CN113703924A - Safe virtual machine system design method and system based on trusted execution environment


Info

Publication number: CN113703924A
Authority: CN (China)
Application number: CN202111109365.4A
Other languages: Chinese (zh)
Inventors: 糜泽羽, 李鼎基, 夏虞斌, 陈海波, 臧斌宇
Original assignee: Shanghai Jiaotong University
Current assignee: Shanghai Jiaotong University
Legal status: Pending

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2009/4557 Distribution of virtual machine instances; migration and load balancing
    • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention provides a method and a system for designing a secure virtual machine system based on a trusted execution environment. The method comprises the following steps: dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor; the normal world virtual machine monitor is responsible for basic management functions such as virtual machine scheduling, memory management and device management; when the normal world virtual machine monitor completes configuration, the trusted virtual machine is entered, which triggers a cross-world switch; the secure world virtual machine monitor is responsible for security checking and cooperatively ensures the availability and security of the trusted virtual machine; the secure world virtual machine monitor provides I/O functions for the trusted virtual machine using methods such as paravirtualization; and the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources. The invention makes full use of the existing TrustZone hardware feature of ARM and is transparent to the virtual machine, meaning that neither the underlying hardware nor the upper-layer virtual machine needs to be modified, which demonstrates the usability of the design.

Description

Safe virtual machine system design method and system based on trusted execution environment
Technical Field
The invention relates to the technical field of virtualization, and in particular to a method and system for designing a secure virtual machine system based on a trusted execution environment.
Background
The virtual machine monitor is an important piece of system software and runs at a higher privilege level than the virtual machines. Downward, it uniformly manages the underlying computing, storage and peripheral resources of the computer system; upward, it presents applications with a consistent abstraction of virtual machines and virtualizes the hardware resources (mainly the CPU, memory and I/O devices) for each virtual machine. It is one of the core components of cloud computing.
Trusted virtual machine technology uses the security isolation mechanism of the hardware to achieve strong isolation between different virtual machines, and therefore depends heavily on the isolation mechanism the hardware provides. Most trusted virtual machine technologies design a corresponding software isolation scheme in the upper layers on top of a hardware isolation mechanism. Available hardware security mechanisms include Intel TDX, AMD SEV and others. Intel TDX hardware provides memory isolation together with encrypted memory protection; in the TDX mechanism, a TDX module implemented in hardware monitors the interaction between the virtual machine monitor and the virtual machine. This protects the security of the virtual machine to a certain extent and can be used to provide trusted virtual machine services. However, Intel TDX requires extensive modifications to the virtual machine and supports only a limited number of trusted virtual machines, and the inconvenience of updating a hardware-implemented TDX module also makes it less flexible than other solutions.
With society's growing concern about personal information and data security, users place higher demands on cloud computing security, which has driven the wide application of trusted virtual machine technology in the cloud computing field. How to efficiently use existing hardware isolation mechanisms to provide highly available, high-performance trusted virtual machine services has become an important technical problem attracting attention in the industry.
A trusted execution environment is an important hardware security mechanism. For example, TrustZone is an important security extension of the ARM architecture, and it also has the capability to support virtualization within the trusted execution environment. It divides the processor state into the Normal World and the Secure World. The processor state, memory and peripherals of the normal world are isolated from the secure world; the secure world has its own exclusive memory and peripherals, which can only be accessed by programs running in the secure world. The normal world and the secure world each have several exception levels. In the normal world there are a user level, a kernel level and a virtualization level (EL0, EL1 and EL2 in ARMv8, respectively): user-mode programs run at the user level, the operating system kernel runs at the kernel level, and the virtual machine monitor runs at the virtualization level. The exception levels of the secure world are similar, with a user level and a kernel level (S-EL0 and S-EL1 in ARMv8): secure applications run at S-EL0 and the secure operating system runs at S-EL1. The SEL2 security extension newly released in ARMv8.4 adds a new exception level, S-EL2, to the secure world, which provides hardware support for implementing virtualization and running multiple virtual machines in the secure world. TrustZone is an important security mechanism of the ARM architecture and is widely used in mobile and embedded devices, but it was not designed for trusted virtual machine services.
One reason is that it statically partitions physical memory into a secure part and a non-secure part at boot time, and I/O devices are likewise statically partitioned into secure and non-secure devices. Such static partitioning creates great difficulties for operations such as dynamic creation, expansion, maintenance and migration of virtual machines.
A straightforward way to implement TrustZone-based secure virtual machine services is to re-implement a feature-rich virtual machine monitor at S-EL2. The amount of code needed for a full-featured virtual machine monitor is enormous, and that volume of code brings a large increase in the number of possible security vulnerabilities. For example, KVM and Xen, although rich in functionality and tested over time, have large code bases and a large number of security vulnerabilities, which is an unacceptable risk for trusted virtual machines. The reason is that in such a trusted virtual machine design all of this code belongs to the Trusted Computing Base (TCB), and a larger TCB tends to mean more security vulnerabilities.
Therefore, the invention proposes an innovative design in which the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to support trusted virtual machines. The normal world virtual machine monitor is called the N-Visor, the secure world virtual machine monitor is called the S-Visor, and a trusted virtual machine in the secure world is called an S-VM. For usability, the feature-rich and widely deployed N-Visor of the normal world is reused to provide functional support; for security, the patent places an S-Visor with a small TCB in the secure world to provide security checks. This design allows the N-Visor to keep evolving and being updated without affecting the security and reliability of the S-Visor.
At present, how to provide trusted virtual machine services using a trusted execution environment is a technical problem that urgently needs to be solved, and overcoming the various difficulties involved, including the limitations of the hardware mechanism, poses great challenges. This patent makes an innovative contribution to solving the lack of trusted virtual machine services based on a trusted execution environment and to the challenges encountered along the way.
Patent document CN101957900A (application number CN201010518992.9) discloses a trusted virtual machine platform comprising a hard disk (11), a USBKey (10) and a non-privileged virtual machine (6), and further comprising trusted hardware (1), a security-enhanced virtual machine monitor (2), a management virtual machine (3), a communication virtual machine (4) and a driver virtual machine (5). The security-enhanced virtual machine monitor (2) is bidirectionally connected to the trusted hardware (1) and to the management virtual machine (3). The management virtual machine (3), the driver virtual machine (5) and the communication virtual machine (4) are privileged virtual machines: the management virtual machine (3) creates, manages, destroys and migrates the other virtual machines; the driver virtual machine (5) provides the drivers required for running the virtual machines and manages the virtual trusted cryptographic module; and the communication virtual machine (4) is responsible for communication between the internal virtual machines and the virtual machine platform. However, that invention is not convenient to update and upgrade, and cannot achieve both security and functionality.
Patent document CN108509250A (application number CN201810078039.3) discloses an apparatus for securely executing consumer workloads in a public cloud environment with a protected guest that authenticates host control, the apparatus comprising a processor and a memory coupled to the processor. However, that invention is likewise not convenient to update and upgrade, and cannot achieve both security and functionality.
Patent document CN101246537A (application number CN200810102971.1) implements a method by which a trusted multitasking operating system measures and monitors the behaviour of untrusted operating systems. The trusted multitasking operating system consists of a trusted computing chip driver module, a trusted virtual machine module and a monitoring and measurement module. It runs one or more untrusted operating systems using the trusted virtual machine module; all system calls and other actions of applications on the untrusted operating systems are redirected by modifying the interrupt vector table and similar structures, and are then handled by the monitoring and measurement module of the trusted multitasking operating system, thereby measuring and monitoring the actions of the untrusted operating systems. The untrusted operating systems include various versions of Windows or Linux. However, that invention cannot achieve both security and functionality.
Disclosure of Invention
Aiming at the defects of the prior art, the invention aims to provide a method and a system for designing a secure virtual machine system based on a trusted execution environment.
The invention provides a method for designing a secure virtual machine system based on a trusted execution environment, comprising the following steps:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic management functions;
when the normal world virtual machine monitor completes configuration, the trusted virtual machine is entered, which triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checking and cooperatively ensures the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functions for the trusted virtual machine;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
Preferably, the trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment;
the management functions of the normal world virtual machine monitor comprise virtual machine scheduling, memory management and device management; while handling the various virtualization requests of the trusted virtual machine, the normal world virtual machine monitor modifies the state of the virtual machine, and the secure world virtual machine monitor checks the validity of the result before the modification takes effect, so that the secure world virtual machine monitor captures the sensitive operations of the normal world virtual machine monitor and logically holds a higher privilege level than the normal world virtual machine monitor.
Preferably, the fast cross-world switching comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; when the normal world virtual machine monitor completes configuration it needs to enter the trusted virtual machine, and the operation of entering the virtual machine triggers a cross-world switch;
reducing the number of registers that need to be saved and restored in a cross-world switch:
the general-purpose registers are saved to a physical memory page and loaded from that page after the switch from the normal world virtual machine monitor into the secure world virtual machine monitor;
the system registers use register inheritance: they are not saved and restored, so they remain unchanged before and after the cross-world switch.
Preferably, the secure world virtual machine monitor comprises:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor to provide I/O functions for the trusted virtual machine; the trusted virtual machine protects its I/O data with end-to-end encryption.
Preferably, cooperatively managing physical memory resources comprises:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure and non-secure memory is no longer statically divided at boot time.
The invention provides a system for designing a secure virtual machine system based on a trusted execution environment, comprising the following steps:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic management functions;
when the normal world virtual machine monitor completes configuration, the trusted virtual machine is entered, which triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checking and cooperatively ensures the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functions for the trusted virtual machine;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
Preferably, the trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment;
the management functions of the normal world virtual machine monitor comprise virtual machine scheduling, memory management and device management; while handling the various virtualization requests of the trusted virtual machine, the normal world virtual machine monitor modifies the state of the virtual machine, and the secure world virtual machine monitor checks the validity of the result before the modification takes effect, so that the secure world virtual machine monitor captures the sensitive operations of the normal world virtual machine monitor and logically holds a higher privilege level than the normal world virtual machine monitor.
Preferably, the fast cross-world switching comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; when the normal world virtual machine monitor completes configuration it needs to enter the trusted virtual machine, and the operation of entering the virtual machine triggers a cross-world switch;
reducing the number of registers that need to be saved and restored in a cross-world switch:
the general-purpose registers are saved to a physical memory page and loaded from that page after the switch from the normal world virtual machine monitor into the secure world virtual machine monitor;
the system registers use register inheritance: they are not saved and restored, so they remain unchanged before and after the cross-world switch.
Preferably, the secure world virtual machine monitor comprises:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor to provide I/O functions for the trusted virtual machine; the trusted virtual machine protects its I/O data with end-to-end encryption.
Preferably, cooperatively managing physical memory resources comprises:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure and non-secure memory is no longer statically divided at boot time.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention makes full use of the existing TrustZone hardware feature of ARM and is transparent to the virtual machine, meaning that neither the underlying hardware nor the upper-layer virtual machine needs to be modified, which demonstrates the usability of the design;
2. The invention balances security and functionality: it allows the reused, feature-rich normal world virtual machine monitor to keep iterating and evolving, while the secure world virtual machine monitor concentrates on a TCB that is kept small and secure;
3. Compared with a TDX module implemented in hardware, the S-Visor is decoupled from the hardware, so updating and upgrading are easier;
4. The structural design and technical points of the invention are applicable to similar architectures and have good generality.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of the steps of the present invention;
FIG. 2 is a flow chart of the present invention;
FIG. 3 is a schematic diagram of the system architecture for designing a secure virtual machine according to the present invention;
FIG. 4 is a schematic diagram of the process flow of the security isolation management step in the present invention;
FIG. 5 is a schematic diagram of the process of cooperative management of memory resources in the present invention;
FIG. 6 is a schematic diagram of the process flow of the fast cross-world switch in the present invention;
FIG. 7 is a schematic diagram of the procedure for secure virtualization of I/O devices in the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will help those skilled in the art to further understand the invention, but are not intended to limit it in any way. It should be noted that those skilled in the art could make various changes and modifications without departing from the spirit of the invention, all of which fall within the scope of the present invention.
Example 1:
According to the method for designing a secure virtual machine system based on a trusted execution environment provided by the present invention, as shown in FIG. 1 to FIG. 6, the method includes:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic scheduling, memory management and device management;
when the normal world virtual machine monitor completes configuration, the trusted virtual machine is entered, which triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checking and cooperatively ensures the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functions for the trusted virtual machine using methods such as paravirtualization;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
Specifically, the trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment;
while handling the various virtualization requests of the trusted virtual machine, the normal world virtual machine monitor modifies the state of the virtual machine, and the secure world virtual machine monitor checks the validity of the result before the modification takes effect, so that the secure world virtual machine monitor captures the sensitive operations of the normal world virtual machine monitor (such as maliciously modifying the register state of the secure virtual machine) and logically holds a higher privilege level than the normal world virtual machine monitor.
Specifically, the fast cross-world switching comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; when the normal world virtual machine monitor completes configuration it needs to enter the trusted virtual machine, and the operation of entering the virtual machine triggers a cross-world switch;
reducing the number of registers that need to be saved and restored in a cross-world switch:
the general-purpose registers are saved to a physical memory page and loaded from that page after the switch from the normal world virtual machine monitor into the secure world virtual machine monitor;
the system registers use register inheritance: they are not saved and restored, so they remain unchanged before and after the cross-world switch.
Specifically, the secure world virtual machine monitor includes:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor and provides I/O functions for the trusted virtual machine using methods such as paravirtualization; the I/O data of the trusted virtual machine is protected by end-to-end encryption.
Specifically, the cooperative management of physical memory resources includes:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure and non-secure memory is no longer statically divided at boot time.
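The validity check the S-Visor performs before an N-Visor modification takes effect, combined with the cooperative, dynamically tracked ownership of physical pages described above, as an added example written for this page (not code from the patent or its authors). The request types, the page-ownership table, the stage-2 map and the scrubbing-on-transfer rule are assumptions; every identifier is hypothetical.

```c
/* Added example (not code from the patent): a model of the S-Visor acting as
 * a reference monitor for N-Visor requests. The N-Visor proposes changes to
 * an S-VM's pages and stage-2 mappings; the S-Visor validates each request
 * against a page-ownership table before it takes effect, so the normal world
 * can manage resources without reading, aliasing or corrupting secure state.
 * Every page starts in the normal world and moves per request, i.e. there is
 * no static secure/non-secure boundary. All identifiers are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES  16   /* constructed: a tiny physical memory */
#define PAGE_SZ 64
#define NSVM    4

#define OWN_NORMAL (-1)                 /* page belongs to the normal world */
static int     page_owner[NPAGES];      /* >= 0: owned by that S-VM */
static uint8_t phys[NPAGES][PAGE_SZ];   /* constructed backing store */
static int     s2map[NSVM][NPAGES];     /* stage-2: gpa page -> pfn, -1 = unmapped */

enum op { OP_DONATE, OP_RECLAIM, OP_MAP_S2, OP_UNMAP_S2, OP_SET_GPR };
struct req { enum op op; int svm; int pfn; int gpa; int reg; uint64_t val; };
enum verdict { V_OK = 0, V_DENY_OWNER, V_DENY_MAPPED, V_DENY_SENSITIVE, V_DENY_RANGE };

void svisor_init(void) {
    for (int p = 0; p < NPAGES; p++) page_owner[p] = OWN_NORMAL;
    for (int v = 0; v < NSVM; v++)
        for (int g = 0; g < NPAGES; g++) s2map[v][g] = -1;
}

static int mapped_by(int svm, int pfn) {
    for (int g = 0; g < NPAGES; g++)
        if (s2map[svm][g] == pfn) return 1;
    return 0;
}

/* The S-Visor's validity check: may this N-Visor request take effect? */
enum verdict svisor_check(const struct req *r) {
    if (r->svm < 0 || r->svm >= NSVM || r->pfn < 0 || r->pfn >= NPAGES)
        return V_DENY_RANGE;
    switch (r->op) {
    case OP_DONATE:    /* a normal-world page becomes secure, owned by one S-VM */
        return page_owner[r->pfn] == OWN_NORMAL ? V_OK : V_DENY_OWNER;
    case OP_RECLAIM:   /* only the owner's unmapped pages may return to the normal world */
        if (page_owner[r->pfn] != r->svm) return V_DENY_OWNER;
        return mapped_by(r->svm, r->pfn) ? V_DENY_MAPPED : V_OK;
    case OP_MAP_S2:    /* stage-2 entries may only point at pages this S-VM owns */
        if (r->gpa < 0 || r->gpa >= NPAGES) return V_DENY_RANGE;
        return page_owner[r->pfn] == r->svm ? V_OK : V_DENY_OWNER;
    case OP_UNMAP_S2:
        if (r->gpa < 0 || r->gpa >= NPAGES) return V_DENY_RANGE;
        return s2map[r->svm][r->gpa] == r->pfn ? V_OK : V_DENY_MAPPED;
    case OP_SET_GPR:   /* the N-Visor must never write an S-VM's register state */
        return V_DENY_SENSITIVE;
    }
    return V_DENY_RANGE;
}

/* Apply a request only after the check passes; scrub pages that change world. */
enum verdict svisor_apply(const struct req *r) {
    enum verdict v = svisor_check(r);
    if (v != V_OK) return v;
    switch (r->op) {
    case OP_DONATE:
        memset(phys[r->pfn], 0, PAGE_SZ);  /* no normal-world content enters the S-VM */
        page_owner[r->pfn] = r->svm;
        break;
    case OP_RECLAIM:
        memset(phys[r->pfn], 0, PAGE_SZ);  /* no S-VM secrets leave the secure world */
        page_owner[r->pfn] = OWN_NORMAL;
        break;
    case OP_MAP_S2:   s2map[r->svm][r->gpa] = r->pfn; break;
    case OP_UNMAP_S2: s2map[r->svm][r->gpa] = -1;     break;
    default: break;
    }
    return V_OK;
}

/* Replay a constructed N-Visor request sequence; returns how many were denied. */
int demo(void) {
    svisor_init();
    const struct req seq[] = {
        { OP_DONATE,   0, 3, 0, 0, 0 },    /* ok: page 3 donated to S-VM 0 */
        { OP_MAP_S2,   0, 3, 0, 0, 0 },    /* ok: mapped at S-VM 0 gpa page 0 */
        { OP_DONATE,   1, 3, 0, 0, 0 },    /* denied: page 3 already owned by S-VM 0 */
        { OP_MAP_S2,   1, 3, 0, 0, 0 },    /* denied: S-VM 1 would alias S-VM 0's page */
        { OP_RECLAIM,  0, 3, 0, 0, 0 },    /* denied: still mapped inside S-VM 0 */
        { OP_SET_GPR,  0, 0, 0, 5, 0x41 }, /* denied: sensitive register write */
        { OP_UNMAP_S2, 0, 3, 0, 0, 0 },    /* ok: S-VM 0 releases the mapping */
        { OP_RECLAIM,  0, 3, 0, 0, 0 },    /* ok: page scrubbed and returned */
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (svisor_apply(&seq[i]) != V_OK) denied++;
    return denied;
}

int main(void) { printf("denied requests: %d\n", demo()); return 0; }
```

The check runs in the secure world on every request, so the N-Visor can keep its rich scheduling and memory management while the S-Visor's small TCB decides what may touch S-VM state.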
Example 2:
Example 2 is a preferred example of Example 1 and describes the invention in more detail.
Those skilled in the art will understand that the method for designing a secure virtual machine system based on a trusted execution environment provided by the invention is a specific implementation of the corresponding design system; that is, the system can be implemented by executing the steps of the method.
The invention provides a system for designing a secure virtual machine system based on a trusted execution environment, comprising:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic scheduling, memory management and device management;
a trusted virtual machine is entered when the normal world virtual machine monitor completes its configuration, and this entry triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checking, and the two monitors together guarantee the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functions to the trusted virtual machine by means such as paravirtualization;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
Specifically, the trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment;
the normal world virtual machine monitor modifies the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and the secure world virtual machine monitor checks the validity of each result before the modification takes effect; the secure world virtual machine monitor thereby captures the sensitive operations of the normal world virtual machine monitor and logically holds a higher privilege level than it.
Specifically, the fast cross-world switching comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; it must be entered when the normal world virtual machine monitor completes its configuration, and the entry operation triggers a cross-world switch;
reducing the number of registers that must be saved and restored in a cross-world switch:
the general-purpose registers are stored in a physical memory page and are loaded from that page after the normal world virtual machine monitor has switched into the secure world virtual machine monitor;
the system registers use register inheritance: they are neither saved nor restored, so they remain unchanged across the cross-world switch.
Specifically, the secure world virtual machine monitor includes:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor and provides I/O functions to the trusted virtual machine by means such as paravirtualization; the trusted virtual machine is protected by end-to-end encryption of its I/O data.
Specifically, the cooperative management of physical memory resources includes:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
Example 3:
Example 3 is a preferred example of Example 1 and describes the invention in more detail.
The overall aim of the invention is to provide a secure virtual machine service (also called a trusted virtual machine service) that guarantees the security of the virtual machine and gives it more comprehensive protection.
The basic working principle is to use trusted execution environment technology to divide the originally unified virtual machine management and security guarantee functions into two parts: a management part and a security part. The management part runs in the normal world and the security part runs in the secure world. Since these functions were originally implemented in a virtual machine monitor (hypervisor or VMM), we name the management part N-Visor and the security part S-Visor, taking the suffix of "hypervisor".
Separating the management and security functions brings benefits but also raises problems, such as the cooperative management of memory resources, the increased number of cross-world switches (the management and security functions must interact frequently through cross-world switching), and the control of secure devices from the normal world. The remaining steps of the invention solve these problems.
Specifically:
Memory resource cooperative management step: a mechanism such as a contiguous memory allocator places the secure memory in a contiguous physical memory interval, which satisfies the TrustZone limit on the number of secure memory regions, and the security attribute of physical memory can be adjusted dynamically according to the memory pressure of the secure world and the normal world respectively. Details are given in the detailed description of the invention.
Fast cross-world switching step: the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch. Frequent entries into and exits from the virtual machine therefore trigger frequent cross-world switches. Details are given in the summary and the detailed description of the invention.
Secure virtualization step for I/O devices: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor, and provides I/O functions to the S-VM by means such as paravirtualization.
Example 4:
Example 4 is a preferred example of Example 1 and describes the invention in more detail.
The invention provides a method for designing a secure virtual machine system based on a trusted execution environment, comprising the following steps:
Management-security separation step: the trusted virtual machine monitor is divided into two parts, a normal world virtual machine monitor (N-Visor) and a secure world virtual machine monitor (S-Visor). Trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment, also called the Normal World and the Secure World. This step splits the originally unified functions of the virtual machine monitor into a management function and a security function, with the N-Visor and the S-Visor playing the corresponding roles. The N-Visor is allowed to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and the S-Visor checks the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
Memory resource cooperative management step: the N-Visor and the S-Visor cooperate to dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
Fast cross-world switching step: a trusted virtual machine (S-VM) is a virtual machine that runs in the trusted execution environment. The S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine therefore trigger frequent cross-world switches. Virtual machine exits (traps to the monitor) are a major source of virtualization performance overhead, and because every S-VM exit must be switched across worlds to the N-Visor for handling, the speed of cross-world switching directly determines the overall performance of the S-VM.
Secure virtualization step for I/O devices: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor and provides I/O functions to the S-VM by means such as paravirtualization. The S-VM uses end-to-end encrypted I/O data protection, which is transparent to the S-VM and ensures that the N-Visor cannot obtain the plaintext of the I/O data.
Specifically, the management-security separation step includes: the S-Visor serves as the sole entry point for executing the trusted virtual machine; the N-Visor is allowed to freely configure the trusted virtual machine's registers and the state of its stage-2 (second-level) page table; the S-Visor checks the validity of the registers and the stage-2 page table before the configuration takes effect; and a shadow stage-2 page table ensures that the N-Visor cannot modify the memory range actually in use by the virtual machine.
Specifically, in the memory resource cooperative management step, a mechanism such as a contiguous memory allocator places the secure memory in a contiguous physical memory interval, which satisfies the TrustZone limit on the number of secure memory regions, and the security attribute of physical memory can be adjusted dynamically according to the memory pressure of the secure world and the normal world respectively.
Specifically, in the fast cross-world switching step, to reduce the overhead of cross-world switching, the general-purpose registers of the virtual CPU are saved in a physical page shared by the N-Visor and the S-Visor, avoiding the frequent saving and loading of these registers in the EL3 security monitor. The save and restore of these general-purpose registers is deferred: they are reloaded only after the S-Visor check completes and before the S-VM is actually entered. Register inheritance is also used to further avoid redundant saving and restoring of the EL1 and EL2 system registers.
Specifically, the secure virtualization step for I/O devices uses a shadow paravirtualized I/O mechanism, in which a shadow I/O ring and a shadow DMA buffer coordinate the N-Visor's and the S-VM's use of the I/O device. Because the I/O ring and DMA buffer created in the S-VM lie within secure memory and cannot be operated on directly by the N-Visor, the shadow paravirtualized I/O mechanism performs the intermediate communication and synchronization.
The invention provides a secure virtual machine system based on a trusted execution environment, comprising:
A management-security separation module: allows the N-Visor to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and uses the S-Visor to check the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
A memory resource cooperative management module: the N-Visor and the S-Visor jointly and dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
A fast cross-world switching module: the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine trigger frequent cross-world switches.
An I/O device secure virtualization module: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor, and I/O functions may be provided to the S-VM by means such as paravirtualization.
Specifically, the management-security separation module includes: the S-Visor serves as the sole entry point for executing the trusted virtual machine; the N-Visor is allowed to freely configure the trusted virtual machine's registers and the state of its stage-2 page table; the S-Visor checks the validity of the registers and the stage-2 page table before the configuration takes effect; and a shadow stage-2 page table ensures that the N-Visor cannot modify the memory range actually in use by the virtual machine.
Specifically, in the memory resource cooperative management module, a split contiguous memory allocator (Split CMA) places the secure memory in a contiguous physical memory interval, which satisfies the TrustZone limit on the number of secure memory regions, and the security attribute of physical memory can be adjusted dynamically according to the memory pressure of the secure world and the normal world respectively.
Specifically, in the fast cross-world switching module, to reduce the overhead of cross-world switching, the general-purpose registers of the virtual CPU are saved in a shared physical page, avoiding their frequent saving and loading. Register inheritance is also used to further avoid redundant saving and restoring of the EL1 and EL2 system registers.
Specifically, in the I/O device secure virtualization module, the invention designs a shadow PV I/O mechanism that uses a shadow I/O ring and a shadow DMA buffer to coordinate the N-Visor's and the S-VM's use of the I/O device. Because the I/O ring and DMA buffer created in the S-VM lie within secure memory and cannot be operated on directly by the N-Visor, the shadow PV I/O mechanism performs the intermediate communication and synchronization.
Example 5:
Example 5 is a preferred example of Example 1 and describes the invention more specifically.
As shown in fig. 1, the method for designing a secure virtual machine system based on a trusted execution environment provided by the invention includes:
First, management-security separation: the trusted virtual machine monitor is divided into two parts, a normal world virtual machine monitor (N-Visor) and a secure world virtual machine monitor (S-Visor). Trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment, also called the Normal World and the Secure World. The management-security separation step splits the originally unified functions of the virtual machine monitor into a management function and a security function, with the N-Visor and the S-Visor playing the corresponding roles. The N-Visor is allowed to modify the state of the virtual machine while handling each of the trusted virtual machine's virtualization requests, and the S-Visor checks the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
Second, cooperative management of memory resources: the traditional way of using TrustZone assumes that all hardware resources are statically partitioned at boot, which raises two problems: the security attribute of physical memory cannot be changed dynamically at page granularity, and the N-Visor cannot learn of dynamic changes to that attribute. The memory resource cooperative management step uses a contiguous memory allocator to solve both problems. Managing memory with a contiguous memory allocator keeps the secure memory as contiguous as possible, which satisfies the TrustZone hardware limit on the number of secure memory regions. Next, as shown in fig. 4, the contiguous memory allocator is divided in this step into two sub-parts, a normal memory part and a secure memory part, and the division between them is dynamic, so that a portion of memory can be converted from secure memory to normal memory and vice versa. Specifically, when memory pressure in the secure world rises, the contiguous memory allocator converts more normal memory into secure memory to meet the secure world's memory needs.
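The movable secure/normal boundary of this step, as an added C model that is not the patent's code: one contiguous region is split by a boundary index into a normal-world part and a secure-world part, so secure memory always stays a single contiguous interval while pages move between worlds as secure-world pressure rises or falls. The region size, the per-page bookkeeping, the one-byte stand-in for page contents and the scrub-on-release are assumptions about what such an allocator would do; a real implementation would migrate live CMA pages and reprogram the memory controller on every boundary move.

```c
/* Split CMA model: pages [0,boundary) belong to the normal world, [boundary,CMA_PAGES)
 * to the secure world. Constructed example, not the patent's code. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define CMA_PAGES 64                      /* region size in pages (assumed) */
enum world { NORMAL_WORLD = 0, SECURE_WORLD = 1 };

struct split_cma {
    bool used[CMA_PAGES];                 /* page currently allocated */
    uint8_t attr[CMA_PAGES];              /* world attribute as programmed into the memory controller */
    uint8_t data[CMA_PAGES];              /* one byte of stand-in page contents, to show scrubbing */
    unsigned boundary;                    /* first secure page */
};

void split_cma_init(struct split_cma *c, unsigned secure_pages) {
    memset(c, 0, sizeof *c);
    c->boundary = CMA_PAGES - secure_pages;
    for (unsigned i = c->boundary; i < CMA_PAGES; i++) c->attr[i] = SECURE_WORLD;
}

/* number of distinct contiguous secure runs; must stay within the hardware limit */
unsigned secure_region_count(const struct split_cma *c) {
    unsigned n = 0;
    for (unsigned i = 0; i < CMA_PAGES; i++)
        if (c->attr[i] == SECURE_WORLD && (i == 0 || c->attr[i - 1] != SECURE_WORLD)) n++;
    return n;
}

static bool all_free(const struct split_cma *c, unsigned from, unsigned to) {
    for (unsigned i = from; i < to; i++) if (c->used[i]) return false;
    return true;
}

/* secure-world pressure rises: move the boundary down by n free normal pages */
bool cma_grow_secure(struct split_cma *c, unsigned n) {
    if (n > c->boundary || !all_free(c, c->boundary - n, c->boundary)) return false;
    for (unsigned i = c->boundary - n; i < c->boundary; i++) c->attr[i] = SECURE_WORLD;
    c->boundary -= n;
    return true;
}

/* secure-world pressure drops: return n free secure pages to the normal world, scrubbed first */
bool cma_shrink_secure(struct split_cma *c, unsigned n) {
    if (c->boundary + n > CMA_PAGES || !all_free(c, c->boundary, c->boundary + n)) return false;
    for (unsigned i = c->boundary; i < c->boundary + n; i++) {
        c->data[i] = 0;                   /* wipe before the N-Visor can read the page */
        c->attr[i] = NORMAL_WORLD;
    }
    c->boundary += n;
    return true;
}

/* allocate n contiguous pages in world w; secure requests grow the secure part on demand.
 * Returns the first page index, or -1. */
int cma_alloc(struct split_cma *c, enum world w, unsigned n) {
    if (n == 0) return -1;
    unsigned lo = (w == SECURE_WORLD) ? c->boundary : 0;
    unsigned hi = (w == SECURE_WORLD) ? CMA_PAGES : c->boundary;
    for (unsigned start = lo; start + n <= hi; start++) {
        unsigned k = 0;
        while (k < n && !c->used[start + k]) k++;
        if (k == n) {
            for (k = 0; k < n; k++) c->used[start + k] = true;
            return (int)start;
        }
        start += k;                       /* skip past the used page that broke the run */
    }
    if (w == SECURE_WORLD && cma_grow_secure(c, n)) return cma_alloc(c, w, n);
    return -1;
}

void cma_free(struct split_cma *c, unsigned start, unsigned n) {
    for (unsigned i = start; i < start + n && i < CMA_PAGES; i++) c->used[i] = false;
}
```

Because pages only change world at the boundary, `secure_region_count` never exceeds one, which is what keeps the layout inside the TrustZone region limit; the scrub in `cma_shrink_secure` is the step a practitioner must not skip, since a page handed back to the normal world would otherwise carry secure-world contents.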
Third, fast cross-world switching: the N-Visor accesses the S-VM very frequently, each access requires a context switch, and this frequent, large-volume context switching is the main reason for the high overhead of cross-world switching. The switching procedure is shown in fig. 5. A context switch saves and restores registers, which fall into general-purpose registers and system control registers, so the design of the fast cross-world switching step also has two parts. First, the general-purpose registers are saved in the shared physical page: when the N-Visor triggers the call gate to enter the S-Visor, the EL3 security monitor no longer repeatedly saves and restores these registers; instead, after entering the S-Visor, the S-Visor loads the general-purpose register contents from the shared physical page into the real registers, and the loaded registers are security-checked before the S-VM is entered. Second, for the system control registers, this step uses register inheritance to further avoid redundant saving and restoring: the relevant system registers are not saved and restored at all, the switch is performed directly, and the world being switched to uses the unsaved registers as they are. Because both sides of the cross-world switch are at the exception level of the virtual machine monitor, the EL1 registers and part of the EL2 registers are not used, so omitting them causes no functional problem.
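The management-security separation step and the fast cross-world switching step, taken together as one added C model that is not the patent's code: the N-Visor writes the vCPU's general-purpose registers and the stage-2 mappings it proposes into a shared page; the S-Visor, as the sole entry path into the S-VM, validates them against the secure-memory interval and its own shadow stage-2 table before anything takes effect, and only then loads the registers. The secure-memory range, page size, structure layouts and the particular checks (alignment, secure backing, no remapping of memory already in use, no aliasing of one page under two guest addresses, PC inside mapped memory) are assumptions about what such a check would contain.

```c
/* S-Visor entry gate model. Constructed example, not the patent's code. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define NUM_GPRS   31
#define MAX_MAPS   16

/* the single secure-memory interval (assumed; TrustZone allows only a few such regions) */
static const uint64_t SECURE_BASE = 0x80000000ULL, SECURE_LEN = 0x10000000ULL;

struct s2_map { uint64_t ipa, pa; uint32_t npages; };   /* one stage-2 (IPA -> PA) mapping */

/* Shared physical page written by the N-Visor: the vCPU's general registers plus the
 * stage-2 updates it proposes. EL3 no longer saves and restores these registers on
 * every world switch; the S-Visor loads them from here once its checks pass. */
struct shared_page {
    uint64_t gprs[NUM_GPRS], pc;
    struct s2_map proposed[MAX_MAPS];
    unsigned nproposed;
};

struct s_visor {
    struct s2_map shadow[MAX_MAPS];   /* shadow stage-2 table: the memory the S-VM really uses */
    unsigned nshadow;
    struct shared_page *page;
};

enum gate_result { GATE_OK, GATE_UNALIGNED, GATE_NOT_SECURE, GATE_REMAP_IN_USE,
                   GATE_PA_ALIAS, GATE_BAD_PC, GATE_TOO_MANY };

static bool overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen) {
    return a < b + blen && b < a + alen;
}
static bool same_map(const struct s2_map *x, const struct s2_map *y) {
    return x->ipa == y->ipa && x->pa == y->pa && x->npages == y->npages;
}
static bool in_table(const struct s2_map *m, const struct s2_map *tbl, unsigned n) {
    for (unsigned i = 0; i < n; i++) if (same_map(m, &tbl[i])) return true;
    return false;
}
static bool covers(const struct s2_map *tbl, unsigned n, uint64_t addr) {
    for (unsigned i = 0; i < n; i++)
        if (overlaps(addr, 1, tbl[i].ipa, (uint64_t)tbl[i].npages << PAGE_SHIFT)) return true;
    return false;
}

/* one proposed mapping against the secure range and an existing table */
static enum gate_result check_map(const struct s2_map *m, const struct s2_map *tbl, unsigned n) {
    uint64_t len = (uint64_t)m->npages << PAGE_SHIFT;
    if (m->npages == 0 || ((m->ipa | m->pa) & (PAGE_SIZE - 1))) return GATE_UNALIGNED;
    if (len > SECURE_LEN || m->pa < SECURE_BASE || m->pa - SECURE_BASE > SECURE_LEN - len)
        return GATE_NOT_SECURE;             /* VM memory outside secure memory would be readable by the N-Visor */
    for (unsigned i = 0; i < n; i++) {
        uint64_t tlen = (uint64_t)tbl[i].npages << PAGE_SHIFT;
        if (same_map(m, &tbl[i])) continue;                                    /* harmless re-proposal */
        if (overlaps(m->ipa, len, tbl[i].ipa, tlen)) return GATE_REMAP_IN_USE; /* would swap memory under the VM */
        if (overlaps(m->pa, len, tbl[i].pa, tlen))   return GATE_PA_ALIAS;     /* one page under two IPAs */
    }
    return GATE_OK;
}

/* N-Visor side: queue a proposed mapping in the shared page */
bool propose(struct shared_page *pg, uint64_t ipa, uint64_t pa, uint32_t npages) {
    if (pg->nproposed >= MAX_MAPS) return false;
    pg->proposed[pg->nproposed++] = (struct s2_map){ ipa, pa, npages };
    return true;
}

/* The only entry path into the S-VM: validate everything, then commit and load registers. */
enum gate_result s_visor_gate(struct s_visor *sv, uint64_t gprs_out[NUM_GPRS], uint64_t *pc_out) {
    struct shared_page *pg = sv->page;
    unsigned fresh = 0;
    if (pg->nproposed > MAX_MAPS) return GATE_TOO_MANY;     /* the shared page is untrusted input */
    for (unsigned i = 0; i < pg->nproposed; i++) {
        enum gate_result r = check_map(&pg->proposed[i], sv->shadow, sv->nshadow);
        if (r == GATE_OK) r = check_map(&pg->proposed[i], pg->proposed, i);  /* against earlier proposals */
        if (r != GATE_OK) return r;                                          /* nothing has taken effect */
        if (!in_table(&pg->proposed[i], sv->shadow, sv->nshadow) && !in_table(&pg->proposed[i], pg->proposed, i))
            fresh++;
    }
    if (sv->nshadow + fresh > MAX_MAPS) return GATE_TOO_MANY;
    if (!covers(sv->shadow, sv->nshadow, pg->pc) && !covers(pg->proposed, pg->nproposed, pg->pc))
        return GATE_BAD_PC;                          /* register check: PC must be in memory the VM owns */
    for (unsigned i = 0; i < pg->nproposed; i++)     /* commit into the shadow table */
        if (!in_table(&pg->proposed[i], sv->shadow, sv->nshadow)) sv->shadow[sv->nshadow++] = pg->proposed[i];
    memcpy(gprs_out, pg->gprs, sizeof pg->gprs);      /* deferred GPR load from the shared page */
    *pc_out = pg->pc;
    pg->nproposed = 0;
    return GATE_OK;
}
```

All checks run before any commit, so a rejected batch leaves the shadow table and the vCPU registers untouched, which is what lets the N-Visor be free to write the shared page while the S-Visor keeps the higher effective privilege.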
Fourth, secure virtualization of I/O devices: the invention designs a shadow paravirtualized I/O mechanism, using a shadow I/O ring and a shadow DMA buffer to coordinate the N-Visor's and the S-VM's use of the I/O device. The device request handling flow is shown in fig. 6. Because the I/O ring and DMA buffer created in the S-VM lie within secure memory and cannot be operated on directly by the N-Visor, the shadow PV I/O mechanism performs the intermediate communication and synchronization. For example, when the front-end driver in the S-VM issues an I/O request, the S-Visor copies the request and the encrypted I/O data from secure memory to normal memory, that is, to a region the N-Visor can read and write, where the back-end driver in the N-Visor handles it. After the back-end driver completes the request, it modifies the I/O ring and DMA buffer in normal memory and triggers an interrupt; the S-Visor forwards the interrupt to the S-VM and synchronizes the modification of the I/O ring in normal memory into secure memory, so that the S-VM obtains the result.
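The request and completion flow of this step, as an added C model that is not the patent's code: the S-VM's ring and DMA buffer live in secure memory, the N-Visor's back end only ever sees a shadow copy in normal memory, and the S-Visor copies requests out and completions back in. The ring layout, the one-block "disk" behind the back end, and the stand-in XOR "cipher" are assumptions; the XOR is a placeholder for the guest's real end-to-end encryption, kept only so the model can show that the back end handles ciphertext. The check the S-Visor applies when syncing a completion back (opcode unchanged, length within the buffer, status from the allowed set) is also an assumption, added because the shadow ring is writable by the N-Visor.

```c
/* Shadow PV I/O model. Constructed example, not the patent's code. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define RING_SIZE 4
#define DMA_BUF   64
enum { IO_WRITE = 1, IO_READ = 2 };
enum { ST_PENDING = -1, ST_OK = 0, ST_ERR = 1 };

struct io_desc { uint32_t op, len; int32_t status; };
struct io_ring {
    struct io_desc desc[RING_SIZE];
    uint8_t dma[RING_SIZE][DMA_BUF];
    uint32_t head;     /* requests submitted */
    uint32_t fwd;      /* requests forwarded to the shadow (meaningful in the secure copy only) */
    uint32_t done;     /* completions delivered */
};

/* Stand-in for the guest's end-to-end encryption: a fixed XOR key held only by
 * the S-VM. Placeholder for demonstration, NOT a real cipher. */
static const uint8_t guest_key[8] = {0x5a,0x13,0xc4,0x8e,0x27,0xf0,0x6b,0x99};
static void guest_crypt(uint8_t *buf, uint32_t len) {
    for (uint32_t i = 0; i < len; i++) buf[i] ^= guest_key[i % sizeof guest_key];
}

/* S-VM front-end driver: encrypt and queue a request in the secure ring; returns the slot */
int frontend_submit(struct io_ring *sec, uint32_t op, const uint8_t *data, uint32_t len) {
    if (len > DMA_BUF || sec->head - sec->done >= RING_SIZE) return -1;
    uint32_t i = sec->head % RING_SIZE;
    sec->desc[i] = (struct io_desc){ op, len, ST_PENDING };
    if (op == IO_WRITE) { memcpy(sec->dma[i], data, len); guest_crypt(sec->dma[i], len); }
    sec->head++;
    return (int)i;
}

/* S-Visor: copy new descriptors and ciphertext into the shadow ring in normal memory.
 * Only the counters in secure memory are trusted; the shadow's counters are for the N-Visor. */
int svisor_forward(struct io_ring *sec, struct io_ring *shadow) {
    int n = 0;
    while (sec->fwd < sec->head) {
        uint32_t i = sec->fwd % RING_SIZE;
        if (sec->desc[i].len > DMA_BUF) return -1;          /* malformed guest descriptor */
        shadow->desc[i] = sec->desc[i];
        memcpy(shadow->dma[i], sec->dma[i], sec->desc[i].len);
        shadow->head = ++sec->fwd; n++;
    }
    return n;
}

/* N-Visor back-end driver: serve the shadow ring against a one-block disk image (ciphertext only) */
static uint8_t disk[DMA_BUF];
static uint32_t disk_len;
void backend_process(struct io_ring *shadow) {
    for (uint32_t s = shadow->done; s < shadow->head; s++) {
        uint32_t i = s % RING_SIZE;
        struct io_desc *d = &shadow->desc[i];
        if (d->status != ST_PENDING) continue;
        if (d->op == IO_WRITE) { memcpy(disk, shadow->dma[i], d->len); disk_len = d->len; d->status = ST_OK; }
        else if (d->op == IO_READ) { d->len = disk_len; memcpy(shadow->dma[i], disk, disk_len); d->status = ST_OK; }
        else d->status = ST_ERR;
    }
}
bool backend_saw_plaintext(const uint8_t *pt, uint32_t len) {
    return disk_len == len && memcmp(disk, pt, len) == 0;
}

/* S-Visor: on the back end's interrupt, validate each completion, sync it into secure memory
 * and forward the interrupt. Returns completions synced, or -1 if the N-Visor edited fields it must not. */
int svisor_sync_completions(struct io_ring *shadow, struct io_ring *sec) {
    int n = 0;
    while (sec->done < sec->fwd) {
        uint32_t i = sec->done % RING_SIZE;
        const struct io_desc *sd = &shadow->desc[i];
        struct io_desc *d = &sec->desc[i];
        if (sd->status == ST_PENDING) break;
        if (sd->op != d->op || sd->len > DMA_BUF || (d->op == IO_WRITE && sd->len != d->len) ||
            (sd->status != ST_OK && sd->status != ST_ERR))
            return -1;
        if (d->op == IO_READ && sd->status == ST_OK) memcpy(sec->dma[i], shadow->dma[i], sd->len);
        d->len = sd->len; d->status = sd->status;
        shadow->done = ++sec->done; n++;
    }
    return n;
}

/* S-VM front end: consume a completed read and decrypt it inside secure memory */
int frontend_complete_read(const struct io_ring *sec, uint32_t slot, uint8_t *out) {
    const struct io_desc *d = &sec->desc[slot];
    if (d->status != ST_OK) return -1;
    memcpy(out, sec->dma[slot], d->len);
    guest_crypt(out, d->len);
    return (int)d->len;
}
```

The S-Visor drives both copies from the counters in the secure ring and never reads the shadow's counters, so an N-Visor that rewrites `head` or `done` in normal memory can delay service but cannot make the S-Visor copy outside the ring or deliver a completion the guest never requested.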
On the basis of the design method for a secure virtual machine system based on a trusted execution environment, the invention also provides a secure virtual machine system based on a trusted execution environment, comprising:
A management-security separation module: allows the N-Visor to modify the state of the virtual machine while handling each of the trusted virtual machine's virtualization requests, and uses the S-Visor to check the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
A memory resource cooperative management module: the N-Visor and the S-Visor jointly and dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
A fast cross-world switching module: the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine trigger frequent cross-world switches.
An I/O device secure virtualization module: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor, and provides I/O functions to the S-VM by means such as paravirtualization.
Example 6:
Example 6 is a preferred example of Example 1 and describes the invention in more detail.
A method for designing a secure virtual machine system based on a trusted execution environment comprises the following steps:
Management-security separation step: using trusted execution environment technology, the trusted virtual machine monitor is divided into two parts, a normal world virtual machine monitor (N-Visor) and a secure world virtual machine monitor (S-Visor). Trusted execution environment technology divides the processor state into two states, a normal execution environment and a trusted execution environment, that is, the Normal World and the Secure World. The management-security separation step splits the originally unified functions of the virtual machine monitor into a management function and a security function, with the N-Visor responsible for management and the S-Visor responsible for security guarantees;
the N-Visor is allowed to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and the S-Visor checks the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
The N-Visor is responsible for basic functions such as scheduling, memory management and device management, and the S-Visor is responsible for security checking; together they guarantee the availability and security of the trusted virtual machine.
Memory resource cooperative management step: the N-Visor and the S-Visor cooperate to dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
Fast cross-world switching step: a trusted virtual machine (S-VM) is a virtual machine that runs in the trusted execution environment. The S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine therefore trigger frequent cross-world switches. Virtual machine exits (traps to the monitor) are a major source of virtualization performance overhead, and because every S-VM exit must be switched across worlds to the N-Visor for handling, the speed of cross-world switching directly determines the overall performance of the S-VM. A world switch is an operation that changes the processor state from one state to another. Cross-world operations change the processor state (normal world to secure world, or secure world to normal world) to provide isolation between different software modules. For example, to execute an operation in the secure world, the processor state must first be switched to the secure world before the operation can be performed; software in the normal world cannot perform the special operations of the secure world.
Secure virtualization step for I/O devices: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor and provides I/O functions to the S-VM by means such as paravirtualization. The S-VM uses end-to-end encrypted I/O data protection, which is transparent to the S-VM and ensures that the N-Visor cannot obtain the plaintext of the I/O data.
In the management-security separation step, the N-Visor is allowed to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and the S-Visor checks the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
In the memory resource cooperative management step, the N-Visor and the S-Visor cooperatively and dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
In the fast cross-world switching step, the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine trigger frequent cross-world switches. Virtual machine exits are a major source of virtualization performance overhead, and because every S-VM exit must be switched across worlds to the N-Visor for handling, the speed of cross-world switching directly determines the overall performance of the S-VM.
Cross-world switching involves saving and restoring registers, and the large number of register save and restore operations is the source of its overhead. Reducing the overhead of cross-world switching therefore means reducing the number of registers that must be saved and restored in the switch. Specifically, the improvement of the invention has two parts.
(1) General-purpose registers are registers for basic operations; they only hold data and do not affect functions such as system configuration. The invention reduces the number of general-purpose registers that must be saved in the cross-world switch by saving them in a physical memory page and loading them from that page after the N-Visor has switched into the S-Visor. In the native design these general-purpose registers are saved and restored frequently during cross-world switching, which greatly increases its overhead.
(2) System registers are registers used to manage the hardware configuration; modifying them changes hardware behaviour. For this part the invention uses register inheritance, that is, these registers are simply not saved and restored, so they remain unchanged across the cross-world switch. Because some system registers are used by neither the N-Visor nor the S-Visor before and after the switch, whether or not they are modified has no effect, and saving and restoring them is simply skipped.
In the secure virtualization step for I/O devices, the S-Visor fully reuses the I/O framework and device drivers of the N-Visor and provides I/O functions to the S-VM by means such as paravirtualization. The S-VM uses end-to-end encrypted I/O data protection, which is transparent to the S-VM and ensures that the N-Visor cannot obtain the plaintext of the I/O data.
A system for designing a secure virtual machine system based on a trusted execution environment, comprising:
A management-security separation module: allows the N-Visor to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and uses the S-Visor to check the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
A memory resource cooperative management module: the N-Visor and the S-Visor jointly and dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
A fast cross-world switching module: the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine trigger frequent cross-world switches.
An I/O device secure virtualization module: the S-Visor fully reuses the I/O framework and device drivers of the N-Visor, and provides I/O functions to the S-VM by means such as paravirtualization.
The management-security separation module allows the N-Visor to modify the state of the virtual machine while handling the trusted virtual machine's various virtualization requests, and uses the S-Visor to check the validity of each result before the modification takes effect, so that the S-Visor captures all sensitive operations of the N-Visor and logically holds a higher privilege level than the N-Visor.
In the memory resource cooperative management module, the N-Visor and the S-Visor cooperatively and dynamically manage all physical memory resources, so the boundary between secure memory and non-secure memory is no longer statically partitioned at the initial boot stage.
In the fast cross-world switching module, the S-VM must be entered when the N-Visor completes its configuration, and entering the virtual machine triggers a cross-world switch; frequent entries into and exits from the virtual machine trigger frequent cross-world switches. Virtual machine exits are a major source of virtualization performance overhead, and because every S-VM exit must be switched across worlds to the N-Visor for handling, the speed of cross-world switching directly determines the overall performance of the S-VM.
In the I/O device secure virtualization module, the S-Visor fully reuses the I/O framework and device drivers of the N-Visor and provides I/O functions to the S-VM by means such as paravirtualization. The S-VM uses end-to-end encrypted I/O data protection, which is transparent to the S-VM and ensures that the N-Visor cannot obtain the plaintext of the I/O data.
The technical scheme of the invention is presented on the basis of TrustZone technology, but the design is not limited to TrustZone and can be applied to any trusted execution environment with hardware virtualization capability. Various changes or modifications may be made by those skilled in the art within the scope of the claims without affecting the spirit of the invention.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus and their modules provided by the invention purely as computer-readable program code, the same procedures can be implemented entirely by logically programming the method steps into logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, apparatus and modules provided by the invention can be regarded as hardware components, and the modules included in them for implementing various programs can also be regarded as structures within the hardware component; modules for performing various functions may also be regarded both as software programs for performing the method and as structures within hardware components.
The foregoing has described specific embodiments of the invention. It is to be understood that the invention is not limited to the specific embodiments described above, and that those skilled in the art may make various changes or modifications within the scope of the appended claims without departing from the spirit of the invention. The embodiments and the features of the embodiments of the present application may be combined with each other arbitrarily where there is no conflict.

Claims (10)

1. A method for designing a secure virtual machine system based on a trusted execution environment, characterised by comprising the following steps:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic management functions;
when the normal world virtual machine monitor has completed configuration, the trusted virtual machine is entered, which triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checks and cooperatively ensures the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functionality for the trusted virtual machine;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
2. The method for designing a secure virtual machine system based on a trusted execution environment according to claim 1, wherein:
the trusted execution environment technology divides the processor state into two states, namely a normal execution environment and a trusted execution environment;
the management functions of the normal world virtual machine monitor comprise virtual machine scheduling, memory management and device management; while handling the various virtualization requests of the trusted virtual machine, the normal world virtual machine monitor modifies the state of the virtual machine, and the secure world virtual machine monitor checks the validity of the result before the modification takes effect, so that the secure world virtual machine monitor intercepts the sensitive operations of the normal world virtual machine monitor and is logically placed at a higher privilege level than the normal world virtual machine monitor.
3. The method for designing a secure virtual machine system based on a trusted execution environment according to claim 1, wherein said fast cross-world switch comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; it is entered once the normal world virtual machine monitor has completed configuration, and the operation of entering the virtual machine triggers a cross-world switch;
reducing the number of registers that must be saved and restored in a cross-world switch operation:
the general-purpose registers are saved to a physical memory page, and after the switch from the normal world virtual machine monitor into the secure world virtual machine monitor they are loaded from that physical memory page;
the system registers use register inheritance: they are neither saved nor restored, and so remain unchanged before and after the cross-world switch.
4. The method for designing a secure virtual machine system based on a trusted execution environment according to claim 1, wherein said secure world virtual machine monitor comprises:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor to provide I/O functionality for the trusted virtual machine; the trusted virtual machine protects its I/O data with end-to-end encryption.
5. The method for designing a secure virtual machine system based on a trusted execution environment according to claim 1, wherein said cooperative management of physical memory resources comprises:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure and non-secure memory is no longer statically partitioned at the initial boot stage.
6. A design system for a secure virtual machine system based on a trusted execution environment, comprising:
dividing the trusted virtual machine monitor into a normal world virtual machine monitor and a secure world virtual machine monitor:
the normal world virtual machine monitor is responsible for basic management functions;
when the normal world virtual machine monitor has completed configuration, the trusted virtual machine is entered, which triggers a cross-world switch;
the secure world virtual machine monitor is responsible for security checks and cooperatively ensures the availability and security of the trusted virtual machine;
the secure world virtual machine monitor provides I/O functionality for the trusted virtual machine;
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage physical memory resources.
7. The design system for a secure virtual machine system based on a trusted execution environment according to claim 6, wherein:
the trusted execution environment technology divides the processor state into two states, namely a normal execution environment and a trusted execution environment;
the management functions of the normal world virtual machine monitor comprise virtual machine scheduling, memory management and device management; while handling the various virtualization requests of the trusted virtual machine, the normal world virtual machine monitor modifies the state of the virtual machine, and the secure world virtual machine monitor checks the validity of the result before the modification takes effect, so that the secure world virtual machine monitor intercepts the sensitive operations of the normal world virtual machine monitor and is logically placed at a higher privilege level than the normal world virtual machine monitor.
8. The design system for a secure virtual machine system based on a trusted execution environment according to claim 6, wherein said fast cross-world switch comprises:
the trusted virtual machine is a virtual machine running in the trusted execution environment; it is entered once the normal world virtual machine monitor has completed configuration, and the operation of entering the virtual machine triggers a cross-world switch;
reducing the number of registers that must be saved and restored in a cross-world switch operation:
the general-purpose registers are saved to a physical memory page, and after the switch from the normal world virtual machine monitor into the secure world virtual machine monitor they are loaded from that physical memory page;
the system registers use register inheritance: they are neither saved nor restored, and so remain unchanged before and after the cross-world switch.
9. The design system for a secure virtual machine system based on a trusted execution environment according to claim 6, wherein said secure world virtual machine monitor comprises:
the secure world virtual machine monitor reuses the I/O framework and device drivers of the normal world virtual machine monitor to provide I/O functionality for the trusted virtual machine; the trusted virtual machine protects its I/O data with end-to-end encryption.
10. The design system for a secure virtual machine system based on a trusted execution environment according to claim 6, wherein said cooperative management of physical memory resources comprises:
the normal world virtual machine monitor and the secure world virtual machine monitor cooperate to dynamically manage all physical memory resources, so that the boundary between secure and non-secure memory is no longer statically partitioned at the initial boot stage.
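The following C model is an added illustration of claims 2 and 5 (and of the I/O arrangement in claims 4 and 9); it is not code from the patent or from the TwinVisor project. It models the secure world monitor (S-Visor) validating each stage-2 page-table update proposed by the normal world monitor (N-Visor) before it takes effect, using a per-page ownership table that lets pages move between the normal world and secure VMs at run time rather than being split statically at boot. All identifiers (svisor_*, OWNER_*, s2_update), the 64-page address space and the sample scenario are hypothetical; the hardware side (memory-firewall reprogramming, scrubbing of real memory) is only noted in comments.

```c
/* Added example, not the patent's own code: S-Visor checks on N-Visor stage-2
 * updates against a dynamic page-ownership table. All names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES   64   /* constructed toy physical address space, in pages */
#define MAX_SVMS 4

/* Page ownership changes at run time: no static secure/non-secure split at boot. */
enum owner { OWNER_NORMAL = 0, OWNER_SVISOR = 1, OWNER_SVM0 = 2 };

static uint8_t page_owner[NPAGES];         /* who owns each physical page */
static bool    page_shared[NPAGES];        /* S-VM page explicitly shared for I/O */
static int32_t s2_map[MAX_SVMS][NPAGES];   /* S-VM stage-2: IPA page -> PA page, -1 = unmapped */

typedef struct {
    uint8_t  vm_id;    /* which S-VM the N-Visor is configuring */
    uint32_t ipa_pfn;  /* guest-physical page number */
    uint32_t pa_pfn;   /* host-physical page number chosen by the N-Visor */
} s2_update;

void svisor_init(void)
{
    memset(page_owner, OWNER_NORMAL, sizeof page_owner);
    memset(page_shared, 0, sizeof page_shared);
    page_owner[0] = OWNER_SVISOR;   /* S-Visor's own page: never donated or mapped */
    for (int v = 0; v < MAX_SVMS; v++)
        for (int p = 0; p < NPAGES; p++)
            s2_map[v][p] = -1;
}

static bool owned_by_svm(uint32_t pa_pfn, uint8_t vm_id)
{
    return pa_pfn < NPAGES && vm_id < MAX_SVMS && page_owner[pa_pfn] == OWNER_SVM0 + vm_id;
}

/* N-Visor donates a normal-world page to S-VM vm_id. Only memory the normal world
 * currently owns may move; a real system scrubs the page and reprograms the memory
 * firewall here before the S-VM can touch it. */
bool svisor_donate_page(uint8_t vm_id, uint32_t pa_pfn)
{
    if (vm_id >= MAX_SVMS || pa_pfn >= NPAGES) return false;
    if (page_owner[pa_pfn] != OWNER_NORMAL) return false;
    page_owner[pa_pfn] = (uint8_t)(OWNER_SVM0 + vm_id);
    page_shared[pa_pfn] = false;
    return true;
}

/* Validity check the S-Visor runs before an N-Visor stage-2 update takes effect:
 * the PA must belong to this S-VM (not the S-Visor, the normal world or another
 * S-VM) and must not already be mapped at a second IPA (aliasing). */
bool svisor_check_s2_update(const s2_update *u)
{
    if (u->ipa_pfn >= NPAGES || !owned_by_svm(u->pa_pfn, u->vm_id)) return false;
    for (uint32_t p = 0; p < NPAGES; p++)
        if (p != u->ipa_pfn && s2_map[u->vm_id][p] == (int32_t)u->pa_pfn) return false;
    return true;
}

bool svisor_apply_s2_update(const s2_update *u)
{
    if (!svisor_check_s2_update(u)) return false;
    s2_map[u->vm_id][u->ipa_pfn] = (int32_t)u->pa_pfn;
    return true;
}

bool svisor_unmap_s2(uint8_t vm_id, uint32_t ipa_pfn)
{
    if (vm_id >= MAX_SVMS || ipa_pfn >= NPAGES) return false;
    s2_map[vm_id][ipa_pfn] = -1;
    return true;
}

/* The S-VM marks one of its pages as an I/O bounce buffer the normal world may read.
 * This is the only path by which the N-Visor sees S-VM memory, which is why the
 * S-VM encrypts I/O data end to end before placing it in such a page. */
bool svisor_share_page(uint8_t vm_id, uint32_t pa_pfn)
{
    if (!owned_by_svm(pa_pfn, vm_id)) return false;
    page_shared[pa_pfn] = true;
    return true;
}

/* Return a page to the normal world: it must be unmapped from the S-VM first and is
 * scrubbed so that no plaintext reaches the N-Visor. */
bool svisor_reclaim_page(uint8_t vm_id, uint32_t pa_pfn, uint8_t *page_bytes, size_t len)
{
    if (!owned_by_svm(pa_pfn, vm_id)) return false;
    for (uint32_t p = 0; p < NPAGES; p++)
        if (s2_map[vm_id][p] == (int32_t)pa_pfn) return false;
    if (page_bytes) memset(page_bytes, 0, len);
    page_owner[pa_pfn] = OWNER_NORMAL;
    page_shared[pa_pfn] = false;
    return true;
}

int  svisor_page_owner(uint32_t pa_pfn)  { return pa_pfn < NPAGES ? page_owner[pa_pfn] : -1; }
bool svisor_page_shared(uint32_t pa_pfn) { return pa_pfn < NPAGES && page_shared[pa_pfn]; }

int main(void)
{
    svisor_init();
    s2_update u = { .vm_id = 0, .ipa_pfn = 3, .pa_pfn = 5 };
    printf("donate PA5 to S-VM0: %d\n", svisor_donate_page(0, 5));
    printf("S-VM0 maps IPA3->PA5: %d\n", svisor_apply_s2_update(&u));
    u.vm_id = 1;   /* N-Visor tries to hand the same page to a second S-VM */
    printf("S-VM1 maps PA5: %d\n", svisor_apply_s2_update(&u));
    return 0;
}
```

The point of the model is that the N-Visor keeps every policy decision (which page to give to which VM, where to map it) while the S-Visor keeps the only copy of the ownership table and the S-VM stage-2 tables, so a compromised N-Visor can deny service but cannot map S-Visor memory, another S-VM's memory or an undonated normal-world page into a secure VM, and cannot reclaim a page that is still mapped. The aliasing check and the scrub on reclaim are the two checks that are easiest to forget and that a practitioner should test first.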
CN202111109365.4A 2021-09-22 2021-09-22 Safe virtual machine system design method and system based on trusted execution environment Pending CN113703924A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111109365.4A CN113703924A (en) 2021-09-22 2021-09-22 Safe virtual machine system design method and system based on trusted execution environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111109365.4A CN113703924A (en) 2021-09-22 2021-09-22 Safe virtual machine system design method and system based on trusted execution environment

Publications (1)

Publication Number Publication Date
CN113703924A true CN113703924A (en) 2021-11-26

Family

ID=78661453

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111109365.4A Pending CN113703924A (en) 2021-09-22 2021-09-22 Safe virtual machine system design method and system based on trusted execution environment

Country Status (1)

Country Link
CN (1) CN113703924A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114327791A (en) * 2022-03-03 2022-04-12 Alibaba Cloud Computing Co., Ltd. Virtualization-based trusted computing measurement method, device, equipment and storage medium
CN114491565A (en) * 2022-03-31 2022-05-13 Phytium Technology Co., Ltd. Firmware secure boot method and device, computing equipment and readable storage medium
CN117421118A (en) * 2023-10-27 2024-01-19 Hygon Information Technology Co., Ltd. Secure memory allocation, release and related configuration methods and devices
CN117494108A (en) * 2023-12-29 2024-02-02 Southern University of Science and Technology Trusted execution environment implementation method, computer equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130031374A1 (en) * 2011-07-29 2013-01-31 Microsoft Corporation Firmware-based trusted platform module for ARM processor architectures and TrustZone security extensions
CN106970823A (en) * 2017-02-24 2017-07-21 Shanghai Jiao Tong University Efficient secure virtual machine protection method and system based on nested virtualization
CN107038128A (en) * 2016-02-03 2017-08-11 Huawei Technologies Co., Ltd. Execution environment virtualization, and method and apparatus for accessing a virtual execution environment
CN108733455A (en) * 2018-05-31 2018-11-02 Shanghai Jiao Tong University Container isolation enhancement system based on ARM TrustZone
WO2018214850A1 (en) * 2017-05-22 2018-11-29 Huawei Technologies Co., Ltd. Method, apparatus and systems for accessing secure world
CN109522754A (en) * 2018-11-28 2019-03-26 Institute of Information Engineering, Chinese Academy of Sciences Core control method for a trusted isolation environment on a mobile terminal
CN110119302A (en) * 2019-04-23 2019-08-13 上海隔镜信息科技有限公司 Virtual machine monitor and method for constructing a virtual trusted execution environment
CN113239329A (en) * 2021-04-19 2021-08-10 Nanjing University System for implementing a trusted execution environment for mobile terminal applications

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130031374A1 (en) * 2011-07-29 2013-01-31 Microsoft Corporation Firmware-based trusted platform module for ARM processor architectures and TrustZone security extensions
CN107038128A (en) * 2016-02-03 2017-08-11 Huawei Technologies Co., Ltd. Execution environment virtualization, and method and apparatus for accessing a virtual execution environment
CN106970823A (en) * 2017-02-24 2017-07-21 Shanghai Jiao Tong University Efficient secure virtual machine protection method and system based on nested virtualization
WO2018214850A1 (en) * 2017-05-22 2018-11-29 Huawei Technologies Co., Ltd. Method, apparatus and systems for accessing secure world
CN108959916A (en) * 2017-05-22 2018-12-07 Huawei Technologies Co., Ltd. Methods, devices and systems for accessing the secure world
CN108733455A (en) * 2018-05-31 2018-11-02 Shanghai Jiao Tong University Container isolation enhancement system based on ARM TrustZone
CN109522754A (en) * 2018-11-28 2019-03-26 Institute of Information Engineering, Chinese Academy of Sciences Core control method for a trusted isolation environment on a mobile terminal
CN110119302A (en) * 2019-04-23 2019-08-13 上海隔镜信息科技有限公司 Virtual machine monitor and method for constructing a virtual trusted execution environment
CN113239329A (en) * 2021-04-19 2021-08-10 Nanjing University System for implementing a trusted execution environment for mobile terminal applications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DINGJI LI, ZEYU MI, YUBIN XIA et al.: "TwinVisor: Hardware-isolated Confidential Virtual Machines for ARM", SOSP '21, 29 October 2021 (2021-10-29) *

Similar Documents

Publication Publication Date Title
CN113703924A (en) Safe virtual machine system design method and system based on trusted execution environment
US10318322B2 (en) Binary translator with precise exception synchronization mechanism
Rosenblum et al. Virtual machine monitors: Current technology and future trends
US10255090B2 (en) Hypervisor context switching using a redirection exception vector in processors having more than two hierarchical privilege levels
US10162655B2 (en) Hypervisor context switching using TLB tags in processors having more than two hierarchical privilege levels
US9870248B2 (en) Page table based dirty page tracking
CN109522087B (en) Virtual mechanism building method and system based on domestic Shenwei processor
US8775715B2 (en) Protection of data from virtual machine clones via paravirtualization
CN104598294B (en) Efficient and safe virtualization method for mobile equipment and equipment thereof
CN107924325B (en) Apparatus and method for multi-level virtualization
CN111858004A (en) TEE expansion-based real-time application dynamic loading method and system for computer security world
US10019275B2 (en) Hypervisor context switching using a trampoline scheme in processors having more than two hierarchical privilege levels
CN112035272A (en) Method and device for interprocess communication and computer equipment
US11734048B2 (en) Efficient user space driver isolation by shallow virtual machines
EP4195020A1 (en) Computer device, abnormality processing method and interrupt processing method
US11301283B1 (en) Virtualization extension modules
US11573815B2 (en) Dynamic power management states for virtual machine migration
US10754796B2 (en) Efficient user space driver isolation by CPU page table switching
US11875145B2 (en) Virtual machine update while keeping devices attached to the virtual machine
WO2023123850A1 (en) Method and apparatus for implementing firmware root of trust, device, and readable storage medium
US10733005B1 (en) Providing access to mobile applications by heterogeneous devices
Xu et al. Condroid: a container-based virtualization solution adapted for android devices
US20220171846A1 (en) Labeled security for control flow inside executable program code
Poon et al. Bounding the running time of interrupt and exception forwarding in recursive virtualization for the x86 architecture
US11886351B2 (en) Memory efficient virtual address management for system calls

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination