of the virtual machine is improved.
Fig. 3 is a schematic flowchart of a second security protection method provided in an embodiment of the present application, and as shown in fig. 3, the security protection method includes the following steps:
step 301: and receiving a creation instruction sent by the virtual machine monitoring module.
In the embodiment of the present application, the architecture of the physical machine may be divided into three parts: mainboard, kernel and user space. The main board of the physical machine belongs to the hardware part, and the inner core and the user space of the physical machine belong to the software part. Typically, the operating system and drivers run in the kernel, and the applications run in the user space.
In this embodiment of the present application, a motherboard of a physical machine receives a creation instruction sent by a virtual machine monitoring module. Here, the virtual machine monitoring module runs in the user space, and the main board of the physical machine may interact with the virtual machine monitoring module located in the user space by:
a kernel driver module is arranged in the kernel of the physical machine and is used to provide a virtual key creation interface; the motherboard of the physical machine receives the creation instruction sent by the virtual machine monitoring module through the virtual key creation interface provided by the kernel driver module.
For example, referring to fig. 2, a kernel driver module uefi.ko is newly added to the kernel of the physical machine; uefi.ko provides a virtual Key creation interface, and user space may call this interface to create a virtual Key (vKey). In a specific implementation, the virtual machine monitoring module provides a virtual key creation interface to the user. Through this interface the user sets the number of vKeys to be created to N, where N is a positive integer; after the setting is completed, the user performs a confirmation operation, which triggers the virtual machine monitoring module to call the virtual key creation interface and send a creation instruction to the motherboard of the physical machine, so that the motherboard of the physical machine receives, through the virtual key creation interface, the creation instruction sent by the virtual machine monitoring module.
Step 302: and responding to the creating instruction, and creating one or more virtual keys on the main board of the physical machine.
In this embodiment of the application, the main board of the physical machine responds to the creation instruction, and creates one or more virtual keys on the main board of the physical machine.
In an embodiment, the virtual key creation interface provided by the kernel driver module has a virtual key deletion function in addition to the virtual key creation function. Specifically, the virtual machine monitoring module calls the virtual key creation interface provided by the kernel driver module and sends a deletion instruction to the motherboard of the physical machine, so that the motherboard of the physical machine receives, through the virtual key creation interface, the deletion instruction sent by the virtual machine monitoring module; in response to the deletion instruction, the motherboard of the physical machine deletes all the virtual keys, or deletes one or more specified virtual keys, on the motherboard of the physical machine.
In specific implementation, the virtual machine monitoring module provides a virtual key editing interface for a user, the user can select one or more virtual keys from the created virtual keys through the virtual key editing interface to delete the virtual keys, or select all the virtual keys to delete the virtual keys, and after the selection is completed, the user performs a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creating interface to send a deletion instruction to a mainboard of the physical machine, so that the mainboard of the physical machine is triggered to delete one or more specified virtual keys or delete all the virtual keys.
In this embodiment of the present application, the motherboard of the physical machine has UEFI firmware and a physical key located on the UEFI firmware. The UEFI firmware is added with a function of virtualizing a physical key, namely one or more virtual keys can be virtualized based on the physical key. The UEFI firmware creates one or more virtual keys on a motherboard of the physical machine based on a physical key on the UEFI firmware. The virtualized one or more virtual keys are also stored on the motherboard, for example, in the NVRAM on the motherboard. It should be noted that the virtual key and the physical key are both stored on the motherboard, and thus they have the same security capability of the motherboard hardware level.
Step 303: and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
In this embodiment, the UEFI firmware opens, through the kernel, an interface for calling the virtual keys in the storage module (e.g., NVRAM), so that the motherboard of the physical machine can send a target virtual key among the one or more virtual keys to the virtual machine monitoring module through this interface, and the virtual machine monitoring module loads the target virtual key onto the virtual machine when the virtual machine is created.
According to the technical solution of the embodiment of the application, the virtual key of the virtual machine comes from the motherboard of the physical machine, so the virtual machine is not easily tampered with, the virtual machine has the same motherboard-hardware-level security capability as the physical machine, and the security guarantee of the virtual machine is improved.
Fig. 4 is a schematic flowchart of a third process of the security protection method provided in the embodiment of the present application, and as shown in fig. 4, the security protection method includes the following steps:
step 401: the virtual machine receives a loading instruction for a target program, a target virtual key from the motherboard of a physical machine having been loaded on the virtual machine.
Here, the target virtual key of the virtual machine comes from the motherboard of the physical machine, and therefore the virtual machine is not easily tampered with, and the virtual machine has the same security capability at the motherboard hardware level as the physical machine.
In one embodiment, the target program includes at least one of: system programs and hardware drivers.
It should be noted that a virtual machine refers to a complete computer system with complete hardware system functions, which is simulated by software and runs in a completely isolated environment. The work that can be done in a physical computer can be implemented in a virtual machine. When the target program is loaded through the virtual machine, the security verification needs to be performed on the target program, and the following steps are included.
Step 402: and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
In the embodiment of the application, the target virtual key is a public key; security verification is performed on the target program by using the public key to obtain a verification result; 1) if the verification result is that verification succeeded, the virtual UEFI firmware of the virtual machine loads the target program; 2) if the verification result is that verification failed, the virtual UEFI firmware of the virtual machine refuses to load the target program.
In the above scheme, the verification result is successful verification when the target program is signed by the private key corresponding to the public key.
In the embodiment of the application, the Secure Boot function of the virtual UEFI firmware can be realized through a target virtual key from the motherboard. The target virtual key is a reliable public key, and any system program or hardware driver that is to be loaded on the virtual motherboard must be authenticated by the public key of the virtual UEFI firmware. That is, the target program to be loaded must be signed by the private key corresponding to the public key; otherwise, the virtual UEFI firmware refuses to load the target program. Because a malicious program cannot pass this authentication, the system of the virtual machine cannot be infected, and the security of the virtual machine is guaranteed.
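The two flows described above, the motherboard-side creation and deletion of vKeys driven through the kernel driver interface (figs. 1 and 3) and the virtual UEFI signature check that decides whether a target program is loaded (fig. 4), modelled end to end in Python as an added example. This is not code from the patent or from Lenovo: the toy RSA signing, the `Motherboard`, `KernelDriver` and `VirtualUEFI` classes, the dict that stands in for NVRAM and the sample driver image are all constructed here. Because the page does not say how the firmware derives a virtual key from the physical key, nor who holds a vKey's private half, the example generates a fresh key pair per vKey and reads the private half straight out of the simulated NVRAM to sign the sample program; only the public half is ever handed to the hypervisor.

```python
import hashlib
import random

# Toy RSA over SHA-256 digests with Miller-Rabin primes; assumed here so the example runs stand-alone.
def _is_probable_prime(n, rng, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(rng, bits=256):
    """Return ((n, e), (n, d)); n is ~512 bits, so a SHA-256 digest fits below it."""
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

class Motherboard:
    """Firmware side: the vKeys the UEFI firmware creates, in a dict standing in for NVRAM."""
    def __init__(self, rng):
        self._rng = rng
        self._nvram = {}       # vkey_id -> (public, private); both halves stay on the board
        self._next_id = 1
    def on_create(self, count):
        """Create N vKeys; the page does not say how they derive from the physical key, so each is a fresh pair."""
        if count < 1:
            raise ValueError("N must be a positive integer")
        ids = list(range(self._next_id, self._next_id + count))
        self._nvram.update((vid, generate_keypair(self._rng)) for vid in ids)
        self._next_id += count
        return ids
    def on_delete(self, vkey_ids=None):
        """Delete the listed vKeys, or all of them when vkey_ids is None; returns how many were removed."""
        targets = list(self._nvram) if vkey_ids is None else list(vkey_ids)
        return sum(self._nvram.pop(v, None) is not None for v in targets)
    def on_fetch(self, vkey_id):
        """Hand out the public half only (KeyError if deleted); the private half never leaves NVRAM."""
        return self._nvram[vkey_id][0]

class KernelDriver:
    """Stand-in for uefi.ko: the in-kernel interface the user-space hypervisor calls."""
    def __init__(self, board): self.board = board
    def create_vkeys(self, n): return self.board.on_create(n)
    def delete_vkeys(self, ids=None): return self.board.on_delete(ids)
    def fetch_vkey(self, vkey_id): return self.board.on_fetch(vkey_id)

class VirtualUEFI:
    """Virtual UEFI firmware of one VM; the hypervisor binds the target vKey at VM creation."""
    def __init__(self, driver, target_vkey_id):
        self.vkey_public = driver.fetch_vkey(target_vkey_id)
    def load_program(self, image, signature):
        """Step 402: True (load) only when the image verifies under the bound public key."""
        return verify(self.vkey_public, image, signature)

def run_demo(seed=7):
    """Whole flow: N=3 vKeys, delete one, bind vKey 1 to a VM, attempt four loads."""
    board = Motherboard(random.Random(seed))
    driver = KernelDriver(board)             # the hypervisor reaches the board via uefi.ko
    ids = driver.create_vkeys(3)
    driver.delete_vkeys([ids[2]])
    vm = VirtualUEFI(driver, ids[0])
    # The page does not say who holds a vKey's private half; the demo reads it from simulated NVRAM.
    own_priv, other_priv = board._nvram[ids[0]][1], board._nvram[ids[1]][1]
    image = b"constructed driver image v1"
    sig = sign(own_priv, image)
    return {"remaining": sorted(board._nvram),                              # [1, 2]
            "signed_ok": vm.load_program(image, sig),                       # True
            "tampered": vm.load_program(image + b"\x00", sig),              # False
            "wrong_key": vm.load_program(image, sign(other_priv, image)),   # False
            "unsigned": vm.load_program(image, 0)}                          # False
```

The four load attempts cover the cases the text distinguishes: a program signed by the private key matching the bound vKey loads, while a modified image, an image signed under a different vKey (here vKey 2, which also lives on the board but is not the one bound to this VM) and an unsigned image are all refused. Fetching vKey 3 after its deletion raises `KeyError`, which is the model's equivalent of the motherboard no longer holding that key.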
Fig. 5 is a schematic structural composition diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 5, the electronic device includes:
a sending unit 501, configured to send a creating instruction to a motherboard of a physical machine, where the creating instruction is used to trigger the motherboard of the physical machine to create one or more virtual keys;
a receiving unit 502, configured to receive a target virtual key in the one or more virtual keys sent by a motherboard of the physical machine;
a loading unit 503, configured to load the target virtual key on the virtual machine, where the target virtual key is used to perform security verification on the object loaded by the virtual machine.
In an embodiment, a kernel driver module is disposed in a kernel of the physical machine, and the kernel driver module is configured to provide a virtual key creation interface;
the sending unit 501 is configured to call a virtual key creation interface provided by the kernel driver module, and send a creation instruction to a motherboard of a physical machine.
In an embodiment, the sending unit 501 is further configured to call a virtual key creation interface provided by the kernel driver module, and send a deletion instruction to a motherboard of a physical machine, where the deletion instruction is used to trigger the motherboard of the physical machine to perform one of the following operations:
deleting all virtual keys;
the specified virtual key or keys are deleted.
In one embodiment, the virtual motherboard of the virtual machine has virtual UEFI firmware thereon;
the loading unit 503 is configured to load the target virtual key on virtual UEFI firmware of the virtual machine when the virtual machine is created.
It will be understood by those skilled in the art that the functions implemented by the units in the electronic device shown in fig. 5 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 5 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Fig. 6 is a schematic structural composition diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 6, the electronic device includes:
a receiving unit 601, configured to receive a creation instruction sent by a virtual machine monitoring module;
a creating unit 602, configured to create one or more virtual keys on a motherboard of the physical machine in response to the creating instruction;
a sending unit 603, configured to send a target virtual key in the one or more virtual keys, where the target virtual key can be loaded on a virtual machine, and perform security verification on an object loaded by the virtual machine.
In an embodiment, a kernel driver module is disposed in the kernel of the physical machine, and the kernel driver module is configured to provide a virtual key creation interface;
the receiving unit 601 is configured to receive, through a virtual key creation interface provided by the kernel driver module, a creation instruction sent by the virtual machine monitoring module.
In an embodiment, the receiving unit 601 is further configured to receive, through the virtual key creation interface provided by the kernel driver module, a deletion instruction sent by the virtual machine monitoring module;
the device further comprises: and a deletion unit (not shown in the figure) configured to delete all the virtual keys or delete one or more specified virtual keys on the motherboard of the physical machine in response to the deletion instruction.
In one embodiment, the physical machine has UEFI firmware on a motherboard and a physical key located on the UEFI firmware;
the creating unit 602 is configured to create one or more virtual keys on the motherboard of the physical machine based on the physical key on the UEFI firmware.
Those skilled in the art will appreciate that the functions implemented by the units in the electronic device shown in fig. 6 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 6 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Fig. 7 is a schematic structural component diagram of a virtual machine provided in the embodiment of the present application, and as shown in fig. 7, the virtual machine includes:
a receiving unit 701, configured to receive a load instruction for a target program, where a target virtual key from the motherboard of a physical machine has been loaded on the virtual machine;
a verification unit 702, configured to perform security verification on the target program by using the target virtual key in response to the load instruction;
a loading unit 703, configured to determine whether to load the target program based on the verification result.
In one embodiment, the target virtual key is a public key;
the verification unit 702 is configured to perform security verification on the target program by using the public key to obtain a verification result;
the loading unit 703 is configured to load the target program through the virtual UEFI firmware if the verification result is that the verification is successful; and if the verification result is verification failure, the virtual UEFI firmware refuses to load the target program.
It will be understood by those skilled in the art that the functions implemented by the units in the electronic device shown in fig. 7 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 7 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Based on the hardware implementation of the above device, an embodiment of the present application further provides an electronic device, fig. 8 is a schematic diagram of a hardware structure of the electronic device according to the embodiment of the present application, and as shown in fig. 8, the electronic device includes:
a processor 802 and a memory 801 for storing executable instructions capable of being executed on the processor, wherein the processor 802 is configured to perform any of the above security protection methods when executing the executable instructions.
In one embodiment, the processor 802 is configured to execute the executable instructions to perform the following steps:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
In another embodiment, the processor 802 is configured to execute the executable instructions to perform the following steps:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
In yet another embodiment, the processor 802, when executing the executable instructions, performs the following steps: receiving a load instruction for a target program; and responding to the loading instruction, performing security verification on the target program by using the target virtual key, and determining whether to load the target program based on a verification result.
It will be appreciated that the memory in this embodiment can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium having a memory and a processor reading the information in the memory and combining the hardware to perform the steps of the method.
The embodiment of the application also provides a computer storage medium, in particular a computer readable storage medium. As a first embodiment, when the computer storage medium is located in an electronic device, the computer instructions are executed by a processor to implement any of the above security protection methods.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or at least two units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
It should be noted that: the technical solutions described in the embodiments of the present application can be arbitrarily combined without conflict.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of security protection, the method comprising:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
2. The method according to claim 1, wherein a kernel driver module is arranged in a kernel of the physical machine, and the kernel driver module is used for providing a virtual key creation interface;
the sending of the creation instruction to the main board of the physical machine includes:
calling the virtual key creation interface provided by the kernel driver module, and sending the creation instruction to the motherboard of the physical machine.
3. The method of claim 2, wherein the method further comprises:
calling the virtual key creation interface provided by the kernel driver module, and sending a deletion instruction to the motherboard of the physical machine, wherein the deletion instruction is used for triggering the motherboard of the physical machine to execute one of the following operations:
deleting all virtual keys;
deleting one or more specified virtual keys.
4. The method of any of claims 1-3, wherein the virtual machine has virtual UEFI firmware on a virtual motherboard;
the loading the target virtual key on the virtual machine includes:
and when the virtual machine is created, loading the target virtual key on virtual UEFI firmware of the virtual machine.
5. A method of security protection, the method comprising:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
6. The method of claim 5, wherein a kernel driver module is arranged in a kernel of the physical machine, and the kernel driver module is used for providing a virtual key creation interface;
the receiving of the creation instruction sent by the virtual machine monitoring module includes:
and receiving a creation instruction sent by the virtual machine monitoring module through a virtual key creation interface provided by the kernel driver module.
7. The method of claim 6, wherein the method further comprises:
receiving a deletion instruction sent by the virtual machine monitoring module through the virtual key creation interface provided by the kernel driver module;
and in response to the deleting instruction, deleting all the virtual keys or deleting one or more specified virtual keys on the main board of the physical machine.
8. The method of any of claims 5 to 7, wherein the physical machine has UEFI firmware on a motherboard and a physical key located on the UEFI firmware;
the creating one or more virtual keys on the motherboard of the physical machine includes:
creating one or more virtual keys on a motherboard of the physical machine based on a physical key on the UEFI firmware.
9. A method of security protection, the method comprising:
a virtual machine receives a load instruction for a target program, wherein a target virtual key from a motherboard of a physical machine has been loaded on the virtual machine;
and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
10. The method of claim 9, wherein the target virtual key is a public key;
the performing security verification on the target program by using the target virtual key and determining whether to load the target program based on a verification result includes:
performing security verification on the target program by using the public key to obtain a verification result;
if the verification result is that the verification is successful, loading the target program by the virtual UEFI firmware of the virtual machine;
and if the verification result is verification failure, the virtual UEFI firmware of the virtual machine refuses to load the target program.
11. An electronic device, characterized in that the electronic device comprises: a processor and a memory for storing executable instructions capable of running on the processor,
wherein the processor is configured to execute the executable instructions to perform the steps of the method of any one of claims 1 to 10.
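The procedure claimed above can be walked through end to end: creation and deletion of virtual keys on the physical motherboard (claims 5 to 8), loading of the target virtual key into the virtual UEFI firmware when the VM is created (claim 4), and signature verification before a target program is loaded (claims 9 and 10); the same roles appear as the units of figs. 6 and 7 in the device embodiments. The Go program below is an added example, not code from the patent or from Lenovo. It assumes an Ed25519 key pair as the physical key, an endorsement signature by the physical key as the way a virtual key is created "based on" the physical key, and a signature over the SHA-256 digest of the program image as the security verification; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Motherboard models the physical machine's motherboard. It holds the physical
// key (an Ed25519 key pair standing in for the key in the physical UEFI
// firmware; hypothetical) and the virtual keys created from it.
type Motherboard struct {
	physicalPub  ed25519.PublicKey
	physicalPriv ed25519.PrivateKey
	virtualKeys  map[string]*VirtualKey
	nextID       int
}

// VirtualKey is one virtual key on the motherboard. The private half never
// leaves the motherboard; the public half plus an endorsement signed by the
// physical key is what a VM receives as its target virtual key.
type VirtualKey struct {
	ID          string
	Pub         ed25519.PublicKey
	priv        ed25519.PrivateKey
	Endorsement []byte // physical-key signature over ID || Pub
}

func NewMotherboard() (*Motherboard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Motherboard{physicalPub: pub, physicalPriv: priv, virtualKeys: map[string]*VirtualKey{}}, nil
}

// PhysicalPublicKey is the trust anchor provisioned into a VM's virtual UEFI
// firmware so that it accepts only keys endorsed by this motherboard.
func (m *Motherboard) PhysicalPublicKey() ed25519.PublicKey { return m.physicalPub }

func endorsementMessage(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), pub...)
}

// CreateVirtualKeys handles the creation instruction: n virtual keys are
// created, each endorsed by the physical key, and their identifiers returned.
func (m *Motherboard) CreateVirtualKeys(n int) ([]string, error) {
	ids := make([]string, 0, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		id := fmt.Sprintf("vkey-%d", m.nextID)
		m.nextID++
		m.virtualKeys[id] = &VirtualKey{ID: id, Pub: pub, priv: priv,
			Endorsement: ed25519.Sign(m.physicalPriv, endorsementMessage(id, pub))}
		ids = append(ids, id)
	}
	return ids, nil
}

// DeleteVirtualKeys handles the deletion instruction: an empty list deletes
// all virtual keys, otherwise only the listed ones are deleted.
func (m *Motherboard) DeleteVirtualKeys(ids []string) {
	if len(ids) == 0 {
		m.virtualKeys = map[string]*VirtualKey{}
		return
	}
	for _, id := range ids {
		delete(m.virtualKeys, id)
	}
}

// TargetKey returns the loadable form of a virtual key: public half and
// endorsement only, never the private half.
func (m *Motherboard) TargetKey(id string) (*VirtualKey, error) {
	k, ok := m.virtualKeys[id]
	if !ok {
		return nil, errors.New("no such virtual key: " + id)
	}
	return &VirtualKey{ID: k.ID, Pub: k.Pub, Endorsement: k.Endorsement}, nil
}

// SignProgram signs the SHA-256 digest of a program image with a virtual key's
// private half; this is how an image becomes loadable by a VM holding the key.
func (m *Motherboard) SignProgram(id string, image []byte) ([]byte, error) {
	k, ok := m.virtualKeys[id]
	if !ok {
		return nil, errors.New("no such virtual key: " + id)
	}
	digest := sha256.Sum256(image)
	return ed25519.Sign(k.priv, digest[:]), nil
}

// VirtualUEFI models the virtual UEFI firmware on the VM's virtual motherboard.
type VirtualUEFI struct {
	anchor ed25519.PublicKey // physical public key, provisioned at VM creation
	target *VirtualKey
}

func NewVirtualUEFI(anchor ed25519.PublicKey) *VirtualUEFI { return &VirtualUEFI{anchor: anchor} }

// LoadTargetKey runs when the VM is created: the endorsement is checked first,
// so a key not created by the physical machine's motherboard is rejected.
func (v *VirtualUEFI) LoadTargetKey(k *VirtualKey) error {
	if !ed25519.Verify(v.anchor, endorsementMessage(k.ID, k.Pub), k.Endorsement) {
		return errors.New("target virtual key endorsement does not verify against physical key")
	}
	v.target = k
	return nil
}

// HandleLoadInstruction performs the security verification: true (load) only
// if the signature over the image digest verifies with the target virtual key.
func (v *VirtualUEFI) HandleLoadInstruction(image, sig []byte) (bool, error) {
	if v.target == nil {
		return false, errors.New("no target virtual key loaded")
	}
	digest := sha256.Sum256(image)
	return ed25519.Verify(v.target.Pub, digest[:], sig), nil
}
```

Two checks carry the security value here. The endorsement check in LoadTargetKey ties every virtual key back to the physical key, so a VM cannot be handed an arbitrary public key that merely claims to come from the motherboard; and TargetKey strips the private half, so the signing capability stays on the physical machine while the VM only ever verifies. A tampered image, an image signed with a different virtual key, and a key endorsed by a different motherboard are all refused.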
CN201911349197.9A 2019-12-24 2019-12-24 Safety protection method and electronic equipment Active CN111159716B (en)

Publications (2)

Publication Number Publication Date
CN111159716A CN111159716A (en) 2020-05-15
CN111159716B true CN111159716B (en) 2022-03-25

Family

ID=70557871

Country Status (1)

Country Link
CN (1) CN111159716B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant