CN113342467B

CN113342467B - Virtual machine snapshot storage and reading method and device and related equipment

Info

Publication number: CN113342467B
Application number: CN202110694868.6A
Authority: CN
Inventors: 徐本煜; 冯浩; 应志伟
Original assignee: Haiguang Information Technology Co Ltd
Current assignee: Haiguang Information Technology Co Ltd
Priority date: 2021-06-22
Filing date: 2021-06-22
Publication date: 2023-12-05
Anticipated expiration: 2041-06-22
Also published as: CN113342467A

Abstract

The embodiment of the application provides a virtual machine snapshot storage and reading method, a device and related equipment, wherein the virtual machine snapshot storage method comprises the following steps: generating a TEK, and generating a KEK; encrypting at least the TEK based on the KEK to obtain key encryption information; encrypting the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine; and storing the key encryption information and the encryption snapshot content in a virtual machine snapshot of the target virtual machine, wherein the virtual machine snapshot is written into a virtual machine image file of the target virtual machine. The embodiment of the application can improve the security of the virtual machine snapshot.

Description

Virtual machine snapshot storage and reading method and device and related equipment

Technical Field

The embodiment of the application relates to the technical field of virtual machines, in particular to a method and a device for storing and reading snapshots of a virtual machine and related equipment.

Background

Through Virtualization technology (Virtualization), a physical host Machine can virtualize a plurality of Virtual Machines (VMs), so that hardware resources of the physical host Machine are efficiently utilized. The virtualized virtual machines can allocate virtual machine memory in the physical memory, and the virtual machine memory of each virtual machine is mainly used for task consumption and supporting virtualization.

The state of the virtual machine at a certain point in time can be saved through the virtual machine snapshot, so as to be used for backup and recovery of the virtual machine data. Therefore, when the virtual machine snapshot is saved, a security protection scheme of the virtual machine snapshot needs to be provided so as to improve the security of the virtual machine snapshot.

Disclosure of Invention

In view of this, the embodiments of the present application provide a method, a device and a related device for saving and reading a snapshot of a virtual machine, so as to improve security of the snapshot of the virtual machine.

In order to achieve the above purpose, the embodiment of the present application provides the following technical solutions.

In a first aspect, an embodiment of the present application provides a method for saving a snapshot of a virtual machine, which is applied to a secure processor, and the method includes:

generating a TEK, and generating a KEK;

encrypting at least the TEK based on the KEK to obtain key encryption information; encrypting the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine;

and storing the key encryption information and the encryption snapshot content in a virtual machine snapshot of the target virtual machine, wherein the virtual machine snapshot is written into a virtual machine image file of the target virtual machine.

In a second aspect, an embodiment of the present application provides a method for reading a snapshot of a virtual machine, which is applied to a secure processor, and the method includes:

Obtaining a virtual machine snapshot of a target virtual machine, wherein the virtual machine snapshot comprises encrypted snapshot content and key encryption information;

recovering the KEK;

decrypting the key encryption information based on the KEK to obtain a TEK;

and decrypting the encrypted snapshot content based on the TEK to obtain the snapshot content of the target virtual machine.

In a third aspect, an embodiment of the present application provides a virtual machine snapshot saving device, applied to a secure processor, where the device includes:

the key generation module is used for generating a TEK and generating a KEK;

the encryption module is used for encrypting at least the TEK based on the KEK to obtain key encryption information; encrypting the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine;

and the storage module is used for storing the key encryption information and the encryption snapshot content in a virtual machine snapshot of the target virtual machine, wherein the virtual machine snapshot is written into a virtual machine image file of the target virtual machine.

In a fourth aspect, an embodiment of the present application provides a virtual machine snapshot reading device, applied to a secure processor, where the device includes:

the system comprises an acquisition module, a storage module and a storage module, wherein the acquisition module is used for acquiring a virtual machine snapshot of a target virtual machine, and the virtual machine snapshot comprises encrypted snapshot content and key encryption information;

A recovery module for recovering the KEK;

the key decryption module is used for decrypting the key encryption information based on the KEK to obtain the TEK;

and the snapshot decryption module is used for decrypting the encrypted snapshot content based on the TEK to obtain the snapshot content of the target virtual machine.

In a fifth aspect, embodiments of the present application provide a secure processor configured to perform the virtual machine snapshot saving method as described in the first aspect, and the virtual machine snapshot reading method as described in the second aspect.

In a sixth aspect, an embodiment of the present application provides an electronic device, including a security processor as described in the fifth aspect.

According to the virtual machine snapshot storage method provided by the embodiment of the application, the security processor can generate the TEK for encrypting the snapshot content and the KEK for encrypting the TEK; therefore, when the virtual machine snapshot of the target virtual machine needs to be stored, the secure processor can encrypt the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine. In order to realize encryption protection of the TEK, the secure processor may further encrypt at least the TEK based on the KEK to obtain key encryption information. Furthermore, the encrypted snapshot content and the key encryption information can be stored in a virtual machine snapshot of the target virtual machine, and the virtual machine snapshot can be written into a virtual machine image file of the target virtual machine, so that the virtual machine snapshot of the target virtual machine can be stored. Therefore, the method for storing the snapshot of the virtual machine can store the snapshot content in the ciphertext form in the snapshot of the virtual machine, reduce the condition that configuration and data related to the virtual machine are stolen through the snapshot content of the virtual machine, and effectively reduce the condition that the data of the virtual machine are tampered. Meanwhile, by storing the encryption key information obtained by encrypting at least the TEK in the virtual machine snapshot, the security protection of the TEK can be realized, and when the virtual machine snapshot is read later, the TEK can be recovered by decrypting the encryption key information, so that the decryption and the reading of the encrypted snapshot content can be realized.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.

FIG. 1a is a schematic diagram of a system architecture of a virtualization technology.

FIG. 1b is a schematic diagram of a system architecture of a secure virtualization technology.

Fig. 2a is a flowchart of a method for saving a snapshot of a virtual machine according to an embodiment of the present application.

Fig. 2b is a schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

FIG. 3a is a flow chart of generating a KEK according to an embodiment of the present application.

Fig. 3b is another schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

Fig. 3c is a schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

Fig. 3d is a flowchart of integrity protecting key encryption information according to an embodiment of the present application.

Fig. 3e is a further schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

Fig. 4a is a flowchart of integrity protecting policy information of a target virtual machine according to an embodiment of the present application.

Fig. 4b is a schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

Fig. 4c is a further schematic diagram of a data structure of a virtual machine snapshot according to an embodiment of the present application.

Fig. 5 is another flowchart of a virtual machine snapshot saving method according to an embodiment of the present application.

Fig. 6a is a flowchart of a method for reading a snapshot of a virtual machine according to an embodiment of the present application.

Fig. 6b is another flowchart of a virtual machine snapshot reading method according to an embodiment of the present application.

Fig. 7 is a block diagram of a virtual machine snapshot storage device according to an embodiment of the present application.

Fig. 8 is a block diagram of a virtual machine snapshot reading device according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

FIG. 1a is a schematic diagram of a system architecture illustrating virtualization technology, as shown in FIG. 1a, the system architecture may include: a CPU (Central Processing Unit ) 110, a memory controller 120, a physical memory 130, and a storage medium 140 (storage medium such as a magnetic disk).

Wherein, the CPU110 may configure the virtual machine platform 111 (e.g., virtual machine manager) in software form and virtualize a plurality of virtual machines 112 through a virtualization technology. The plurality of virtual machines may be managed by a virtual machine platform, such as virtual machine memory of the virtual machines in physical memory 130.

Memory controller 120 is hardware that controls physical memory 130 and causes data to be exchanged between physical memory 130 and CPU 110. Some or all of the space of physical memory 130 may be used as virtual machine memory allocated for the virtual machine.

The storage medium 140 may store a virtual machine snapshot of the virtual machine to preserve the state of the virtual machine 120 at a point in time. In some embodiments, the virtual machine snapshot mainly includes snapshot content, which may describe the state of the virtual machine at a certain point in time; also, the virtual machine snapshot may be contained in the virtual machine image file of the storage medium 140, i.e., the virtual machine snapshot is a snapshot portion of the virtual machine image file.

When the virtual machine snapshot is stored, the snapshot content of the virtual machine snapshot is stored in the virtual machine image file to be realized; when the virtual machine snapshot is read, the snapshot content of the virtual machine snapshot is mainly read from the virtual machine image file. In some embodiments, the storage medium 140 may store an Image Header (Image Header) of the virtual machine Image file, and the virtual machine platform 111 may obtain a snapshot Header (snapshot Header) by parsing the Image Header, and further obtain a virtual machine snapshot by parsing the snapshot Header (snapshot Header).

In some embodiments, the image file header may be saved at the beginning of the virtual machine image file. In other embodiments, the image header may not be stored at the beginning of the virtual machine image file, but rather the image header may be stored separately from the virtual machine image file. Under the condition that the image file header and the virtual machine image file are stored separately, the mapping relation or the corresponding relation between the image file header and the virtual machine image file can be recorded by using files such as a database file, a configuration file and the like, so that the image file header of the virtual machine image file can be found through the mapping relation or the corresponding relation recorded by the files when the virtual machine snapshot is read. That is, in a possible implementation, the information of the format, version, size, disk sector mapping information, disk sector reference information, number of virtual machine snapshots, snapshot header offset, etc. of the virtual machine image file corresponding to the image file header may be obtained by reading the image file header from the beginning of the virtual machine image file or other storage location (in the case where the image file header is stored separately from the virtual machine image file).

As can be seen, the virtual machine platform 111 can obtain the snapshot header offset through parsing the image file header; thereby finding a snapshot header in the storage medium according to the snapshot header offset; and further obtaining the virtual machine snapshot based on the content of the snapshot head. The snapshot header may correspond to contents such as a virtual machine snapshot format, a size, a version, disk sector mapping information, disk sector reference information, virtual machine state information, and the like.

It should be noted that, the same as the image file header and the virtual machine image file can be stored separately, the content such as the snapshot header offset can also be stored separately from the image file header, and the mapping relationship or the corresponding relationship between the snapshot header offset and the image file header is recorded through the files such as the database file, the configuration file and the like. Similarly, the content corresponding to the snapshot header, the content corresponding to the virtual machine snapshot, and the like may also be stored separately from the snapshot header and the virtual machine snapshot, and the mapping relationship or the corresponding relationship may be recorded through similar files.

In other possible implementations, virtual machine snapshots may also be stored in physical memory 130, and are not limited to being stored in storage medium 140. For example, virtual machine image files may be stored in physical memory 130 for the need to increase read and write speeds.

Because the virtual machine snapshot saves the state of the virtual machine at a certain point in time (e.g., the hardware state, the software state, the operating system state, the file system state, the memory state, etc. of the virtual machine at a certain point in time), if the virtual machine snapshot is saved in a plaintext form, an attacker (e.g., malware in a physical host) is very easy to obtain configuration and data related to the virtual machine through the virtual machine snapshot, thereby monitoring, copying, stealing or tampering with the virtual machine data. Therefore, the virtual machine snapshot is stored in a plaintext form, so that a safety protection scheme of the virtual machine snapshot needs to be provided, the virtual machine snapshot is stored in an encrypted mode, and the safety of the virtual machine snapshot is improved.

In some embodiments, secure virtualization techniques may be used to secure virtual machine data in virtual machine memory. On the basis of a secure virtualization technology, the embodiment of the application can realize the encryption storage of the snapshot of the virtual machine through perfect technology. FIG. 1b illustrates a system architecture diagram of a secure virtualization technique. As shown in conjunction with fig. 1a and 1b, the system architecture shown in fig. 1b may further include, compared to the system architecture shown in fig. 1 a: secure processor (Platform Secure Processor, PSP) 150, secure processor 150 is a processor responsible for data security specifically set by secure virtualization technology.

As shown in fig. 1b, the virtual machine platform 111 may configure an API (Application Programming Interface, application program interface) interface in communication with the secure processor 150 to enable data interaction of the virtual machine platform 111 with the secure processor 150. Meanwhile, the memory controller 120 may configure the encryption and decryption engine 121, where the encryption and decryption engine 121 may store VEKs (VM Encryption Key, virtual machine encryption keys) corresponding to each virtual machine, so as to encrypt and decrypt virtual machine data of each virtual machine in the memory of the virtual machine, thereby implementing security protection on the virtual machine data. For example, when the virtual machine data of the virtual machine needs to be read into the memory, the encryption and decryption engine 121 may encrypt the virtual machine data by using the corresponding VEK, and when the virtual machine data of the virtual machine needs to be sent from the memory to the CPU for processing, the encryption and decryption engine 121 may decrypt the virtual machine data by using the corresponding VEK.

In the secure virtualization technology, different virtual machines may correspond to different VEKs, and the VEKs corresponding to the respective virtual machines may be distributed and managed by the secure processor 150 and stored in the encryption and decryption engine 121. For example, the management of the VEK may be performed by secure firmware running in secure processor 150, so as to ensure that only the virtual machine itself can be accessed after the virtual machine data in the physical memory is encrypted, and that neither the virtual machine platform nor other virtual machines can be accessed.

The secure virtualization technology is a technology for performing secure protection on virtual machine data in a virtual machine memory, and is not suitable for performing encryption protection on a virtual machine snapshot at present. Based on the above, the embodiment of the application is perfect through the technology on the basis of the secure virtualization technology, so that the secure virtualization technology supports the encryption protection of the virtual machine snapshot.

As an optional implementation, fig. 2a schematically illustrates an optional flowchart of a method for saving a snapshot of a virtual machine according to an embodiment of the present application. In some embodiments, the process may be performed by a secure processor (e.g., secure firmware in the secure processor) in conjunction with a virtual machine platform. As shown in fig. 2a, the flow may include the following steps.

In step S210, the secure processor generates a TEK (Transport Encryption Key, transmission encryption key).

The TEK is an encryption key used for encrypting the snapshot content of the virtual machine, can be used for encrypting and protecting data transmission between the secure processor and a user of the virtual machine, and can be generated by the secure processor. Note that TEK is not equivalent to VEK allocated by the secure processor for the virtual machine. In some embodiments, the embodiments of the present application may utilize the TEK to encrypt snapshot contents of multiple virtual machines, respectively, where virtual machine data of the virtual machine in the memory is encrypted by using the VEK corresponding to the virtual machine.

In some embodiments, the secure processor may generate the TEK through a hardware true random number generator. A hardware true random number generator is a device that generates random numbers from physical processes rather than computer programs. For example, the secure processor may generate the TEK based on a random number generated by a hardware true random number generator. In some alternative implementations, the TEK may be in the form of an SM4 key, for example, the secure processor may generate the SM4 key based on a random number generated by a hardware true random number generator to obtain the TEK.

In step S211, the secure processor generates a KEK (Key Encryption Key ).

The KEK is a secret key used for encrypting the secret key in the embodiment of the application so as to ensure the security of the secret key, and the TEK can be generated by a security processor. In the embodiment of the present application, the KEK may encrypt at least the TEK generated in step S210, so as to ensure security of the TEK.

In some embodiments, the secure processor may generate the KEK based at least on the key agreement information. The key negotiation information may be information used by the secure processor to negotiate a key.

As an alternative implementation, step S210 and step S211 may be performed synchronously, and the two may be performed in no order.

In step S212, the secure processor encrypts at least the TEK based on the KEK, resulting in key encryption information (WRAP_TK).

In some embodiments, the secure processor may encrypt at least the TEK directly based on the KEK, resulting in key encryption information (wrap_tk). In other embodiments, the secure processor may encrypt at least the TEK based on the KEK and the first random number (warp_iv) generated by the hardware true random number generator to obtain the key encryption information (wrap_tk). Optionally, the first random number (WARP_IV) is different from the random number used to generate the TEK.

In step S213, the secure processor encrypts the snapshot content of the target virtual machine based on the TEK, to obtain the encrypted snapshot content of the target virtual machine.

The target virtual machine may be considered a virtual machine that currently needs to save a snapshot of the virtual machine. In some embodiments, the secure processor may encrypt the snapshot content of the target virtual machine directly based on the TEK, resulting in encrypted snapshot content of the target virtual machine. In other embodiments, the secure processor may encrypt the snapshot content of the target virtual machine based on the TEK and the first random number (warp_iv) to obtain the encrypted snapshot content of the target virtual machine. In an alternative implementation, the snapshot content of the target virtual machine may be transferred by the virtual machine platform to the secure processor. For example, the virtual machine platform may determine the state of the target virtual machine at a point in time, thereby obtaining snapshot content describing the state, and transmit the snapshot content to the secure processor.

When the virtual machine snapshot of the target virtual machine is stored, the security processor encrypts the snapshot content of the target virtual machine by using the TEK to obtain the encrypted snapshot content of the target virtual machine, and the security processor also provides security protection of the TEK. That is, the secure processor may also encrypt at least the TEK with the KEK to obtain key encryption information. For ease of description to follow, the key encryption information may be referred to using wrap_tk.

It should be noted that, after the embodiment of the present application completes the saving of the virtual machine snapshot and destroys the TEK, the secure processor may not be able to repeatedly generate the same TEK as in step S210 by using the hardware true random number generator, so that in order to ensure that the encrypted snapshot content of the target virtual machine can be decrypted when the virtual machine snapshot of the target virtual machine is read later, the embodiment of the present application may save the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine; therefore, the subsequent secure processor can decrypt the key encryption information (WRAP_TK) in the virtual machine snapshot by recovering the KEK to obtain the TEK used when the snapshot content is encrypted, and further the TEK is utilized to decrypt the encrypted snapshot content. In view of the foregoing, embodiments of the present application encrypt, in addition to the snapshot content of the target virtual machine based on the TEK, at least the TEK based on the KEK, and subsequently store the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine. In further embodiments, if the first random number (WARP_IV) is used in combination when obtaining the key encryption information (WRAP_TK) and/or obtaining the encrypted snapshot content, embodiments of the present application may also save the first random number (WARP_IV) in the virtual machine snapshot in the form of a plaintext.

In some embodiments, when the target virtual machine needs to save the virtual machine snapshot, the virtual machine platform may suspend the running target virtual machine, then encrypt the snapshot content of the target virtual machine by the secure processor, and resume running the target virtual machine by the virtual machine platform after the virtual machine snapshot of the target virtual machine is saved.

As an alternative implementation, step S212 and step S213 may be performed synchronously, and the two may be performed in no order.

In step S214, the secure processor transmits at least the key encryption information (WRAP_TK) and the encrypted snapshot content to the virtual machine platform.

In step S215, the virtual machine platform saves at least the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine.

After the secure processor obtains the key encryption information (wrap_tk) and the encrypted snapshot content, the embodiment of the application can store the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine. In some embodiments, the secure processor may transmit the key encryption information (wrap_tk) and the encrypted snapshot content to the virtual machine platform such that the key encryption information (wrap_tk) and the encrypted snapshot content are maintained by the virtual machine platform in the virtual machine snapshot of the target virtual machine. In further embodiments, the virtual machine platform may write the virtual machine snapshot of the target virtual machine to the virtual machine image file of the target virtual machine to enable saving of the virtual machine snapshot.

Of course, the storage of the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine by the virtual machine platform is only an optional means, and in the case that the secure processor supports data reading of the physical memory and the storage medium (such as a disk), the embodiment of the application can also directly store the key encryption information (wrap_tk) and the encrypted snapshot content in the virtual machine snapshot of the target virtual machine by the secure processor without being stored by the virtual machine platform; furthermore, the embodiment of the application can also write the virtual machine snapshot into the virtual machine image file by the security processor, thereby realizing the storage of the virtual machine snapshot.

That is, in the embodiment of the present application, data (such as key encryption information and encrypted snapshot content) is stored in the virtual machine snapshot, which may be stored in the virtual machine snapshot by the secure processor through the virtual machine platform, or may be directly stored in the virtual machine snapshot by the secure processor.

In some embodiments, when the virtual machine snapshot is written into the virtual machine image file to save the virtual machine snapshot, the embodiments of the present application may update the image file header of the virtual machine image file (e.g., update the snapshot number and the snapshot header offset) and generate the snapshot header.

For ease of understanding, fig. 2b shows an alternative schematic diagram of a data structure of a virtual machine snapshot provided by an embodiment of the present application. As can be seen from fig. 2b and fig. 1a, the virtual machine snapshot stored in the embodiment of the present application includes at least encrypted snapshot content and key encryption information (wrap_tk); the snapshot content can be encrypted and protected, so that the situations that the configuration and the data related to the virtual machine are stolen caused by the fact that the snapshot content of the target virtual machine is stored in a plaintext form are reduced, and the situation that the virtual machine data of the target virtual machine are tampered can be effectively reduced; the key encryption information can at least encrypt and protect the TEK of the encrypted snapshot content, so that the TEK can be obtained by decrypting the key encryption information when the virtual machine snapshot is read later, and decryption and reading of the subsequent encrypted snapshot content are realized.

In some embodiments, the secure processor may generate the KEK based at least on the key agreement information. As an alternative implementation, FIG. 3a illustrates an alternative implementation flowchart for generating a KEK. The flow may be implemented by the secure processor execution, as shown in fig. 3a, and may include the following steps.

In step S310, the secure processor determines a public key using key negotiation criteria based on the key negotiation information.

In some embodiments, the key agreement information may include key agreement private key information, as well as key agreement public key information. The key negotiation private key information may be a private key for key negotiation that is private to the secure processor, and the key negotiation public key information may be a public key for key negotiation that can be externally disclosed.

In some embodiments, the key agreement private key information may include at least a secure certificate private key of the secure processor, and the key agreement public key information may include at least a secure certificate public key of the secure processor. For example, the security certificate of the security processor may be a PDH (Platform Diffie-Hellman, platform Difeihman Key exchange protocol/algorithm) certificate; the PDH certificate may include a PDH certificate private key for key agreement, which may be considered an alternative form of the security certificate private key described above, and a PDH certificate public key, which may be considered an alternative form of the security certificate public key described above. In an alternative implementation, the secure processor may determine the public key using key agreement criteria based at least on a secure certificate private key (e.g., PDH certificate private key) of the secure processor, a secure certificate public key (e.g., PDH certificate public key).

In further embodiments, the secure processor may further combine the random private key and the random public key of the key agreement standard to determine the public key; thus, the key agreement private key information may further include a random private key of the key agreement standard, and the key agreement public key information may further include a random public key of the key agreement standard. In one alternative implementation example, the security processor may negotiate the public key based on key negotiation criteria such as SM 2; taking the SM2 key agreement standard as an example, the random private key of the key agreement standard may be an SM2 random private key, and the random public key of the key agreement standard may be an SM2 random public key.

As an alternative implementation, in case that the public key is determined based on the security certificate of the security processor and a key negotiation standard (e.g., SM2 key negotiation standard), the key negotiation private key information in the key negotiation information may include a security certificate private key of the security processor, and a random private key of the key negotiation standard; the key negotiation public key information in the key negotiation information may include a security certificate public key of the security processor and a random public key of the key negotiation standard. For example, using a PDH certificate and SM2 key agreement criteria, the security processor may determine the public key using the SM2 key agreement criteria based on the PDH certificate private key, the PDH certificate public key, the SM2 random private key, and the SM2 random co-key.

In step S311, the secure processor derives a master secret (master secret) based on the public key.

In some embodiments, the secure processor may derive the master key from the public key using a key derivation algorithm (Key Derivation Function, KDF).

In step S312, the secure processor derives a KEK based on the master key.

In the embodiment of the application, the KEK is a key used for encrypting the key so as to ensure the security of the key. In some embodiments, the KEK may be an SM4 key. For example, the secure processor may derive the SM4 key from the master key to generate the KEK.

As can be seen from the flow shown in fig. 3a, the security processor may first determine the public key using key negotiation criteria based on the key negotiation information; then deriving a master key based on the public key; thus, the KEK is derived based on the master key. That is, generating the KEK may encompass the process of negotiating a public key based on the key negotiation information, deriving a master key based on the public key, deriving the KEK based on the master key. Of course, the process of generating a KEK shown in FIG. 3a is only one alternative implementation, and other possible processes of generating a KEK based on key agreement information may be supported by embodiments of the present application.

In some embodiments, since the embodiment of the present application stores the encryption key information in the virtual machine snapshot, where the encryption key information is obtained by encrypting at least the TEK by the KEK, in the case where the KEK is generated based on the key negotiation information, the embodiment of the present application may store key negotiation public key information (for example, a security certificate public key of the security processor and a random public key of the key negotiation standard) that can be externally disclosed in the key negotiation information in the virtual machine snapshot. Based on the above operation, when the virtual machine snapshot is read later, the security processor can recover the KEK by combining the key negotiation private key information stored by the security processor by deriving the key negotiation public key information from the virtual machine snapshot, so as to decrypt the encrypted key information in the virtual machine snapshot by using the KEK to recover the TEK; and further, the encrypted snapshot content in the virtual machine snapshot can be decrypted by utilizing the recovered TEK so as to decrypt and read the encrypted snapshot content.

Based on the above considerations, in some embodiments, embodiments of the present application may save key agreement public key information in a virtual machine snapshot of a target virtual machine. In an alternative implementation, the secure processor may transmit the key agreement public key information to the virtual machine platform, which saves the key agreement public key information in the virtual machine snapshot of the target virtual machine. Of course, the embodiment of the application can also support the secure processor to store the key negotiation public key information in the virtual machine snapshot of the target virtual machine. As one implementation example, where the virtual machine snapshot already has encrypted snapshot content and encryption key information stored in ciphertext form, the key agreement public key information may be stored in plaintext form in the virtual machine snapshot. For example, additional information for storing information in a plaintext form may be further provided in the virtual machine snapshot, and key negotiation public key information may be written into the additional information to achieve storage in the virtual machine snapshot.

For ease of understanding, fig. 3b shows another alternative schematic diagram of a data structure of a virtual machine snapshot provided by an embodiment of the present application. As can be seen from the combination of fig. 2b and fig. 3b, the virtual machine snapshot saved in the embodiment of the present application includes, in addition to encrypted snapshot content and key encryption information in a ciphertext form, additional information in a plaintext form; the key agreement public key information may be written in additional information to enable saving of the key agreement public key information in the virtual machine snapshot.

In further embodiments, if the secure processor is based on the KEK and the first random number (WARP_IV) generated by the hardware true random number generator, encrypting at least the TEK to obtain key encryption information (WRAP_TK); because of the randomness of the hardware true random number generator, the embodiment of the application can also store the first random number (WARP_IV) in the additional information of the virtual machine snapshot so that the subsequent security processor can decrypt the key encryption information (WRAP_TK) through the self-recovered KEK and the first random number (WARP_IV) written in the additional information. In some possible embodiments, the first random number (WARP_IV) may also be used in conjunction with the TEK to encrypt the snapshot content of the target virtual machine, resulting in the encrypted snapshot content. It should be noted that the first random number (warp_iv) is different from the random number used to generate the TEK, so that the first random number (warp_iv) stored with the plain text in the virtual machine snapshot does not cause information leakage of generating the TEK.

Fig. 3c is a schematic diagram of still another alternative data structure of a virtual machine snapshot according to an embodiment of the present application, where the data structure shown in fig. 3c further writes a first random number (warp_iv) in the additional information based on fig. 3 b. In an alternative implementation, the secure processor may transmit the first random number (WARP_IV) to the virtual machine platform, which saves the first random number (WARP_IV) in the additional information of the virtual machine snapshot. Of course, embodiments of the present application may also support direct writing of the first random number (WARP_IV) by the secure processor into additional information of the virtual machine snapshot. It should be noted that, in the case that the secure processor supports reading and writing of physical memory and storage media (such as a disk), any data reading and writing of the virtual machine snapshot implemented by the virtual machine platform in the embodiment of the present application may be implemented by the secure processor instead, and the alternative implementation of the same property will not be further described below. That is, the embodiment of the application writes the data into the virtual machine snapshot, which can be realized by the secure processor through the virtual machine platform or directly realized by the secure processor.

In some embodiments, the embodiment of the present application may further support integrity protection of the key encryption information (wrap_tk), so that when the virtual machine snapshot is read later, whether the key encryption information stored in the virtual machine snapshot is complete or not can be detected, and if the key encryption information is detected to be incomplete, the embodiment of the present application may confirm that the key encryption information is destroyed when stored in the virtual machine snapshot, and may terminate reading the virtual machine snapshot. Based on this, embodiments of the present application may achieve integrity protection of key encryption information (wrap_tk) by generating a KIK (Key Integrity Key ). As an alternative implementation, fig. 3d shows a flowchart of an alternative implementation of integrity protection of key encryption information according to an embodiment of the present application. The flow shown in fig. 3d may be implemented by the secure processor execution, as shown in fig. 3d, and may include the following steps.

In step S320, the secure processor generates a KIK.

In the embodiment of the application, the KIK is a key for guaranteeing the integrity of the key.

As an alternative implementation, the security processor may derive the KIK based on the master key generated in step S311. In some embodiments, the KEK and the KIK may both be derived from the master key, but the key types of the KEK and the KIK may be different; the secure processor may derive the KEK and the KIK by deriving different types of keys from the master key. For example, the KEK may be an SM4 key, and the KIK may be an HMAC (Hash message authentication code, hash-based Message Authentication Code) -SM3 key; the security processor may derive the SM4 key from the master key to generate the KEK; the security processor may derive the HMAC-SM3 key from the master key to generate the KIK.

Of course, other ways of generating the KIK may be supported by embodiments of the present application, and are not limited to deriving the KIK from the master key. Essentially, the KIK is a key for guaranteeing the integrity of the key, and the embodiment of the application can support any key capable of guaranteeing the integrity of the key as the KIK.

In step S321, the security processor performs integrity protection on the key encryption information (wrap_tk) based on the KIK to obtain key integrity protection information (wrap_mac).

For the need of integrity protection of the key encryption information in the virtual machine snapshot, the security processor may use the KIK to perform integrity protection on the key encryption information (wrap_tk) to obtain key integrity protection information (wrap_mac) corresponding to the key encryption information (wrap_tk). In some embodiments, the secure processor may calculate the HMAC of the key encryption information (wrap_tk) based on the KIK to obtain the key integrity protection information (wrap_mac).

In further embodiments, the key integrity protection information (wrap_mac) may be stored in plain text form in the virtual machine snapshot of the target virtual machine. For example, the secure processor may transmit key integrity protection information (wrap_mac) to the virtual machine platform, which writes the key integrity protection information (wrap_mac) into the additional information of the virtual machine snapshot. For ease of understanding, fig. 3e shows a further alternative schematic diagram of a data structure of a virtual machine snapshot provided by an embodiment of the present application. As shown in fig. 3e and fig. 3c, it can be seen that the additional information of the virtual machine snapshot is further written with key integrity protection information (wrap_mac), so as to facilitate the subsequent detection of the integrity of the key encryption information (wrap_tk) stored in the virtual machine snapshot when the virtual machine snapshot is read.

In some embodiments, policy (policy) information of the target virtual machine is valid and unalterable throughout the life cycle of the target virtual machine, thus ensuring that policy information of the target virtual machine is not altered during virtual machine snapshot save and read. Based on the method, the embodiment of the application can also carry out integrity protection on the strategy information of the target virtual machine. And then when the virtual machine snapshot of the target virtual machine is read later, if the strategy information of the target virtual machine is detected to be incomplete, the strategy information of the target virtual machine is changed in the middle process of storing the virtual machine snapshot into the reading, and the subsequent reading of the virtual machine snapshot of the target virtual machine can be terminated. It should be noted that, policy information of the virtual machine may be configuration and operation commands that are enforced by a secure processor (e.g., secure firmware in the secure processor) and limit the virtual machine hypervisor to allow execution on the virtual machine.

As an alternative implementation, the security processor may implement integrity protection of the policy information of the target virtual machine by generating a TIK (Transport Integrity Key, transmitting the integrity key). FIG. 4a illustrates an alternative implementation flow diagram of integrity protection of policy information for a target virtual machine in accordance with an embodiment of the present application. The flow shown in fig. 4a may be implemented by the secure processor, as shown in fig. 4a, and may include the following steps.

In step S410, the secure processor generates a TIK.

TIK is a key used by embodiments of the present application to ensure data integrity.

In some embodiments, the secure processor may generate the TIK through a hardware true random number generator. For example, the secure processor may generate the TIK based on a random number generated by a hardware true random number generator. In an alternative implementation, the TEK generated by the secure processor at step S210 and the TIK generated at step S410 may both be generated by a hardware true random number generator, but the key types of the TEK and the TIK may be different; the secure processor may generate different types of keys via a hardware true random number generator to obtain TEK and TIK. For example, the TEK may be an SM4 key, and the secure processor may generate the SM4 key through a hardware true random number generator to obtain the TEK. For example, the TIK may be an HMAC-SM3 key and the secure processor may generate the HMAC-SM3 key via a hardware true random number generator to obtain the TIK.

Of course, other ways of generating the TIK may be supported by embodiments of the present application, and are not limited to generating the TIK by a secure processor via a hardware true random number generator. The TIK is essentially a key for guaranteeing data integrity, and any key capable of supporting data integrity protection can be used as the TIK.

In step S411, the secure processor acquires policy information of the target virtual machine.

In some embodiments, policy information for the target virtual machine may be transferred by the virtual machine platform to the secure processor.

In step S412, the security processor performs integrity protection on the POLICY information based on the TIK to obtain POLICY integrity protection information (policy_mac).

In some embodiments, the security processor may calculate the HMAC of the POLICY information of the target virtual machine based on the TIK to obtain the POLICY integrity protection information (policy_mac).

In further embodiments, POLICY integrity protection information (policy_mac) may be stored in plain text form in the virtual machine snapshot of the target virtual machine. For example, the security processor may transmit POLICY integrity protection information (policy_mac) to the virtual machine platform, which writes the POLICY integrity protection information (policy_mac) into the additional information of the virtual machine snapshot. For ease of understanding, fig. 4b shows yet another alternative schematic diagram of a data structure of a virtual machine snapshot provided by an embodiment of the present application. As shown in fig. 3e and fig. 4b, it can be seen that POLICY integrity protection information (policy_mac) is also written in the additional information of the virtual machine snapshot, so as to facilitate the subsequent detection of the integrity of the POLICY information of the target virtual machine when the virtual machine snapshot is read.

In some further embodiments, the security processor may further perform integrity protection on the encrypted snapshot content based on the TIK, resulting in encrypted snapshot integrity protection information. For example, the secure processor calculates the HMAC corresponding to the encrypted snapshot content based on the TIK to obtain the encrypted snapshot integrity protection information. The encrypted snapshot integrity protection information may also be stored in the additional information. Further in connection with fig. 4b, the additional information may also hold encrypted snapshot integrity protection information.

In some further embodiments, the policy information of the target virtual machine may also be stored in a virtual machine snapshot of the target virtual machine. For example, the secure processor may transmit policy information for the target virtual machine to the virtual machine platform, which writes the policy information for the target virtual machine into the additional information for the virtual machine snapshot.

In some further embodiments, the embodiment of the application can also encrypt and protect the TIK, so that when the virtual machine snapshot is read later, the integrity of the policy information of the target virtual machine and the integrity of the encrypted snapshot content are detected by recovering the encrypted TIK. In an alternative implementation, the TIK may be used as part of the encrypted content in the key encryption information (WRAP_TK) since both the TEK and the TIK are generated by the secure processor via a hardware true random number generator. In some embodiments, the secure processor may encrypt the TEK and the TIK together based on the KEK to obtain the key encryption information (WRAP TK) when generating the key encryption information (WRAP TK). For example, the secure processor may encrypt the TEK and the TIK together based on the KEK and a first random number (warp_iv) generated by the hardware true random number generator to obtain key encryption information (wrap_tk). Based on this, the key encryption information (wrap_tk) stored in the virtual machine snapshot of the target virtual machine may be information obtained by encrypting the TEK and the TIK as a whole. For ease of understanding, fig. 4c shows yet another alternative schematic diagram of a data structure of a virtual machine snapshot provided by an embodiment of the present application. As shown in fig. 4c and fig. 4b, it can be seen that the key encryption information (wrap_tk) of the virtual machine snapshot is the information obtained by integrally encrypting the TEK and the TIK. Accordingly, the key integrity protection information (wrap_mac) may be the integrity protection of the key encryption information (wrap_tk) obtained by encrypting the TEK and the TIK together.

It should be noted that, based on the flow shown in fig. 2a, the implementation means for generating the KEK based on the key negotiation information, the integrity protection means for the key encryption information, the integrity protection means for the policy information of the target virtual machine, and the like, which are further provided in the embodiment of the present application, may be all considered as optional segments, and the embodiment of the present application may select to use one or more of the above means according to actual situations, and accordingly, the information stored in the snapshot of the virtual machine may be adjusted correspondingly. For example, if the integrity protection means is selected not to use the key encryption information, the key integrity protection information (wrap_mac) may not be saved in the virtual machine snapshot, and otherwise the same derives, which are not further developed here. Of course, the integrity protection means of the key encryption information, the integrity protection means of the policy information of the target virtual machine and the like are selected, so that the scheme provided by the embodiment of the application is more perfect, and the security of snapshot storage and subsequent reading of the virtual machine is improved, but the scheme is only a further technical perfection means based on the flow shown in fig. 2a, and is not a necessary means.

In further embodiments, after the virtual machine snapshot of the target virtual machine is saved, e.g., after the virtual machine snapshot of the target virtual machine is written to the virtual machine image file, the secure processor may destroy the related keys generated during the saving of the virtual machine snapshot, e.g., the secure processor may destroy TEK, TIK, KEK and KIK.

In further embodiments, if the security processor generates the KEK during the key negotiation based on the key negotiation information, the security processor may transmit a key digest generated during the key negotiation (e.g., a key digest calculated according to SM2 key negotiation standards) to the virtual machine platform; and the virtual machine platform encrypts the snapshot content of the target virtual machine and enables the encrypted snapshot content to be stored in the virtual machine snapshot under the condition that the key negotiation process of the security processor is checked to be successful based on the key digest. For example, the virtual machine platform may recalculate the key digest, compare the recalculated key digest with the key digest transmitted by the secure processor, if the comparison is consistent, the secure processor's key negotiation process is successful, and if the comparison is inconsistent, the secure processor's key negotiation process is failed. Under the condition that the key negotiation process of the secure processor fails, the embodiment of the application can terminate the subsequent operations of encrypting the snapshot content, storing the encrypted snapshot content into the virtual machine snapshot and the like.

As an alternative implementation, FIG. 5 shows another alternative flowchart of a virtual machine snapshot saving method provided by an embodiment of the present application. The flow shown in fig. 5 may describe a virtual machine snapshot save scheme in technical detail. The steps shown in fig. 5 may be considered as steps that may be set to implement the virtual machine snapshot saving, and the order between the steps shown in fig. 5 may be adjusted, and not necessarily performed according to the sequence numbers of the steps shown in fig. 5. As shown in fig. 5, the flow may include the following steps.

In step S510, the virtual machine platform reads and parses the virtual machine image file of the target virtual machine to start the target virtual machine.

In some embodiments, when the target virtual machine is started, the virtual machine platform may read the virtual machine image file of the target virtual machine, and parse the read virtual machine image file to obtain starting data (for example, BIOS, hardware configuration, partition information, boot program, etc. of the target virtual machine) required for starting the target virtual machine, so as to implement starting the target virtual machine through the starting data.

In step S511, the virtual machine platform suspends running the target virtual machine, and requests information such as the PDH certificate public key, the SM2 random public key, and the like from the secure processor.

In step S512, the security processor transmits information such as the PDH certificate public key, the SM2 random public key, and the like to the virtual machine platform.

After the virtual machine platform starts the target virtual machine, if the virtual machine snapshot of the target virtual machine needs to be saved (for example, the virtual machine snapshot is written into the virtual machine image file), the virtual machine platform initiates a flow of saving the virtual machine snapshot, at this time, the virtual machine platform controls the target virtual machine to pause running, requests to the secure processor to derive key negotiation public key information such as a PDH certificate public key, an SM2 random public key and the like, so that the subsequent virtual machine platform can recalculate a key abstract generated in the key negotiation process, and checks whether the key negotiation process of the secure processor is successful. In further embodiments, in step S511, the virtual machine platform may also request the secure processor to export a PDH certificate chain. It should be noted that, the timing of the virtual machine platform initiating the saving of the virtual machine snapshot is not limited, and the flow of the embodiment of the present application may be triggered, for example, according to the conventional timing of saving the virtual machine snapshot.

In step S513, the security processor calculates a public key based on the PDH certificate private key, the PDH certificate public key, the SM2 random private key, the SM2 random public key, using the SM2 key agreement criterion.

In step S514, the secure processor derives a master key from the public key using a key derivation algorithm.

In step S515, the secure processor derives a KEK and a KIK from the master key.

In step S516, the secure processor generates a first random number (warp_iv) by a hardware true random number generator.

In step S517, the secure processor generates TEK and TIK by a hardware true random number generator.

In step S518, the secure processor encrypts the TEK and the KIK together using the KEK and the first random number to obtain key encryption information (WRAP_TK).

In step S519, the secure processor calculates HMAC of the key encryption information (wrap_tk) using the KIK, resulting in key integrity protection information (wrap_mac).

In step S520, the security processor calculates HMAC of POLICY information of the target virtual machine using the TIK, resulting in POLICY integrity protection information (policy_mac).

In some embodiments, after the virtual machine platform requests the information of the PDH certificate public key, the SM2 random public key, and the like from the secure processor, the secure processor may confirm that the virtual machine platform initiates the virtual machine snapshot saving flow of the target virtual machine, and the secure processor may generate KEK, KIK, TEK and TIK for the data encryption and data integrity protection operations of the embodiments of the present application.

In step S521, the security processor transmits the key digest generated by the SM2 key negotiation process to the virtual machine platform.

In step S522, the virtual machine platform recalculates the key digest, and if the recalculated key digest is consistent with the key digest transmitted by the secure processor, the snapshot content of the target virtual machine is transmitted to the secure processor.

After obtaining the key digest transmitted by the secure processor, the virtual machine platform may recalculate the key digest generated in the SM2 key negotiation process based on the PDH certificate public key, the SM2 random public key, and other information obtained in step S512, and compare the recalculated key digest with the key digest transmitted by the secure processor to check whether the key negotiation process of the secure processor is successful; if the two are consistent, the snapshot content of the target virtual machine can be transmitted to the security processor, so that the security processor encrypts the snapshot content; if the two are inconsistent, the virtual machine platform can terminate the subsequent flow. It will be appreciated that the snapshot content of the target virtual machine may also be sent to the secure processor in advance, and is not limited to being sent to the secure processor after the target virtual machine checks the key negotiation process of the secure processor, for example, the target virtual machine platform may transmit an indication to the secure processor after the key negotiation process of the secure processor is checked, so as to instruct the secure processor to perform subsequent operations.

In step S523, the secure processor encrypts the snapshot content using the TEK and the first random number to obtain encrypted snapshot content.

In step S524, the secure processor uses the TIK to perform integrity protection on the encrypted snapshot content, and obtains encrypted snapshot integrity protection information.

In some further embodiments of the present application, the secure processor may further provide an integrity protection scheme for the encrypted snapshot content after encrypting the snapshot content. For example, the secure processor may calculate the HMAC of the encrypted snapshot content using the TIK to obtain the encrypted snapshot integrity protection information, thereby implementing integrity protection of the encrypted snapshot content.

In step S525, the secure processor transmits the encrypted snapshot content, the key encryption information (wrap_tk), the key integrity protection information (wrap_mac), the POLICY integrity protection information (policy_mac), the encrypted snapshot integrity protection information, and the first random number (warp_iv) to the virtual machine platform.

It should be noted that the encrypted snapshot content, the key encryption information (wrap_tk), the key integrity protection information (wrap_mac), the POLICY integrity protection information (policy_mac), the encrypted snapshot integrity protection information, and the first random number (warp_iv) are not necessarily transmitted to the virtual machine platform by the secure processor at the same time. For example, the secure processor may also transmit the encrypted snapshot content to the virtual machine platform after generating a certain item of information therein, and the secure processor may perform the step of encrypting the snapshot content later than the other steps, and the secure processor may finally transmit the encrypted snapshot content to the virtual machine platform.

In step S526, the virtual machine platform saves the encrypted snapshot content, the key encryption information (wrap_tk), the key integrity protection information (wrap_mac), the POLICY integrity protection information (policy_mac), the encrypted snapshot integrity protection information, the first random number (warp_iv), the POLICY information, the PDH certificate public key, the SM2 random public key, and the like, to the virtual machine snapshot of the target virtual machine, which is written in the virtual machine image file.

In some embodiments, the encrypted snapshot content, the key encryption information (wrap_tk) belongs to ciphertext information, and the key integrity protection information (wrap_mac), the POLICY integrity protection information (policy_mac), the encrypted snapshot integrity protection information, the POLICY information, the first random number (warp_iv), the PDH certificate public key, the SM2 random public key, and the like belong to plaintext information, and additional information in the form of plaintext may be set in the virtual machine snapshot, so that the plaintext information is saved in the additional information of the virtual machine snapshot.

In step S527, the secure processor destroys TEK, TIK, KEK and KIK.

In step S528, the virtual machine platform continues to run the target virtual machine.

After the virtual machine snapshot of the target virtual machine is saved, the security processor can destroy the relevant keys such as TEK, TIK, KEK and KIK, and the virtual machine platform can resume running the target virtual machine, so that the target virtual machine can continue running.

Based on the foregoing, it may be seen that, in some embodiments, the information stored in the virtual machine snapshot of the target virtual machine according to the embodiments of the present application may include at least: the snapshot content and key encryption information (WRAP TK) are encrypted. The key encryption information (wrap_tk) may be obtained by encrypting the TEK, or may be obtained by encrypting the TEK and the TIK as a whole.

In another possible embodiment or embodiments, the information stored in the virtual machine snapshot of the target virtual machine may include: the snapshot content, key encryption information (WRAP TK), and additional information are encrypted. The additional information may include at least one of the following (i.e., one or more of the following):

key agreement public key information (e.g., PDH certificate public key and SM2 random public key);

key integrity protection information (wrap_mac);

POLICY integrity protection information (policy_mac), POLICY information of the target virtual machine;

a first random number (WARP_IV);

the snapshot integrity protection information is encrypted.

It should be noted that, the storage of the additional information in the virtual machine snapshot is only an optional implementation, and the embodiment of the present application may also support the storage of the additional information in an external storage location or other storage locations of the virtual machine snapshot.

According to the embodiment of the application, the snapshot content can be stored in the virtual machine snapshot in a ciphertext form, so that the security of the virtual machine snapshot is improved; the encryption key information can be stored in the virtual machine snapshot in a ciphertext mode, and can be obtained by encrypting at least the TEK for encrypting the snapshot content, so that the security protection of the TEK can be realized, and the TEK can be recovered by decrypting the encryption key information when the virtual machine snapshot is read later, so that the decryption and the reading of the encrypted snapshot content can be realized. Furthermore, the embodiment of the application can also set additional information in a plaintext form to store information such as key integrity protection information for integrity protection of encryption key information, strategy integrity protection information for integrity protection of strategy information of the virtual machine and the like, thereby being convenient for realizing the integrity detection of related data when the snapshot of the virtual machine is read later, and further improving the security when the snapshot of the virtual machine is stored.

After the virtual snapshot of the target virtual machine is saved based on the virtual machine snapshot saving scheme described above, the embodiment of the application further provides a virtual machine snapshot reading scheme. The following description will be made with respect to a virtual machine snapshot reading scheme, and it will be understood that the virtual machine snapshot reading scheme described below relates to a portion related to the foregoing saving scheme, and may be referred to with reference to each other.

As an optional implementation, fig. 6a shows an optional flowchart of a virtual machine snapshot reading method provided by an embodiment of the present application. As shown in fig. 6a, the flow may include the following steps.

In step S610, the virtual machine platform obtains a virtual machine snapshot from a virtual machine image file of the target virtual machine, where the virtual machine snapshot includes encrypted snapshot content and key encryption information.

In step S611, the virtual machine platform transmits the virtual machine snapshot to the secure processor.

In some embodiments, the secure processor may obtain the virtual machine snapshot from the virtual machine image file of the target virtual machine through the virtual machine platform, e.g., by implementing the secure processor to obtain the virtual machine snapshot in step S610 and step S611. In other embodiments, the secure processor may also obtain the virtual machine snapshot directly from the virtual machine image file of the target virtual machine.

Reading the virtual machine snapshot of the target virtual machine is actually reading the snapshot content therein and restoring the state of the target virtual machine according to the snapshot content. Based on the virtual machine snapshot storage scheme provided by the embodiment of the application, the virtual machine snapshot at least comprises the encrypted snapshot content and the key encryption information, so that decryption of the encrypted snapshot content is involved when the snapshot content is read.

In step S612, the secure processor recovers the KEK.

In step S613, the secure processor decrypts the key encryption information based on the KEK to obtain the TEK.

In some embodiments, the key encryption information is obtained by encrypting at least the TEK based on the KEK, and the TEK is used for encrypting the snapshot content to obtain the encrypted snapshot content, so that in order to decrypt the encrypted snapshot content and thereby read the snapshot content of the target virtual machine, the embodiment of the application can restore the KEK, and decrypt the key encryption information by using the KEK to obtain the TEK.

In some embodiments, the virtual machine snapshot may further include additional information in plaintext (the additional information may also be stored in other storage locations), where the additional information may include at least key negotiation public key information; therefore, the security processor can acquire the additional information through the virtual machine platform or the security processor, recover the KEK based on the key negotiation public key information in the additional information and the key negotiation private key information of the security processor, and further decrypt the key encryption information by using the recovered KEK to obtain the TEK.

In further embodiments, if the secure processor is a combination of the KEK and the first random number (WARP_IV), encrypting at least the TEK to obtain key encryption information, the additional information may further include the first random number (WARP_IV); further, the secure processor may decrypt the key encryption information based on the KEK and the first random number (WARP_IV) in the additional information to obtain the TEK after recovering the KEK.

In step S614, the secure processor decrypts the encrypted snapshot content based on the TEK, to obtain the snapshot content of the target virtual machine.

After recovering the TEK, the security processor can decrypt the encrypted snapshot content in the virtual machine snapshot by using the TEK, so as to obtain the snapshot content of the target virtual machine, and realize reading the virtual machine snapshot of the target virtual machine. In some embodiments, the secure processor may decrypt the encrypted snapshot content directly based on the TEK, resulting in snapshot content of the target virtual machine. In other embodiments, if the secure processor encrypts the snapshot content in combination with the TEK and the first random number (WARP IV) to obtain the encrypted snapshot content, the secure processor may decrypt the encrypted snapshot content based on the recovered TEK and the first random number (WARP IV) in the additional information to obtain the snapshot content of the target virtual machine.

In further embodiments, the secure processor may transmit the obtained snapshot content of the target virtual machine to the virtual machine platform so that the virtual machine platform restores the state of the target virtual machine using the snapshot content.

In some embodiments, the embodiment of the application can check the integrity of the key encryption information through the key integrity protection information in the additional information on the basis of providing the integrity protection scheme of the key encryption information, and then decrypt the key encryption information on the basis of checking the integrity of the key encryption information. As an optional implementation, fig. 6b shows another optional flowchart of the virtual machine snapshot reading method provided by the embodiment of the present application, and as shown in fig. 6b, the flowchart may include the following steps.

In step S620, the secure processor acquires a virtual machine snapshot of the target virtual machine, where the virtual machine snapshot includes encrypted snapshot content and key encryption information, and additional information, where the additional information includes key integrity protection information, key negotiation public key information, and a first random number.

In some embodiments, the secure processor may obtain a virtual machine snapshot of the target virtual machine through the virtual machine platform along with additional information. Optionally, additional information may be saved in the virtual machine snapshot.

In step S621, the secure processor recovers the KEK and the KIK based on the key agreement public key information and the key agreement private key information itself.

In an alternative implementation, the secure processor may determine the public key using a key negotiation criterion based on the key negotiation public key information in the additional information and the key negotiation private key information of the secure processor itself; deriving a master key based on the public key; and deriving the KEK and the KIK based on the master key, thereby realizing recovery of the KEK and the KIK.

In step S622, the secure processor calculates the HMAC of the key encryption information based on the KIK to obtain recalculated key integrity protection information.

In step S623, the secure processor compares the recalculated key integrity protection information with the key integrity protection information saved in the additional information.

In step S624, if the secure processor determines that the comparison result is consistent, the secure processor decrypts the key encryption information based on the KEK and the first random number to obtain the TEK.

In step S625, the secure processor decrypts the encrypted snapshot content based on the TEK and the first random number, resulting in snapshot content of the target virtual machine.

It should be noted that, after the comparison in step S623, if the secure processor determines that the comparison result is inconsistent, the secure processor may determine that the key encryption information is incomplete, and the secure processor may terminate the subsequent flow, i.e. terminate reading the virtual machine snapshot of the target virtual machine.

In some embodiments, on the basis of providing an integrity protection scheme of the policy information of the target virtual machine, the additional information further includes the policy information and the policy integrity protection information of the target virtual machine; after the security processor acquires the additional information through the virtual machine platform or the security processor, the security processor can carry out integrity check on the strategy information of the target virtual machine, and only decrypt the encrypted snapshot content on the basis of checking the integrity of the strategy information of the target virtual machine.

On the basis of the above, as an alternative implementation, the key encryption information in the virtual machine snapshot may be obtained by encrypting the entire TIK and the TEK, so that the security processor can recover the TEK and the TIK after decrypting the key encryption information; further, the security processor may calculate an HMAC corresponding to the policy information in the additional information using the TIK to obtain recalculated policy integrity protection information. The security processor compares the recalculated strategy integrity protection information with strategy integrity protection information in the additional information; if the comparison results are consistent, indicating that the strategy information of the target virtual machine is not changed, and enabling the secure processor to continuously decrypt the encrypted snapshot content to obtain the snapshot content of the target virtual machine; if the comparison result is inconsistent, the strategy information of the target virtual machine is changed, and the embodiment of the application can terminate the subsequent flow and terminate reading the virtual machine snapshot of the target virtual machine.

In some embodiments, the additional information further includes the encrypted snapshot integrity protection information on the basis of providing an integrity protection scheme for the encrypted snapshot content; after the secure processor obtains the additional information through the virtual machine platform or itself, the secure processor can perform integrity check on the encrypted snapshot content in the virtual machine snapshot, and only decrypt the encrypted snapshot content on the basis of checking the integrity of the encrypted snapshot content.

On the basis of the above, as an alternative implementation, after recovering the TIK, the secure processor may use the TIK to calculate the HMAC corresponding to the encrypted snapshot content, so as to obtain the recalculated encrypted snapshot integrity protection information. The security processor compares the recalculated encrypted snapshot integrity protection information with the encrypted snapshot integrity protection information in the additional information; if the comparison results are consistent, the security processor can confirm that the encrypted snapshot content is complete, and the security processor can continuously decrypt the encrypted snapshot content to obtain the snapshot content of the target virtual machine; if the comparison result is inconsistent, the encrypted snapshot content is incomplete, and the embodiment of the application can terminate the subsequent flow and terminate reading the virtual machine snapshot of the target virtual machine.

In some further embodiments, the virtual machine platform may first suspend the running target virtual machine, and then initiate the virtual machine snapshot reading of the target virtual machine, so that after the virtual machine snapshot reading is completed in the embodiment of the present application, and the security processor destroys the related keys (for example, TEK, TIK, KEK and KIK), the virtual machine platform may resume running the target virtual machine again. It should be noted that, reading the virtual machine snapshot is essentially to restore the snapshot content of the virtual machine snapshot, and restore the virtual machine to the virtual machine state described by the snapshot content. On the basis, as further embodiments, after the snapshot content of the target virtual machine is read, the secure processor can further encrypt the snapshot content by using the VEK of the target virtual machine, so that when the target virtual machine is operated, the data loaded from the memory is ensured to belong to the encrypted data required by the secure virtualization technology.

In some further embodiments, before initiating the snapshot content reading of the target virtual machine, the virtual machine platform may parse and check an Image Header (Image Header) of the target virtual machine, and if the Image Header (Image Header) includes the snapshot Header, the virtual machine platform may request the secure processor to unbind the ASID (Address Space ID) of the target virtual machine and the target virtual machine. It will be appreciated that the Image Header (Image Header) contains a snapshot Header (i.e., the snapshot Header is not empty), then it is stated that there is a virtual machine snapshot in the snapshot Header indicated by the Image Header. The ASID is an address space mark of the virtual machine, and when the virtual machine is started, the secure processor can allocate the ASID to the virtual machine; in the conventional case, or in some implementations, different virtual machines have different ASIDs.

The embodiment of the application also provides a corresponding reading scheme of the virtual machine snapshot on the basis of providing the encryption and storage scheme of the virtual machine snapshot, so that decryption and reading of the encrypted snapshot content in the virtual machine snapshot are realized, and the application of the secure virtualization technology in the virtual machine snapshot storage and reading scene is perfected. It should be noted that, the virtual machine snapshot reading scheme is actually implemented adaptively based on the virtual machine snapshot saving scheme, so that the parts of the virtual machine snapshot reading scheme related to the virtual machine snapshot saving scheme can be referred to each other.

The foregoing describes several embodiments of the present application, and the various alternatives presented by the various embodiments may be combined, cross-referenced, with each other without conflict, extending beyond what is possible embodiments, all of which are considered to be embodiments of the present application disclosed and disclosed.

The embodiment of the application also provides a device for saving the snapshot of the virtual machine, which can be regarded as a functional module required by the security processor for realizing the method for saving the snapshot of the virtual machine. The apparatus content described below may be referred to in correspondence with the method content described above.

In an optional implementation, fig. 7 shows an optional block diagram of a virtual machine snapshot storage device provided by an embodiment of the present application. The device may be applied to a secure processor, for example to secure firmware of the secure processor. As shown in fig. 7, the apparatus may include:

a key generation module 710 for generating a TEK, and generating a KEK;

an encryption module 711, configured to encrypt at least the TEK based on the KEK to obtain key encryption information; encrypting the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine;

and the storage module 712 is configured to store the key encryption information and the encrypted snapshot content in a virtual machine snapshot of the target virtual machine, where the virtual machine snapshot is written into a virtual machine image file of the target virtual machine.

In further embodiments, the apparatus may further be provided with one or more functional modules, or add functionality to one or more of the functional modules shown in fig. 7, to further: saving additional information of a plaintext, the additional information including at least one of the following information:

key negotiation public key information, wherein the key negotiation public key information is used for generating a KEK;

Key integrity protection information for integrity protecting the key encryption information;

policy integrity protection information for performing integrity protection on policy information of the target virtual machine;

and the encryption snapshot integrity protection information is used for carrying out integrity protection on the encryption snapshot content.

In some embodiments, the key generation module 710 for generating the KEK comprises:

generating a KEK based on the key agreement information; the key agreement information includes key agreement private key information and key agreement public key information.

In further embodiments, the apparatus may further be provided with one or more functional modules, or add functionality to one or more of the functional modules shown in fig. 7, to further: and storing the key negotiation public key information in the additional information.

In some embodiments, the key generation module 710 for generating the KEK based on the key agreement information comprises:

determining a public key using key negotiation criteria based on the key negotiation information;

deriving a master key based on the public key;

deriving a KEK based on the master key.

In some embodiments, the key agreement private key information includes: a secure certificate private key of the secure processor, and a random private key of a key agreement standard; the key negotiation public key information includes: a secure certificate public key of the secure processor, and a random public key of a key agreement standard.

In further embodiments, the apparatus may further be provided with one or more functional modules, or add functionality to one or more of the functional modules shown in fig. 7, to further:

generating a KIK;

based on the KIK, calculating the HMAC of the key encryption information to obtain key integrity protection information;

and storing the key integrity protection information in the additional information.

In some embodiments, the generating the KIK comprises:

deriving a master key based on the public key;

deriving a KIK based on the master key; wherein the key types of the KIK and the KEK are different.

In some embodiments, the key generation module 710 for generating the TEK includes:

and generating the TEK through a hardware true random number generator.

generating a TIK;

acquiring policy information of a target virtual machine;

based on the TIK, calculating HMAC of the policy information of the target virtual machine to obtain policy integrity protection information;

And storing the strategy integrity protection information or the strategy integrity protection information and the strategy information in the additional information.

generating a TIK;

performing integrity protection on the encrypted snapshot content by using the TIK to obtain encrypted snapshot integrity protection information;

and storing the encryption snapshot integrity protection information in the additional information.

Optionally, the generating the TIK includes:

generating TIK through a hardware true random number generator; wherein, the key types of TIK and TEK are different; the key encryption information is obtained by encrypting the TIK and the TEK integrally at least by the KEK.

transmitting the key abstract generated in the key negotiation process to the virtual machine platform so that the virtual machine platform can check whether the key negotiation process of the security processor is successful or not; after the virtual machine platform checks that the key negotiation process of the secure processor is successful, the secure processor executes the step of encrypting the snapshot content of the target virtual machine based on the TEK to obtain the encrypted snapshot content of the target virtual machine.

In further embodiments, the additional information further includes:

a first random number generated by a hardware true random number generator; the first random number is used for being combined with the KEK, at least encrypting the TEK, and obtaining the key encryption information; and/or the first random number is used for encrypting the snapshot content of the target virtual machine in combination with the TEK to obtain the encrypted snapshot content.

The embodiment of the application also provides a device for reading the snapshot of the virtual machine, which can be regarded as a functional module required by the security processor for realizing the method for reading the snapshot of the virtual machine. The apparatus content described below may be referred to in correspondence with the method content described above.

In an alternative implementation, fig. 8 shows an alternative block diagram of a virtual machine snapshot reading device provided by an embodiment of the present application. The device may be applied to a secure processor, for example to secure firmware of the secure processor. As shown in fig. 8, the apparatus may include:

an obtaining module 810, configured to obtain a virtual machine snapshot of a target virtual machine, where the virtual machine snapshot includes encrypted snapshot content and key encryption information;

a recovery module 811 for recovering the KEK;

A key decryption module 812, configured to decrypt the key encryption information based on the KEK to obtain a TEK;

and the snapshot decryption module 813 is configured to decrypt the encrypted snapshot content based on the TEK, to obtain the snapshot content of the target virtual machine.

In further embodiments, the apparatus may further be provided with one or more functional modules, or add functionality to one or more of the functional modules shown in fig. 8, to further: acquiring additional information, wherein the additional information comprises at least one of the following information:

key negotiation public key information, wherein the key negotiation public key information is used for recovering the KEK;

In some embodiments, the recovery module 811 for recovering the KEK comprises:

and recovering the KEK based on the key negotiation private key information of the security processor and the key negotiation public key information in the additional information.

In further embodiments, the apparatus may further be provided with one or more functional modules, or add functionality to one or more of the functional modules shown in fig. 8, to further:

recovering the KIK;

based on the KIK, calculating the HMAC of the key encryption information to obtain recalculated key integrity protection information;

comparing the recalculated key integrity protection information with the key integrity protection information stored in the additional information;

if the comparison result is consistent, the security processor executes the step of decrypting the key encryption information based on the KEK to obtain the TEK; and if the comparison results are inconsistent, terminating reading the virtual machine snapshot.

In some embodiments, recovering the KIK includes:

recovering the KIK based on the key negotiation private key information of the security processor and the key negotiation public key information in the additional information; the key types of the KIK and the KEK are different.

In further embodiments, the additional information further includes policy information for the target virtual machine; the apparatus may further be provided with one or more functional modules, or add functions on one or more functional modules shown in fig. 8, to further serve:

Recovering the TIK;

calculating HMAC corresponding to the strategy information in the additional information based on the TIK to obtain recalculated strategy integrity protection information;

comparing the recalculated policy integrity protection information with the policy integrity protection information in the additional information;

if the comparison result is consistent, the security processor executes the step of decrypting the encrypted snapshot content based on the TEK to obtain the snapshot content of the target virtual machine; and if the comparison results are inconsistent, terminating reading the virtual machine snapshot.

recovering the TIK;

calculating HMAC corresponding to the encrypted snapshot content based on the TIK to obtain recalculated encrypted snapshot integrity protection information;

comparing the recalculated encrypted snapshot integrity protection information with the encrypted snapshot integrity protection information in the additional information;

In some embodiments, recovering the TIK includes:

after decrypting the key encryption information based on the KEK, acquiring a TIK from a decryption result; the key encryption information is obtained by encrypting the TIK and the TEK integrally at least by the KEK.

In further embodiments, the additional information further includes: a first random number; the first random number is used to decrypt the key encryption information in conjunction with the KEK and/or the first random number is used to decrypt the encrypted snapshot content in conjunction with the TEK.

when the virtual machine platform checks that the snapshot head of the target virtual machine is not empty, unbinding the target virtual machine and the ASID of the target virtual machine based on the request of the virtual machine platform;

and/or after obtaining the snapshot content of the target virtual machine, encrypting the snapshot content by using the VEK of the target virtual machine.

The embodiment of the application also provides a secure processor, and the secure processor (such as secure firmware in the secure processor) can implement the method for storing the virtual machine snapshot by loading the device for storing the virtual machine snapshot; the secure processor (for example, secure firmware in the secure processor) may be configured to implement the method for reading a virtual machine snapshot provided by the embodiment of the present application by loading the above-mentioned device for reading a virtual machine snapshot. In the embodiment of the application, the secure processor may be configured to execute the virtual machine snapshot saving method and the virtual machine snapshot reading method which are executed by the secure processor and provided by the embodiment of the application.

The embodiment of the application also provides an electronic device (such as a physical host), and the structure of the electronic device can be combined with that shown in fig. 1b, and the electronic device comprises the security processor.

Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the application, and the scope of the application should be assessed accordingly to that of the appended claims.

Claims

1. A method for saving a snapshot of a virtual machine, the method being applied to a secure processor, the method comprising:

generating a Transmission Encryption Key (TEK), and generating a Key Encryption Key (KEK) based on key negotiation information, wherein the key negotiation information comprises key negotiation private key information and key negotiation public key information, the key negotiation private key information at least comprises a security certificate private key of a security processor, and the key negotiation public key information at least comprises a security certificate public key of the security processor;

2. The method according to claim 1, wherein the method further comprises: saving additional information of a plaintext, the additional information including at least one of the following information:

3. The method according to claim 2, wherein the method further comprises:

and storing the key negotiation public key information in the additional information.

4. The method of claim 3, wherein generating the KEK based on the key agreement information comprises:

deriving a master key based on the public key;

Deriving a KEK based on the master key.

5. The method of claim 4, wherein the key agreement private key information further comprises: a random private key of a key agreement standard; the key agreement public key information further includes: the key negotiates a standard random public key.

6. The method according to claim 2, wherein the method further comprises:

generating a Key Integrity Key (KIK);

based on the KIK, calculating a hash operation message authentication code HMAC of the key encryption information to obtain key integrity protection information;

7. The method of claim 6, wherein generating a key integrity key, KIK, comprises:

deriving a master key based on the public key;

8. The method of claim 2, wherein generating the transport encryption key TEK comprises:

and generating the TEK through a hardware true random number generator.

9. The method as recited in claim 2, further comprising:

Generating a transmission integrity key TIK;

acquiring policy information of a target virtual machine;

10. The method as recited in claim 2, further comprising:

generating a transmission integrity key TIK;

11. The method according to claim 9 or 10, wherein the generating a transmission integrity key, TIK, comprises:

12. The method of any one of claims 3-5, further comprising:

13. The method of claim 2, wherein the additional information further comprises:

a first random number generated by a hardware true random number generator; the first random number is used for encrypting at least the TEK in combination with the KEK to obtain the key encryption information; and/or the first random number is used for encrypting the snapshot content of the target virtual machine in combination with the TEK to obtain the encrypted snapshot content.

14. A method for virtual machine snapshot reading, applied to a secure processor, the method comprising:

restoring a Key Encryption Key (KEK), wherein the KEK is generated by a security processor based on key negotiation information, the key negotiation information comprises key negotiation private key information and key negotiation public key information, the key negotiation private key information at least comprises a security certificate private key of the security processor, and the key negotiation public key information at least comprises a security certificate public key of the security processor;

decrypting the key encryption information based on the KEK to obtain a transmission encryption key TEK;

15. The method as recited in claim 14, further comprising: acquiring additional information, wherein the additional information comprises at least one of the following information:

16. The method of claim 15, wherein the recovery key encryption key KEK comprises:

17. The method of claim 16, the key agreement private key information further comprising: a random private key of a key agreement standard; the key agreement public key information further includes: the key negotiates a standard random public key.

18. The method as recited in claim 15, further comprising:

recovering a Key Integrity Key (KIK);

based on the KIK, calculating a hash operation message authentication code HMAC of the key encryption information to obtain recalculated key integrity protection information;

19. The method of claim 18, wherein the recovering the key integrity key KIK comprises:

20. The method of claim 15, wherein the additional information further comprises policy information of the target virtual machine; the method further comprises the steps of:

recovering a transmission integrity key TIK;

21. The method as recited in claim 15, further comprising:

recovering a transmission integrity key TIK;

22. The method according to any of claims 20-21, wherein recovering the transmission integrity key, TIK, comprises:

23. The method of claim 15, wherein the additional information further comprises: a first random number; the first random number is used to decrypt the key encryption information in conjunction with the KEK and/or the first random number is used to decrypt the encrypted snapshot content in conjunction with the TEK.

24. The method as recited in claim 14, further comprising:

when the virtual machine platform checks that the snapshot head of the target virtual machine is not empty, unbinding the target virtual machine and the address space mark ASID of the target virtual machine based on the request of the virtual machine platform;

and/or after obtaining the snapshot content of the target virtual machine, encrypting the snapshot content by using the virtual machine encryption key VEK of the target virtual machine.

25. A virtual machine snapshot preservation device, for application to a secure processor, the device comprising:

the key generation module is used for generating a transmission encryption key TEK and generating a key encryption key KEK based on key negotiation information, wherein the key negotiation information comprises key negotiation private key information and key negotiation public key information, the key negotiation private key information at least comprises a security certificate private key of the security processor, and the key negotiation public key information at least comprises a security certificate public key of the security processor;

26. A virtual machine snapshot reading device, for application to a secure processor, the device comprising:

the recovery module is used for recovering a key encryption key KEK, the KEK is generated by the security processor based on key negotiation information, the key negotiation information comprises key negotiation private key information and key negotiation public key information, the key negotiation private key information at least comprises a security certificate private key of the security processor, and the key negotiation public key information at least comprises a security certificate public key of the security processor;

the key decryption module is used for decrypting the key encryption information based on the KEK to obtain a transmission encryption key TEK;

27. A secure processor configured to perform the virtual machine snapshot saving method of any of claims 1-13 and the virtual machine snapshot reading method of any of claims 14-24.