CN112433824A - Virtualization implementation architecture of password equipment - Google Patents

Virtualization implementation architecture of password equipment

Info

Publication number: CN112433824A
Authority: CN (China)
Prior art keywords: user, password, kernel, virtual machine, interface
Legal status: Granted
Application number: CN202011575763.0A
Other languages: Chinese (zh)
Other versions: CN112433824B (en)
Inventors: 贾小松, 孙先友, 张立宾
Current assignee: Zhengzhou Xinda Institute of Advanced Technology
Original assignee: Zhengzhou Xinda Institute of Advanced Technology
Application filed by Zhengzhou Xinda Institute of Advanced Technology
Priority to CN202011575763.0A
Publication of CN112433824A; application granted; publication of CN112433824B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention provides a virtualization implementation framework for a cryptographic device, comprising an application program interface, the Linux user-space crypto interface cryptodev, the Linux Kernel Crypto Framework, the I/O paravirtualization program Virtio-Crypto, a QEMU emulator, a cryptographic card interface and a physical cryptographic device driver. The application program interface sends the user's cryptographic service request; the Linux user-space crypto interface cryptodev passes the user's cryptographic service request to the kernel mode of the user virtual machine; the Linux Kernel Crypto Framework manages the cryptographic algorithms and provides a data processing interface through which the kernel mode of the user virtual machine calls them; the I/O paravirtualization program Virtio-Crypto sends the user's cryptographic service request from the Linux Kernel Crypto Framework to the QEMU emulator; and the QEMU emulator calls the cryptographic card interface to access the physical cryptographic device driver according to the user's cryptographic service request, so as to provide the cryptographic service.

Description

Virtualization implementation architecture of password equipment
Technical Field
The invention relates to the field of information security, and in particular to a virtualization implementation framework for a cryptographic device.
Background
Existing ways of providing cryptographic services fall into two modes. The first, providing cryptographic services from the cloud, has the advantages of high computing performance, strong system scalability, a cryptographic operation process and user data that remain under control, and adaptability to different types of cloud computing environment such as private, public and hybrid clouds; its drawbacks are a complex system structure and service initialization process, high system deployment cost, and being suited to providing security services for large-scale cloud platforms. The second mode, in which the business cloud platform provides the cryptographic services itself, has the advantages of high computing speed, a simple structure and protocol flow, and low deployment cost.
To address the above problems, people have been seeking an ideal technical solution.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a virtualization implementation architecture for a cryptographic device.
To achieve this, the invention adopts the following technical scheme. A virtualization implementation architecture for a cryptographic device comprises an application program interface, the Linux user-space crypto interface cryptodev, the Linux Kernel Crypto Framework, the I/O paravirtualization program Virtio-Crypto, a QEMU emulator, a cryptographic card interface and a physical cryptographic device driver, where:
the application program interface is deployed in the user mode of the user virtual machine and sends the user's cryptographic service request;
the Linux user-space crypto interface cryptodev is deployed in the user virtual machine and connects the user mode of the user virtual machine with its kernel mode, so as to pass the user's cryptographic service request to the kernel mode of the user virtual machine;
the Linux Kernel Crypto Framework is deployed in the kernel mode of the user virtual machine, manages the cryptographic algorithms, and provides a data processing interface through which the kernel mode of the user virtual machine calls them;
the I/O paravirtualization program Virtio-Crypto consists of a front-end driver module and a back-end handler; the front-end driver module is deployed in the Linux Kernel Crypto Framework and the back-end handler in the QEMU emulator, and together they send the user's cryptographic service request from the Linux Kernel Crypto Framework to the QEMU emulator;
the cryptographic card interface is deployed in the host user mode and accesses the physical cryptographic device driver;
the physical cryptographic device driver is deployed in the host kernel mode, drives the physical cryptographic device and provides the cryptographic service;
and the QEMU emulator is deployed in the host user mode and calls the cryptographic card interface to access the physical cryptographic device driver according to the user's cryptographic service request.
Compared with the prior art, the invention has outstanding substantive features and marked progress. In particular, it provides a virtualization mode for a cryptographic device built from an application program interface, the Linux user-space crypto interface cryptodev, the Linux Kernel Crypto Framework, the I/O paravirtualization program Virtio-Crypto, a QEMU emulator, a cryptographic card interface and a physical cryptographic device driver, so that a user can directly manage and use the cryptographic device inside their own virtual machine through an API (application programming interface), with no additional network overhead or management layers. In this virtualization mode the life cycle of the virtual cryptographic device coincides with that of the user virtual machine: the virtual cryptographic device is allocated and reclaimed directly when the user virtual machine starts and stops, so there is no problem of reclaiming intermediate resources; the virtual cryptographic device is exclusive to the user for its whole life cycle, so there is no problem of replacing keys midway, and system deployment cost is therefore low. Because address isolation is applied when the hardware is allocated, the virtual cryptographic device is not shared with other users in the cloud environment, which gives higher security and makes it suitable for dedicated private clouds with stricter security requirements.
In this virtualization mode, cryptodev can also realize hardware acceleration, and zero-copy of data is realized in Virtio, so acceleration is achieved at each stage.
Drawings
Fig. 1 is a schematic diagram of the virtualization implementation architecture of a cryptographic device according to the present invention.
Detailed Description
The technical solution of the present invention is further described in detail through the following embodiment.
Example 1
As shown in Fig. 1, this embodiment provides a virtualization implementation architecture for a cryptographic device, comprising an application program interface App (API), the Linux user-space crypto interface cryptodev, the Linux Kernel Crypto Framework, the I/O paravirtualization program Virtio-Crypto, QEMU, a cryptographic card interface USER API, and a physical cryptographic device driver "Driver for Linux", where:
the application program interface APP (API) is deployed in the user mode (Guest user space) of the user virtual machine and sends the user's cryptographic service request;
the Linux user-space crypto interface cryptodev is deployed in the user virtual machine and connects the user mode (Guest user space) of the user virtual machine with its kernel mode (Guest kernel space), so as to pass the user's cryptographic service request to the kernel mode (Guest kernel space) of the user virtual machine;
the Linux Kernel Crypto Framework is configured in the kernel mode (Guest kernel space) of the user virtual machine, manages the cryptographic algorithms, and provides a data processing interface through which the kernel mode of the user virtual machine calls them;
the I/O paravirtualization program Virtio-Crypto consists of a front-end driver module and a back-end handler; the front-end driver module is deployed in the Linux Kernel Crypto Framework and the back-end handler in the QEMU emulator, and together they send the user's cryptographic service request from the Linux Kernel Crypto Framework to the QEMU emulator;
the cryptographic card interface USER API is deployed in the host user mode and accesses the physical cryptographic device driver;
the physical cryptographic device driver "Driver for Linux" is deployed in the host kernel mode (Host kernel space), drives the physical cryptographic device and provides the cryptographic service;
the QEMU emulator is deployed in the host user mode (Host user space) and calls the cryptographic card interface to access the physical cryptographic device driver according to the user's cryptographic service request.
Specifically, the workflow of the virtualization implementation architecture includes the following steps:
the user sends a cryptographic service request through the application program interface APP (API);
after receiving the user's cryptographic service request, cryptodev-linux passes it to the kernel mode (Guest kernel space) of the user virtual machine;
the kernel mode (Guest kernel space) of the user virtual machine calls a cryptographic algorithm in the Linux Kernel Crypto Framework to process the user's cryptographic service request;
the front-end driver module of the I/O paravirtualization program Virtio-Crypto obtains the user's cryptographic service request from the Linux kernel crypto framework and sends it, through an intermediate communication module, to the back-end handler of the I/O paravirtualization program Virtio;
and the QEMU emulator intercepts the user's cryptographic service request and calls the cryptographic card interface to access the underlying physical cryptographic device, which provides the cryptographic service.
Specifically, cryptodev is an implementation of the Linux crypto interface: it is built on the native Linux crypto interface, requires no modification of any hardware driver, executes encryption efficiently, is simpler to compile and install, and can be used simply by loading the cryptodev module.
When cryptodev is used, it is deployed in the user virtual machine as a device that connects directly to the Linux kernel crypto framework, linking user mode with kernel mode, so that the hardware acceleration capability can be fully exploited from user space. On the user-mode side of the virtual machine, the user accesses cryptodev through the API (application programming interface) provided by a dynamic library; this user API is compatible with the OpenBSD user-mode API, and cryptodev thus provides a standard way for an application program in the user mode of the user virtual machine to access the cryptographic resources of the kernel layer.
The Linux Kernel Crypto Framework is a general cryptographic algorithm framework implemented by the kernel to provide the kernel's cryptographic resources. It is an independent subsystem whose source code is located under kernel/crypto; it manages the algorithms uniformly and provides a unified data processing interface for other subsystems to use. On the basis of this framework, a user can add, as required, cryptographic algorithms that are implemented by the physical cryptographic device to the Linux kernel crypto framework, and the Linux kernel crypto framework is loaded into the kernel mode of the user virtual machine at system startup.
The Linux Kernel Crypto Framework passes the user's cryptographic service request to the host through the front-end and back-end drivers of virtio.
Virtio is an I/O (input/output) paravirtualization solution: a set of programs for virtualizing general I/O devices, and an abstraction of a group of general I/O devices in a paravirtualized hypervisor. It provides a communication framework and programming interfaces between upper-layer applications and each hypervisor's virtual devices, reduces cross-platform compatibility problems, and greatly improves driver development efficiency.
Virtio implements its I/O mechanism with virtqueues. Each virtqueue is a queue that carries a large amount of data, and the number of virtqueues can be adjusted dynamically as required. A virtqueue is a simple structure identifying an optional callback function, a reference to the virtual device, a reference to the virtqueue operations, and a priv reference for the driver's own use.
In the specific implementation, Virtio consists of a front-end driver module Virtio-FE Driver and a back-end handler Virtio-BE Driver; the front-end driver module Virtio-FE Driver lives in the virtual machine and the back-end handler Virtio-BE Driver lives in QEMU.
An intermediate layer is also defined between the front-end driver module Virtio-FE Driver and the back-end handler Virtio-BE Driver to support communication between the virtual machine and QEMU.
On any virtualization platform the virtual machine runs in host memory, that is, host and virtual machine share the same block of memory, so data need not be copied between different areas of that memory block; only a simple address remapping is required. Zero-copy of data is thus achieved in Virtio. Taking network transmission as an example, after the host receives a packet it forwards it according to the destination MAC address, which in essence shares the data with the user-space application, namely QEMU, thereby realizing communication between the host and the virtual machine.
QEMU intercepts the user request in the host user mode and calls the real cryptographic card interface USER API to access the underlying physical cryptographic device.
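As an added illustration (not code from the patent), the following Python model follows the request path described in the workflow steps and the zero-copy passage above: the Virtio-Crypto front end posts a descriptor chain on a virtqueue, the QEMU back end checks every descriptor against the VM's own memory region (the address isolation the patent relies on), remaps guest addresses instead of copying, and hands the data to a stand-in for the physical cryptographic card. Class names, status codes, the descriptor layout and the SHA-256-only card are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, field

OP_SHA256 = 1        # the one cryptographic service the stand-in card offers (assumption)
STATUS_OK = 0        # status values are this model's own, not the virtio-crypto spec's
STATUS_BADMSG = 1    # request refused: bad opcode or a descriptor outside this VM's memory


@dataclass
class GuestMemory:
    """One VM's RAM as the host sees it: a byte buffer mapped at a guest-physical base."""
    gpa_base: int
    ram: bytearray

    def contains(self, gpa: int, length: int) -> bool:
        return self.gpa_base <= gpa and gpa + length <= self.gpa_base + len(self.ram)

    def remap(self, gpa: int, length: int) -> memoryview:
        """Address remapping instead of copying: a view into the VM's RAM (the zero-copy step)."""
        if not self.contains(gpa, length):
            raise ValueError("descriptor outside guest memory")
        off = gpa - self.gpa_base
        return memoryview(self.ram)[off:off + length]


@dataclass
class Descriptor:
    gpa: int                     # guest-physical address of the buffer
    length: int
    device_writes: bool = False  # False: device reads the buffer; True: device writes it


@dataclass
class Virtqueue:
    """Descriptor chains posted by the front end and consumed by the back end."""
    pending: list = field(default_factory=list)   # entries: (opcode, [Descriptor, ...])


class VirtioCryptoFrontEnd:
    """Guest-kernel side: turns a kernel crypto request into a descriptor chain."""
    def __init__(self, vq: Virtqueue):
        self.vq = vq

    def submit(self, opcode, src_gpa, src_len, dst_gpa, dst_len):
        chain = [Descriptor(src_gpa, src_len), Descriptor(dst_gpa, dst_len, True)]
        self.vq.pending.append((opcode, chain))


class CryptoCardStandIn:
    """Stand-in for the host-kernel driver of the physical card (assumption: SHA-256 only)."""
    def digest(self, data: memoryview) -> bytes:
        return hashlib.sha256(data).digest()


class VirtioCryptoBackEnd:
    """QEMU side: checks every descriptor against *this* VM's memory before touching it."""
    def __init__(self, vq: Virtqueue, mem: GuestMemory, card: CryptoCardStandIn):
        self.vq, self.mem, self.card = vq, mem, card

    def kick(self) -> list:
        statuses = [self._handle(op, chain) for op, chain in self.vq.pending]
        self.vq.pending.clear()
        return statuses

    def _handle(self, opcode: int, chain: list) -> int:
        # Isolation check first: whatever the guest wrote into the descriptors, the back end
        # must never dereference an address that lies outside this VM's own memory region.
        if opcode != OP_SHA256 or any(not self.mem.contains(d.gpa, d.length) for d in chain):
            return STATUS_BADMSG
        src, dst = chain
        out = self.card.digest(self.mem.remap(src.gpa, src.length))
        if dst.length < len(out):
            return STATUS_BADMSG
        self.mem.remap(dst.gpa, len(out))[:] = out   # result lands in guest RAM directly
        return STATUS_OK


def run_request(message: bytes, dst_gpa: int = 0x2000):
    """Drive one request end to end; returns (status, digest as read back by the guest)."""
    mem = GuestMemory(gpa_base=0x1000, ram=bytearray(0x2000))   # 8 KiB of guest RAM, constructed
    src_gpa = 0x1000
    mem.remap(src_gpa, len(message))[:] = message                # the guest app's input buffer
    vq = Virtqueue()
    VirtioCryptoFrontEnd(vq).submit(OP_SHA256, src_gpa, len(message), dst_gpa, 32)
    status = VirtioCryptoBackEnd(vq, mem, CryptoCardStandIn()).kick()[0]
    result = bytes(mem.remap(dst_gpa, 32)) if status == STATUS_OK else b""
    return status, result
```

`run_request(b"abc")` returns the SHA-256 digest written into the guest's own buffer; a destination descriptor outside the VM's 8 KiB region (for example `dst_gpa=0x4000`) is refused with `STATUS_BADMSG` instead of being dereferenced.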
Finally, it should be noted that the above embodiment is only used to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to a preferred embodiment, those skilled in the art will understand that modifications may be made to the specific embodiment, or equivalent substitutions made for some of its technical features, without departing from the spirit of the present invention as defined by the appended claims.

Claims (2)

1. A virtualization implementation architecture for a cryptographic device, characterized in that it comprises an application program interface, the Linux user-space crypto interface cryptodev, the Linux Kernel Crypto Framework, the I/O paravirtualization program Virtio-Crypto, a QEMU emulator, a cryptographic card interface and a physical cryptographic device driver, where:
the application program interface is deployed in the user mode of the user virtual machine and sends the user's cryptographic service request;
the Linux user-space crypto interface cryptodev is deployed in the user virtual machine and connects the user mode of the user virtual machine with its kernel mode, so as to pass the user's cryptographic service request to the kernel mode of the user virtual machine;
the Linux Kernel Crypto Framework is deployed in the kernel mode of the user virtual machine, manages the cryptographic algorithms, and provides a data processing interface through which the kernel mode of the user virtual machine calls them;
the I/O paravirtualization program Virtio-Crypto consists of a front-end driver module and a back-end handler; the front-end driver module is deployed in the Linux Kernel Crypto Framework and the back-end handler in the QEMU emulator, and together they send the user's cryptographic service request from the Linux Kernel Crypto Framework to the QEMU emulator;
the cryptographic card interface is deployed in the host user mode and accesses the physical cryptographic device driver;
the physical cryptographic device driver is deployed in the host kernel mode, drives the physical cryptographic device and provides the cryptographic service;
and the QEMU emulator is deployed in the host user mode and calls the cryptographic card interface to access the physical cryptographic device driver according to the user's cryptographic service request.
2. The virtualization implementation architecture of a cryptographic device according to claim 1, characterized in that the user can add, as required, cryptographic algorithms that are implemented by the physical cryptographic device to the Linux kernel crypto framework, and the Linux kernel crypto framework is loaded into the kernel mode of the user virtual machine at system startup.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011575763.0A CN112433824B (en) 2020-12-28 2020-12-28 Virtualized implementation architecture of password equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011575763.0A CN112433824B (en) 2020-12-28 2020-12-28 Virtualized implementation architecture of password equipment

Publications (2)

Publication Number Publication Date
CN112433824A true CN112433824A (en) 2021-03-02
CN112433824B CN112433824B (en) 2023-06-20

Family

ID=74697003

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011575763.0A Active CN112433824B (en) 2020-12-28 2020-12-28 Virtualized implementation architecture of password equipment

Country Status (1)

Country Link
CN (1) CN112433824B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113626156A (en) * 2021-10-14 2021-11-09 云宏信息科技股份有限公司 Encryption method and system for virtual machine disk and computer readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101968746A (en) * 2010-09-02 2011-02-09 北京航空航天大学 Method for implementing organizational architecture mode of kernel-based virtual machine (KVM)
CN104461678A (en) * 2014-11-03 2015-03-25 中国科学院信息工程研究所 Method and system for providing password service in virtualized environment
CN105184154A (en) * 2015-09-15 2015-12-23 中国科学院信息工程研究所 System and method for providing cryptogrammic operation service in virtualized environment
US20160366130A1 (en) * 2015-02-10 2016-12-15 Electronics And Telecommunications Research Institute Apparatus and method for providing security service based on virtualization
CN107634950A (en) * 2017-09-19 2018-01-26 重庆大学 A method for designing SSL/TLS protocol offloading with pipelined hardware
CN111782344A (en) * 2020-07-02 2020-10-16 北京数字认证股份有限公司 Method and system for providing password resources and host machine

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101968746A (en) * 2010-09-02 2011-02-09 北京航空航天大学 Method for implementing organizational architecture mode of kernel-based virtual machine (KVM)
CN104461678A (en) * 2014-11-03 2015-03-25 中国科学院信息工程研究所 Method and system for providing password service in virtualized environment
US20160366130A1 (en) * 2015-02-10 2016-12-15 Electronics And Telecommunications Research Institute Apparatus and method for providing security service based on virtualization
CN105184154A (en) * 2015-09-15 2015-12-23 中国科学院信息工程研究所 System and method for providing cryptogrammic operation service in virtualized environment
US20180232519A1 (en) * 2015-09-15 2018-08-16 Institute Of Information Engineering, Chinese Academy Of Sciences System and method for providing cryptographic operation service in virtualization environment
CN107634950A (en) * 2017-09-19 2018-01-26 重庆大学 A method for designing SSL/TLS protocol offloading with pipelined hardware
CN111782344A (en) * 2020-07-02 2020-10-16 北京数字认证股份有限公司 Method and system for providing password resources and host machine

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
姚华超, 王振宇: "Construction of a virtualization resource pool based on KVM-QEMU and Libvirt" (基于KVM-QEMU与Libvirt的虚拟化资源池构建), 计算机与现代化 (Computer and Modernization) *
苏振宇: "Research and implementation of cryptographic card virtualization technology" (密码卡虚拟化技术研究与实现), 集成技术 (Journal of Integration Technology) *
谢玉华: "Application optimization of the ARM cryptographic engine in the web server domain" (ARM加密引擎在WebServer领域的应用优化), 中国优秀硕士学位论文全文数据库-信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology) *

Also Published As

Publication number Publication date
CN112433824B (en) 2023-06-20

Similar Documents

Publication Publication Date Title
US9201704B2 (en) System and method for migrating application virtual machines in a network environment
CN108228316B (en) Method and device for virtualizing password device
KR101956411B1 (en) Delivering a single end user experience to a client from multiple servers
CA3101982C (en) Domain pass-through authentication in a hybrid cloud environment
US9344334B2 (en) Network policy implementation for a multi-virtual machine appliance within a virtualization environment
Baratto et al. Mobidesk: mobile virtual desktop computing
EP2831732B1 (en) System and method for supporting live migration of virtual machines in an infiniband network
JP5275407B2 (en) Method for network interface shared by multiple virtual machines
US9225596B2 (en) Undifferentiated service domains
US7743107B2 (en) System and method for using remote module on VIOS to manage backups to remote backup servers
CN100399273C (en) System of virtual machine, and method for configuring hardware
US20130254368A1 (en) System and method for supporting live migration of virtual machines in an infiniband network
US20080189432A1 (en) Method and system for vm migration in an infiniband network
CN113242175B (en) Storage gateway based on SPDK and implementation method thereof
CN112433824B (en) Virtualized implementation architecture of password equipment
US20230138867A1 (en) Methods for application deployment across multiple computing domains and devices thereof
Guay et al. Early experiences with live migration of SR-IOV enabled InfiniBand
US20150373478A1 (en) Virtual machine based on a mobile device
US20240126580A1 (en) Transparently providing virtualization features to unenlightened guest operating systems
LU500447B1 (en) Nested isolation host virtual machine
CN114978589B (en) Lightweight cloud operating system and construction method thereof
US11924336B1 (en) Cryptographic artifact generation using virtualized security modules
US20240184611A1 (en) Virtual baseboard management controller capability via guest firmware layer
WO2024081072A1 (en) Transparently providing virtualization features to unenlightened guest operating systems
CN117608746A (en) Virtual machine network equipment creation method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant