CN114491544A - Method for realizing virtual trusted platform module and related device - Google Patents

Info

Publication number: CN114491544A
Authority: CN (China)
Prior art keywords: vtpm, request information, storage space, identifier, component
Legal status: Pending
Application number: CN202011353009.2A
Other languages: Chinese (zh)
Inventor: 张立肖
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Related publications: EP4216087A4 (EP21884358.9A), WO2022088615A1 (PCT/CN2021/086100), US20230267214A1 (US18/307,041)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method for realizing a virtual trusted platform module (vTPM), which is applied to a computer. The trusted execution environment of the computer runs a vTPM service component, and the rich execution environment of the computer runs a first Virtual Machine (VM) and a vTPM agent component. The method comprises the following steps: the vTPM service component acquires first request information from the vTPM agent component, wherein the first request information comprises an identifier of the first VM and is used for requesting execution of a TPM operation. The vTPM service component processes the first request information based on data in a first storage space, wherein the first storage space is the storage space in the trusted execution environment corresponding to the identifier of the first VM, and is used for storing TPM data of the first VM. By this method, data security can be ensured while TPM services are provided for multiple VMs.

Description

Method for realizing virtual trusted platform module and related device
The present application claims priority to the Chinese patent application entitled "A trusted platform module implementation method and related apparatus", filed with the Chinese Patent Office on 27/10/2020 under application number 202011159996.2, which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and a related apparatus for implementing a virtual Trusted Platform Module (vTPM).
Background
The Trusted Platform Module (TPM) is an international standard for secure cryptoprocessors. The standard provides for a dedicated microcontroller (secure hardware) integrated into a device to handle the device's cryptographic keys. A dedicated microcontroller conforming to the TPM standard is referred to as a TPM chip. A TPM chip is a small chip system that includes a cryptographic operation component and a storage component, and is used to securely store the information used to verify the security of a platform (e.g., a network device such as a personal computer), such as passwords, certificates, or encryption keys. Storing this information in the TPM chip effectively prevents unauthorized users from altering the sensitive information.
Because the TPM chip is logically simple, it cannot support virtualization, i.e., it cannot provide TPM services to multiple Virtual Machines (VMs) at the same time. Therefore, in the related art, a plurality of functional modules are virtualized in software, each having the functions of a TPM chip, so that TPM services can be provided to a plurality of VMs at the same time. A functional module implemented in software in this way is called a virtual Trusted Platform Module (vTPM) chip, or vTPM for short.
However, because the vTPM chip is obtained through software virtualization, its security is weaker than that of a hardware TPM chip, and it is difficult to ensure the security of its data.
Disclosure of Invention
The application provides a vTPM implementation method, which is used for ensuring data security on the basis of providing TPM services for a plurality of VMs.
The application provides a vTPM implementation method, which is applied to a computer. The trusted execution environment of the computer runs a vTPM service component, and the rich execution environment of the computer runs a first VM and a vTPM agent component. The method comprises the following steps: the vTPM service component acquires first request information from the vTPM agent component, wherein the first request information comprises an identifier of the first VM and is used for requesting execution of a TPM operation. For example, the vTPM service component acquires the first request information as passed on by the TrustZone Driver component in monitor mode, and the first request information requests a TPM operation such as generating a key, encrypting data, or decrypting data. Based on the identifier of the first VM in the first request information, the vTPM service component determines a first storage space corresponding to that identifier. The vTPM service component then processes the first request information based on data in the first storage space, wherein the first storage space is the storage space in the trusted execution environment corresponding to the identifier of the first VM, and is used for storing TPM data of the first VM.
In this scheme, the vTPM service component running in the trusted execution environment determines the corresponding storage space from the VM identifier in the acquired request information, and provides the TPM service for the VM with that identifier based on the data in that storage space, so that the vTPM service component can provide TPM services to different VMs from different storage spaces. Therefore, the security of the data in the vTPM can be ensured while TPM services are provided for a plurality of VMs.
Optionally, in an embodiment, the trusted execution environment of the computer further includes a second storage space, where the second storage space is used to store TPM data of a second VM in the computer, and the first storage space and the second storage space are storage spaces that do not overlap with each other. That is, a plurality of mutually isolated storage spaces are included in the trusted execution environment of the computer, and different storage spaces are used for storing TPM data of different VMs, so that the vTPM service component can provide TPM services for the VMs based on TPM data in the storage space uniquely corresponding to each VM.
Optionally, in an embodiment, the first request information further includes a command identifier and a parameter to be processed, and the command identifier indicates the type of TPM operation to be performed. The vTPM service component processing the first request information based on the data in the first storage space specifically includes: the vTPM service component processes the parameter to be processed based on the command identifier in the first request information and the data in the first storage space to obtain target data, and transmits the target data to the TrustZone Driver component, the destination of the target data being the vTPM agent component.
Optionally, in an embodiment, the parameters to be processed include a key handle and data to be encrypted. The vTPM service component calls a command call interface function to parse the first request information and obtain the command identifier and the parameters to be processed. The vTPM service component then encrypts the data to be encrypted with a key, as directed by the parsed command identifier, wherein the key is determined by the vTPM from the key handle. For example, the first request information includes a command identifier, a key handle and data to be encrypted, and the command identifier instructs an RSA encryption operation. Based on the key handle, the vTPM service component looks up the corresponding key in the first storage space. Finally, the vTPM service component encrypts the data to be encrypted with the key obtained from the first storage space, as directed by the command identifier, to obtain the target data.
Optionally, in an embodiment, the parameters to be processed include a key handle and data to be decrypted. The vTPM service component calls a command call interface function to parse the first request information and obtain the command identifier and the parameters to be processed. The vTPM service component then decrypts the data to be decrypted with a key, as directed by the command identifier, wherein the key is determined by the vTPM from the key handle.
Optionally, in an embodiment, before the vTPM service component processes the first request information based on the data in the first storage space, the method further includes: if no storage space corresponding to the identifier of the first VM exists in the trusted execution environment, the vTPM service component allocates a storage space for the identifier of the first VM in the trusted execution environment. The vTPM service component performs a TPM initialization operation on the data in the allocated storage space, so that the data in the allocated storage space is updated to TPM initialization data, and the allocated storage space serves as the first storage space corresponding to the identifier of the first VM. The vTPM service component performs the TPM initialization operation on the storage space as follows: it divides the storage space into a plurality of storage blocks, which are respectively used for storing data such as the platform seed, the endorsement seed, the storage seed, keys, or PCRs, and it updates the data in these storage blocks to obtain the TPM initialization data. For example, the vTPM service component updates the storage block holding the PCRs so as to assign each PCR its initialized value, i.e., the initial value of the PCR.
The corresponding storage space is distributed in the trusted execution environment for the identification of the VM by the vTPM service component, so that each VM can be guaranteed to have the corresponding storage space in the trusted execution environment, and the vTPM service component can provide TPM service for the plurality of VMs based on TPM data in different storage spaces.
Optionally, in an embodiment, the allocating, by the vTPM service component, a storage space for the identifier of the first VM in the trusted execution environment specifically includes: the vTPM service component looks up a storage space in volatile memory of the computer corresponding to the identification of the first VM. If the storage space corresponding to the identification of the first VM does not exist in the volatile memory, the vTPM service component allocates the corresponding storage space for the identification of the first VM in the volatile memory.
Optionally, in an embodiment, the first request information acquired by the vTPM service component is transmitted in a first session, where the first session is used to transmit information and/or target data for requesting execution of a TPM operation between the vTPM service component and the vTPM agent component, and the target data is data obtained after the vTPM service component executes the TPM operation. The method further comprises the following steps: after the first VM is started, the vTPM service component acquires second request information from the vTPM agent component, wherein the second request information comprises the identification of the first VM and is used for requesting to establish the first session. And the vTPM service component establishes a session according to the identification of the first VM, allocates a storage space in a volatile memory of the computer, and takes the allocated storage space as a first storage space. That is, after the VM boots, the vTPM service component is triggered to allocate storage space for the identity of the VM by a session establishment request passed by the vTPM agent component. Therefore, before the vTPM agent component acquires the TPM operation request, the corresponding storage space can be allocated for the identification of the VM in advance, and the efficiency of executing the TPM operation is improved.
Optionally, in an embodiment, the first session is a session corresponding to the identifier of the first VM, and the method further includes: the vTPM service component calls a session open interface function (TA_OpenSessionEntryPoint) according to the identifier of the first VM included in the second request information, so as to establish a first session corresponding to the identifier of the first VM and obtain an identifier of the first session. The vTPM service component transmits the identifier of the first session to the TrustZone Driver component in the rich execution environment of the computer, the destination of the identifier of the first session being the vTPM agent component. That is, the vTPM service component establishes the first session by calling the TA_OpenSessionEntryPoint function and returns the resulting identifier of the first session to the vTPM agent component.
Optionally, in an embodiment, the allocating, by the vTPM service component, a storage space in the volatile memory specifically includes: the vTPM service component looks up a storage space in non-volatile memory of the computer that corresponds to the identification of the first VM.
If a storage space corresponding to the identification of the first VM exists in the non-volatile memory, the vTPM service component allocates the storage space in the volatile memory, and copies data in the storage space corresponding to the identification of the first VM in the non-volatile memory to the allocated storage space. That is, after allocating storage space in volatile memory for the identification of the first VM, the vTPM service component does not need to perform TPM initialization operations on data in the allocated storage space, but rather copies data in storage space in non-volatile memory corresponding to the identification of the first VM to the allocated storage space. In this way, in the scenario of restarting the first VM, TPM data used by the first VM before restarting can be restored in the volatile memory, and normal operation of the first VM is guaranteed.
If the storage space corresponding to the identifier of the first VM does not exist in the nonvolatile memory, the first VM may be considered as being created for the first time or the TPM data corresponding to the first VM may be discarded. The vTPM service component allocates storage space in volatile memory and performs TPM initialization operations on data in the allocated storage space.
Optionally, in an embodiment, after the vTPM service component allocates the storage space in the volatile memory, the method further includes: the vTPM service component marks the allocated storage space with the identifier of the first VM, so that the vTPM service component can subsequently locate the corresponding storage space from the identifier of the first VM.
Optionally, in an embodiment, the method further includes: when the first VM is closed, the vTPM service component acquires third request information from the vTPM agent component. The third request information is transmitted in the first session, the third request information includes an identifier of the first VM, and the third request information is used for requesting to close the first session. And the vTPM service component determines the first storage space according to the identifier of the first VM contained in the third request message. The vTPM service component copies data of the first storage space to a third storage space, the third storage space being located in the non-volatile memory. Optionally, after copying data in the storage space in the volatile memory is completed, the vTPM service component discards the data in the storage space of the volatile memory, so as to recycle the storage space in the volatile memory and improve the utilization rate of the storage space in the volatile memory. By copying the TPM data corresponding to the identifier of the first VM into the nonvolatile memory when the first VM is closed, the TPM data corresponding to the first VM can be recovered when the first VM is restarted, and the normal operation of the first VM is ensured.
Optionally, in an embodiment, the first request information is passed by the TrustZone Driver component to the vTPM service component in the monitoring mode, and the TrustZone Driver component runs in a rich execution environment of the computer.
A second aspect of the present application provides a method for implementing a vTPM, including: the vTPM agent component acquires first request information from the first VM, wherein the first request information is used for requesting the vTPM service component to execute a TPM operation. The vTPM service component runs in a trusted execution environment of the computer, and the first VM runs in a rich execution environment of the computer. The vTPM agent component obtains an identifier of the first VM and adds it to the first request information to obtain second request information, which thus comprises the identifier of the first VM. The vTPM agent component transmits the second request information to the TrustZone Driver component running in the trusted execution environment of the computer, the destination of the second request information being the vTPM service component. By adding the identifier of the VM to the TPM operation request, the vTPM service component can determine the corresponding storage space from the identifier of the VM included in the request, and provide the TPM service for that VM based on the TPM data in that storage space.
Optionally, in an embodiment, the vTPM agent component adding the identifier of the first VM to the first request information includes: the vTPM agent component calls a command call function, which adds the identifier of the first VM to the first request information to obtain the second request information.
Optionally, in an embodiment, the method further includes: the vTPM agent component acquires third request information from the second VM, wherein the third request information is used for requesting execution of a TPM operation. The vTPM agent component obtains an identifier of the second VM and adds it to the third request information to obtain fourth request information, which comprises the identifier of the second VM. The vTPM agent component transmits the fourth request information to the TrustZone Driver component, the destination of the fourth request information being the vTPM service component.
Optionally, in an embodiment, the method further includes: the vTPM agent component acquires target data from the vTPM service component through the TrustZone Driver component, wherein the target data is the data obtained after the vTPM service component executes the TPM operation based on the second request information. The vTPM agent component passes the target data to the first VM.
Optionally, in an embodiment, the method further includes: when the first VM starts, the vTPM agent component obtains an identifier of the first VM and generates fifth request information, which is used for requesting establishment of a session with the vTPM service component and comprises the identifier of the first VM. The vTPM agent component transmits the fifth request information to the TrustZone Driver component, the destination of the fifth request information being the vTPM service component.
Optionally, in an embodiment, the method further includes: the vTPM agent component acquires sixth request information from the first VM, wherein the sixth request information is used for requesting closure of the session with the vTPM service component. The vTPM agent component obtains an identifier of the first VM and adds it to the sixth request information to obtain seventh request information, which comprises the identifier of the first VM. The vTPM agent component transmits the seventh request information to the TrustZone Driver component, the destination of the seventh request information being the vTPM service component.
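As an added illustration (not code from the patent or from Huawei), the following Python simulation ties together the first and second aspects above: the agent component tags each request with the VM identifier, and the service component keeps one storage space per identifier, initializes it on first use, restores it from non-volatile memory when the VM restarts, and persists it when the session is closed. PCR extend follows TPM 2.0 semantics; an HMAC under the handle-selected key stands in for the RSA encryption (the standard library has no RSA); class names, command names, handle numbering and the session-binding check are assumptions of this example.

```python
import copy
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PCR_COUNT = 4                 # constructed: a real TPM 2.0 bank has 24 PCRs
ZERO_DIGEST = b"\x00" * 32    # PCR value after the TPM initialization operation


@dataclass
class TpmState:
    """TPM data of one VM: seeds, keys and PCRs, held in its own storage space."""
    platform_seed: bytes
    endorsement_seed: bytes
    storage_seed: bytes
    keys: dict = field(default_factory=dict)    # key handle -> key material
    pcrs: list = field(default_factory=lambda: [ZERO_DIGEST] * PCR_COUNT)


def tpm_initialize() -> TpmState:
    """TPM initialization operation: fresh seeds, empty key store, zeroed PCRs."""
    return TpmState(os.urandom(32), os.urandom(32), os.urandom(32))


class VtpmService:
    """TEE side: every request is served from the storage space of its VM id."""

    def __init__(self):
        self.volatile = {}      # vm_id -> TpmState (first/second storage space)
        self.nonvolatile = {}   # vm_id -> TpmState (third storage space)
        self.sessions = {}      # session id -> vm_id the session was opened for
        self._next_session = 1

    def open_session(self, vm_id: str) -> int:
        """VM start: allocate volatile storage, restoring persisted data if any."""
        if vm_id not in self.volatile:
            saved = self.nonvolatile.get(vm_id)
            self.volatile[vm_id] = copy.deepcopy(saved) if saved else tpm_initialize()
        sid, self._next_session = self._next_session, self._next_session + 1
        self.sessions[sid] = vm_id
        return sid

    def close_session(self, sid: int) -> None:
        """VM shutdown: persist the VM's TPM data, then free the volatile copy."""
        vm_id = self.sessions.pop(sid)
        self.nonvolatile[vm_id] = self.volatile.pop(vm_id)

    def handle(self, req: dict):
        """Execute one TPM command; the session must belong to the VM id carried."""
        vm_id, cmd = req["vm_id"], req["cmd"]
        if self.sessions.get(req["session"]) != vm_id:
            raise PermissionError("session is not bound to this VM identifier")
        state = self.volatile[vm_id]          # this VM's storage space only
        if cmd == "PCR_EXTEND":               # PCR[i] = SHA-256(PCR[i] || digest)
            i = req["pcr"]
            state.pcrs[i] = hashlib.sha256(state.pcrs[i] + req["digest"]).digest()
            return state.pcrs[i]
        if cmd == "PCR_READ":
            return state.pcrs[req["pcr"]]
        if cmd == "CREATE_KEY":               # constructed handle numbering
            handle = 0x81000000 + len(state.keys)
            # derived from this VM's own storage seed, so keys never cross VMs
            state.keys[handle] = hmac.new(state.storage_seed,
                                          handle.to_bytes(4, "big"), "sha256").digest()
            return handle
        if cmd == "HMAC":   # keyed operation by handle; stand-in for the RSA encrypt
            key = state.keys.get(req["key_handle"])
            if key is None:
                raise KeyError("key handle not found in this VM's storage space")
            return hmac.new(key, req["data"], "sha256").digest()
        raise ValueError(f"unknown command {cmd}")


class VtpmAgent:
    """REE side: adds the VM identifier to the request before forwarding it."""

    def __init__(self, service: VtpmService):
        self.service = service    # direct call stands in for the TrustZone Driver hop

    def forward(self, vm_id: str, session: int, request: dict):
        return self.service.handle(dict(request, vm_id=vm_id, session=session))


def demo():
    """Two VMs: PCR isolation, and persistence of vm-1's PCR across a restart."""
    svc = VtpmService()
    agent = VtpmAgent(svc)
    s1, s2 = svc.open_session("vm-1"), svc.open_session("vm-2")
    agent.forward("vm-1", s1, {"cmd": "PCR_EXTEND", "pcr": 0, "digest": b"\x11" * 32})
    pcr1 = agent.forward("vm-1", s1, {"cmd": "PCR_READ", "pcr": 0})
    pcr2 = agent.forward("vm-2", s2, {"cmd": "PCR_READ", "pcr": 0})   # untouched
    svc.close_session(s1)                 # vm-1 shuts down: data goes to NV
    restored = agent.forward("vm-1", svc.open_session("vm-1"),
                             {"cmd": "PCR_READ", "pcr": 0})   # restored from NV
    return pcr1, pcr2, restored
```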
A third aspect of the present application provides a computer system on which a trusted execution environment and a rich execution environment run; the trusted execution environment runs a vTPM service component, and the rich execution environment runs a first VM and a vTPM agent component. The vTPM agent component is used for acquiring first request information from the first VM, acquiring an identifier of the first VM, adding the identifier of the first VM to the first request information to obtain second request information, and transmitting the second request information to the TrustZone Driver component, wherein the first request information is used for requesting the vTPM service component to execute a TPM operation, the second request information comprises the identifier of the first VM, and the destination of the second request information is the vTPM service component. The vTPM service component is used for acquiring the second request information through the TrustZone Driver component and processing it based on data in a first storage space, wherein the first storage space is the storage space in the trusted execution environment corresponding to the identifier of the first VM, and is used for storing TPM data of the first VM.
Optionally, in an embodiment, the trusted execution environment further includes a second storage space, where the second storage space is used to store TPM data of a second VM, and the first storage space and the second storage space are storage spaces that do not overlap with each other.
Optionally, in an embodiment, the second request information further includes a command identifier and a parameter to be processed, and the command identifier indicates the type of TPM operation to be performed. The vTPM service component is further used for processing the parameter to be processed based on the command identifier in the second request information and the data in the first storage space to obtain target data, and for transmitting the target data to the TrustZone Driver component, the destination of the target data being the vTPM agent component. The vTPM agent component is further configured to obtain the target data and pass it to the first VM.
Optionally, in an embodiment, the parameters to be processed include a key handle and data to be encrypted. The vTPM service component is further used for calling the command call interface function to obtain the command identifier and the parameters to be processed in the second request information, and for encrypting the data to be encrypted with a key according to the command identifier, wherein the key is determined by the vTPM from the key handle.
Optionally, in an embodiment, the parameters to be processed include a key handle and data to be decrypted. The vTPM service component is further used for calling the command call interface function to obtain the command identifier and the parameters to be processed in the second request information, and for decrypting the data to be decrypted with a key according to the command identifier, wherein the key is determined by the vTPM from the key handle.
Optionally, in an embodiment, the vTPM agent component is further configured to obtain third request information from the second VM, where the third request information is used to request to perform a TPM operation. The vTPM agent component is further configured to obtain an identifier of the second VM, add the identifier of the second VM to the third request information, and obtain fourth request information, where the fourth request information includes the identifier of the second VM. The vTPM agent component is also used for transmitting fourth request information to the TrustZone Driver component, and the destination of the fourth request information is a vTPM service component. The vTPM service component is used for acquiring fourth request information through the TrustZone Driver component and processing the fourth request information based on data in a second storage space, wherein the second storage space is a storage space corresponding to the identifier of the second VM in the trusted execution environment, and the second storage space is used for storing TPM data of the second VM.
Optionally, in an embodiment, if there is no storage space corresponding to the identifier of the first VM in the trusted execution environment, the vTPM service component is further configured to allocate a storage space to the identifier of the first VM in the trusted execution environment, and perform a TPM initialization operation on data in the allocated storage space, so that the data in the allocated storage space is updated to TPM initialization data, and the allocated storage space is used as the first storage space.
Optionally, in an embodiment, the vTPM service component is further configured to look up a storage space corresponding to the identifier of the first VM in a volatile memory of the computer, and allocate the storage space in the volatile memory if the storage space corresponding to the identifier of the first VM does not exist in the volatile memory.
Optionally, in an embodiment, the second request information is transmitted in a first session, where the first session is used to transmit information and/or target data for requesting to perform the TPM operation between the vTPM service component and the vTPM agent component, and the target data is data obtained after performing the TPM operation. The vTPM agent component is further configured to, when the first VM is started, obtain an identifier of the first VM, generate fifth request information, where the fifth request information includes the identifier of the first VM, and transmit the fifth request information to the TrustZone Driver component, where the fifth request information is used to request establishment of a first session, and a destination of the fifth request information is a vTPM service component. The vTPM service component is further used for acquiring fifth request information through the TrustZone Driver component, and allocating a storage space in a volatile memory of the computer by the vTPM service component, wherein the allocated storage space is used as a first storage space.
Optionally, in an embodiment, the first session is a session corresponding to the identifier of the first VM, and the vTPM service component is further configured to call a session open interface function according to the identifier of the first VM included in the fifth request information, so as to establish the first session corresponding to the identifier of the first VM and obtain an identifier of the first session. The vTPM service component is further used for transmitting the identifier of the first session to the TrustZone Driver component, the destination of the identifier of the first session being the vTPM agent component.
Optionally, in an embodiment, the vTPM agent component is further configured to obtain sixth request information from the first VM, where the sixth request information is used to request to close the first session, obtain an identifier of the first VM, and add the identifier of the first VM to the sixth request information, so as to obtain seventh request information, where the seventh request information includes the identifier of the first VM, and transmit the seventh request information to the TrustZone Driver component, and a destination of the seventh request information is a vTPM service component; the vTPM service component is further configured to acquire sixth request information, determine a first storage space according to an identifier of the first VM included in the sixth request information, and copy data of the first storage space to a third storage space, where the third storage space is located in the nonvolatile memory.
Optionally, in an embodiment, the second request information is passed by the TrustZone Driver component to the vTPM service component in the monitoring mode, and the TrustZone Driver component runs in a rich execution environment of the computer.
A fourth aspect of the present application provides a computer, comprising: a processor, a non-volatile memory, and a volatile memory; wherein the non-volatile memory or the volatile memory has stored therein computer readable instructions; the processor reads the computer readable instructions to cause the computer to implement a method as in any one of the embodiments of the first or second aspect.
A fifth aspect of the present application provides a computer-readable storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform a method as in any one of the embodiments of the first or second aspect.
A sixth aspect of the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of any one of the embodiments of the first or second aspect.
A seventh aspect of the present application provides a chip comprising one or more processors. Some or all of the processors are used to read and execute a computer program stored in a memory so as to perform the method in any possible implementation of any one aspect. Optionally, the chip further comprises the memory, and the processor is connected to the memory through a circuit or a wire. Optionally, the chip further includes a communication interface, and the processor is connected to the communication interface. The communication interface is used to receive data and/or information that needs to be processed; the processor acquires the data and/or information from the communication interface, processes it, and outputs the processing result through the communication interface. Optionally, the communication interface is an input-output interface. The method provided by the application is implemented by one chip or by a plurality of chips in a coordinated manner.
Drawings
Fig. 1 is a schematic structural diagram of a TPM provided in an embodiment of the present application;
Fig. 2 is a schematic diagram of a system software layer related to TrustZone technology provided in an embodiment of the present application;
Fig. 3 is a diagram illustrating a system architecture according to an embodiment of the present application;
Fig. 4 is a block diagram of a computer system according to an embodiment of the present disclosure;
Fig. 5 is a flowchart illustrating a method 500 for implementing a vTPM according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of a method for allocating a storage space by a vTPM service component according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of another method for allocating a storage space by a vTPM service component according to an embodiment of the present application;
Fig. 8 is a schematic flowchart of closing a session by a vTPM service component according to an embodiment of the present application;
Fig. 9 is a block diagram of a computer system according to an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of a computer according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the embodiments of the present application are described below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. As those skilled in the art will appreciate, with the emergence of new application scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
A TPM chip is a small chip system with cryptographic operation and storage components that securely stores the information used to verify the security of a platform (e.g., a network device such as a personal computer), such as passwords, certificates, or encryption keys. Through a built-in algorithm, the TPM chip generates a trusted key, and the confidentiality and integrity of the root key and other sensitive data are ensured by means of a Non-Volatile Random Access Memory (NVRAM) and a Storage Root Key (SRK).
Referring to fig. 1, fig. 1 is a schematic structural diagram of a TPM chip according to an embodiment of the present disclosure. As shown in fig. 1, a TPM chip typically includes, but is not limited to, the following modules: a key generator, an asymmetric key engine, a symmetric key engine, a hash engine, a random number generator, an authorization module, non-volatile memory, and volatile memory. These modules may be introduced as follows.
Key generator: used to generate keys within the hardware boundary of the TPM chip and to protect the security of those keys.
Asymmetric key engine: used to perform encryption and decryption with asymmetric keys.
Symmetric key engine: used to perform encryption and decryption with symmetric keys.
Hash engine: used to perform a secure hash operation on input data and output the digest.
Random number generator: a true random number generator implemented in hardware.
Authorization module: an access control module used to control access to entities in the TPM chip and to provide access security guarantees when the TPM chip is accessed.
Non-volatile memory: used to store data that needs to persist, such as keys, random number seeds or certificates.
Volatile memory: memory whose contents are lost on power-down; used to store runtime temporary data such as Platform Configuration Registers (PCRs) or sessions.
Because the logic of the TPM chip is simple, the TPM chip cannot support virtualization, that is, the TPM chip cannot provide TPM services for multiple VMs at the same time, which makes it difficult to apply the TPM chip in a variety of cloud scenarios. A VM is a tightly isolated software container that contains an operating system and applications, and each VM is completely independent. Through virtualization technology, multiple VMs can run on the hardware resources of one physical server. In the related art, a plurality of functional modules are virtualized through software, and each functional module has the function of a TPM chip, so that TPM services can be provided for a plurality of VMs at the same time. The functional modules implemented virtually by software are called vTPM chips, or simply vTPMs. However, since the vTPM chip is obtained through software virtualization, its security is poor compared with a hardware TPM chip, and it is difficult to ensure the security of the data.
In view of this, the embodiments of the present application provide a method for implementing a vTPM. The vTPM service component running in the trusted execution environment determines a corresponding storage space according to the identification of the VM, and provides TPM service for the VM based on data in the storage space corresponding to the VM, so that the vTPM service component can provide TPM service for different VMs based on different storage spaces. Therefore, the safety of data in the vTPM can be ensured on the basis of providing TPM services for a plurality of VMs.
For ease of understanding, some technical terms related to the embodiments of the present application will be described below.
In the related art, in order to provide a secure operating environment for applications or components in a computer, ARM processors introduced the TrustZone technology. An ARM processor supporting TrustZone divides its working state at runtime into two types: a secure state and a non-secure state, also referred to as the secure world state and the normal world state. A general operating system and most applications run in the normal world state; development resources in the normal world state are rich relative to the secure world state, so the normal world state is generally called the Rich Execution Environment (REE). The trusted operating system runs in the secure world state, which is usually called the Trusted Execution Environment (TEE).
When the processor is in the secure state, it can run only code on the trusted execution environment side, and it also has access rights to the address space on the rich execution environment side. When the processing core is in the non-secure state, it can run only code on the rich execution environment side, and it can obtain only specific data in the trusted execution environment side and call only specific functions, through a predefined client interface.
Referring to fig. 2, fig. 2 is a schematic diagram of a system software layer related to TrustZone technology according to an embodiment of the present application. As shown in fig. 2, processors have different Exception Levels (EL) at runtime. User mode is denoted by EL0; privileged mode is denoted by EL1; Hyp mode, the mode for implementing virtualization technology, is denoted by EL2; and Monitor mode is denoted by EL3. The system can switch between the secure state and the non-secure state only in Monitor mode.
Referring to fig. 3, fig. 3 is a schematic diagram of a system architecture according to an embodiment of the present disclosure. As shown in fig. 3, the system architecture includes a trusted execution environment and a rich execution environment. The trusted execution environment is provided specifically for high-security, sensitive applications, and the confidentiality and integrity of the resources and data of those applications can be guaranteed. The general rich execution environment is provided for legacy operating systems and for general-purpose applications. An application executed on the rich execution environment side is called a Client Application (CA), such as a third-party payment application or a banking application. An application executed on the trusted execution environment side is called a Trusted Application (TA), and is an application that performs key services such as signing and encryption/decryption calculations.
Since the TA runs in the trusted execution environment, the deployment/upgrade operations of the TA need to strictly comply with the security verification specification of the trusted execution environment issuer, for example, using measures such as digital signature to ensure that each link of the trusted execution environment is truly trusted. The trusted execution environment includes a trusted execution environment Internal application programming interface (TEE Internal API) and a trusted operating system component. The main roles of the TEE Internal API are: the functions of providing trusted operating system components upwards, communicating with the client application CA, enabling TA to communicate with the TA, and providing secure storage, cryptographic functions and time, etc. The trusted operating system component mainly comprises a trusted core framework, a trusted function, a trusted kernel and a trusted execution environment TEE communication agent. Wherein the trusted core framework provides operating system-like functionality for the TA. The trusted functionality provides support capabilities for application developers. The trusted kernel is used for interacting with trusted devices in the platform hardware. The trusted execution environment communication agent provides a secure communication channel for the TA and CA. For example, the trusted execution environment communication agent passes messages to the rich execution environment communication agent through the platform hardware, enabling interaction of the TA and CA.
The rich execution environment includes a trusted execution environment Client application programming interface (TEE Client API), a trusted execution environment function application programming interface (TEE Functional API), and a multimedia operating system. The multimedia operating system components mainly include common device drivers and rich execution environment communication agents. The rich execution environment communication agent is used for communicating with the trusted execution environment and providing a safe communication channel for the CA and the TA. The common device driver is used to drive a common device in the platform hardware. The CA uses the TEE Client API, the TEE Functional API to access the security services provided by the TA.
Having described some technical terms related to the embodiments of the present application, the following describes a computer system and a method for implementing a vTPM provided by the embodiments of the present application.
Fig. 4 is a schematic structural diagram of a computer system according to an embodiment of the present disclosure. As shown in fig. 4, a rich execution environment and a trusted execution environment are included in the computer system. In the rich execution environment, a VM, a vTPM Driver component (vTPM Driver), a vTPM Proxy component (vTPM Proxy), a trusted space Driver component (TrustZone Driver), and a HOST operating system (HOST OS) are running. Optionally, one or more VMs are run in the rich execution environment, each VM runs one vTPM driver component, and the vTPM driver component in each VM communicates with the vTPM agent component corresponding to the VM. Alternatively, each VM runs one vTPM driver component, and the rich execution environment runs only one vTPM agent component, which communicates with multiple vTPM driver components. In the trusted execution environment, a trusted execution environment operating system (TEE OS) and a vTPM Service component (vTPM Service) are running. Where a component refers to a self-contained, programmable, reusable, and language independent software unit. The vTPM driver component, the vTPM agent component and the trusted space driver component are software units.
Based on the computer system shown in fig. 4, an embodiment of the present application provides a method for implementing a vTPM, as shown in fig. 5. Fig. 5 is a flowchart illustrating a method 500 for implementing a vTPM according to an embodiment of the present application. As shown in fig. 5, the method 500 includes the following steps 501 to 510.
Step 501, the VM transmits first request information to the vTPM driver component, where a destination of the first request information is a vTPM service component.
In this embodiment, an Application (APP) runs in the VM. The APP is for example a key management component or a payment component. In the running process of the APP, the APP needs to access the vTPM service component to request the vTPM service component to execute TPM operations such as encrypting data or decrypting data. When the APP needs to access the vTPM, the VM generates first request information for requesting the vTPM service component to execute TPM operation, and transmits the first request information to the vTPM driving component. The destination of the first request message is the vTPM service component.
Optionally, the TPM operation that the first request information is used to request to be executed includes, but is not limited to, generating a key, encrypting data, decrypting data, or performing a hash operation on data, and the like.
In one possible example, when the APP needs to request the vTPM service component to generate a key so that the APP can subsequently encrypt or decrypt data based on the generated key, the VM calls a key generation function and inputs parameters such as the type of key that needs to be generated. The key generation function combines the parameters entered by the VM into a TPM command byte stream. The TPM command byte stream includes a first command identification to instruct execution of a key generation operation.
In another possible example, when the APP needs to request the vTPM service component to encrypt data with the RSA algorithm, the VM calls the RSA encryption (Tss2_Sys_RSA_Encrypt) function and inputs the command identification of the encryption operation and parameters such as the data that needs to be encrypted. The RSA algorithm is an asymmetric encryption algorithm. The Tss2_Sys_RSA_Encrypt function synthesizes the parameters entered by the VM into a TPM command byte stream that includes the second command identification, the first key handle, and the data to be encrypted. The second command identifier is used for indicating that an RSA encryption operation is to be executed; the first key handle is the identifier of a key and indicates the key used for encrypting the data; the data to be encrypted is the data that needs to be encrypted.
In yet another possible example, when the APP needs to request the vTPM service component to decrypt data with the RSA algorithm, the VM calls the RSA decryption function and inputs parameters such as the command identification of the decryption operation and the data that needs to be decrypted. The RSA decryption function synthesizes the parameters input by the VM into a TPM command byte stream, and the TPM command byte stream comprises a third command identification, a second key handle and data to be decrypted. The third command mark is used for indicating to execute RSA decryption operation; the second key handle is the identifier of the key and is used for indicating the key for executing data decryption; the data to be decrypted is the data needing to be decrypted.
It is understood that the TPM command byte stream in the above example is the first request message. After getting the TPM command byte stream, the VM passes the TPM command byte stream to the vTPM driver component by calling a write (write) function.
Optionally, one way to express the first request information is { TPM Command identifier (CMD ID), parameter (Parameters) }. Wherein the TPM CMD ID is used to identify a specific TPM operation type, such as encrypting data or decrypting data. Parameters are used to identify Parameters to be processed, such as plaintext to be encrypted or ciphertext to be decrypted.
At step 502, the vTPM driver component communicates the first request message to the vTPM agent component.
The vTPM driver component is used for implementing Input/Output (I/O) operation of TPM data related to the VM, that is, the vTPM driver component is responsible for transferring TPM request information generated by the VM to a component outside the VM, and transferring TPM response information returned by the component outside the VM to the VM.
Optionally, the VM runs a guest operating system (guest OS). The Guest OS provides a unified device file for APPs running on VMs. The device file refers to simulating a device into a file so that the APP can access the device through an interface of the file, for example, simulating devices such as a hard disk, an input device, and an output device into a file. That is to say, when the APP on the VM runs, the APP performs read-write operation on the device file provided by the operating system, so as to implement operation on the vTPM service component.
For example, assume that the path of the device file corresponding to the vTPM service component is /dev/tpm0. Based on the path of the device file, the VM calls the write function of the system to perform a write operation on the device file, writing the first request information. Since the vTPM driver component implements the specific I/O operations, after the VM writes the first request information, the vTPM driver component is triggered to transfer the first request information to the vTPM agent component.
Optionally, the manner in which the vTPM driver component transmits the first request information includes, but is not limited to: the first request information is transferred to the vTPM agent component by calling an Application Programming Interface (API), or based on inter-process communication. The inter-process communication mode includes, but is not limited to, communication based on a pipe, communication based on a message queue, communication based on a shared memory, or communication based on a socket. The method for transmitting the first request information by the vTPM driving component is not specifically limited in the embodiment of the present application.
Step 503, the vTPM agent component adds the identifier of the VM to the first request information, thereby obtaining second request information.
After the first request information is acquired, the vTPM agent component acquires the identifier of the VM based on the source of the first request information. The vTPM agent component then adds the retrieved identifier of the VM to the first request information to identify the source of the first request information. Optionally, the identifier of the VM is, for example, a Universally Unique Identifier (UUID). A UUID is a 128-bit value generated by computation over data such as the current time, a counter, and a hardware identifier.
Optionally, one way to represent the second request message is { VM UUID, TPM CMD ID, Parameters }.
There are various ways for the vTPM agent component to obtain the identifier of the VM.
Under the condition that one vTPM agent component only corresponds to one VM, namely the vTPM agent component only establishes connection with one vTPM driving component, the vTPM agent component acquires the identifier of the VM from a storage space for storing the identifier of the VM. After a VM is created by a Virtual Machine Monitor (VMM), the VMM assigns a unique identifier to the VM as the identifier of the VM and passes the identifier of the VM to the vTPM agent component. The VMM is also referred to as a hypervisor, among others. And the vTPM agent component stores the acquired identification of the VM in a specific storage space, and the specific storage space only stores the identification of one VM. Since the vTPM agent component corresponds to only one VM, after acquiring the first request information, the vTPM agent component can acquire the identifier of the VM from the specific storage space. The identification of this VM can be used to identify the source of the first request information.
In the case where one vTPM agent component corresponds to a plurality of VMs, that is, the vTPM agent component establishes connections with a plurality of vTPM driver components, the vTPM agent component acquires the identifier of the VM based on its connection with the vTPM driver component. After the VMM allocates an identifier for a newly created VM and transmits that identifier to the vTPM agent component, the vTPM agent component establishes a connection with the vTPM driver component corresponding to the newly created VM and obtains the identifier of that connection. Besides the obtained identifier of the VM, the vTPM agent component also stores the mapping relation between the identifier of the VM and the identifier of the connection. In this way, after the vTPM agent component acquires the first request information, it determines the connection identifier (i.e., the identifier of the connection between the vTPM agent component and the vTPM driver component) according to the connection over which the first request information was transmitted. The connection for transmitting the first request information is the connection between the vTPM driver component and the vTPM agent component that carries the first request information. The vTPM agent component then determines the identifier of the VM from the connection identifier and the mapping relation, thereby obtaining the identifier of the VM corresponding to the first request information.
Step 504, the vTPM agent component transmits the second request information to the TrustZone Driver component, and the destination of the second request information is the vTPM service component.
Because the vTPM agent component is located in the rich execution environment and the vTPM service component is located in the trusted execution environment, the vTPM agent component cannot directly transmit the second request information to the vTPM service component; therefore, the vTPM agent component transmits information to the vTPM service component through the TrustZone Driver component. Specifically, the vTPM agent component transmits the second request information to the TrustZone Driver component, and the TrustZone Driver component transmits the second request information to the vTPM service component. Optionally, the vTPM agent component transfers the second request information to the TrustZone Driver component by calling the command invocation (TEEC_InvokeCommand) function.
Step 505, the TrustZone Driver component passes the second request information to the vTPM service component.
After the second request information is acquired, the TrustZone Driver component parses the second request information and repackages it, so that the format of the repackaged second request information is one the vTPM service component can recognize. The TrustZone Driver component loads the repackaged second request information into the shared memory and triggers a Secure Monitor Call (SMC) to enter Monitor mode. After entering Monitor mode, the TrustZone Driver component transmits an instruction to the vTPM service component, so that the vTPM service component can acquire the second request information from the shared memory based on the instruction, completing the transfer of the second request information.
At step 506, the vTPM service component processes the second request information based on the data in the first storage space, thereby obtaining the target data.
In this embodiment, the vTPM service component allocates an independent storage space to each VM, and different storage spaces do not overlap with each other. And the vTPM service component can uniquely determine a storage space corresponding to the identifier of the VM based on the acquired identifier of the VM. For example, the vTPM service component allocates a first storage space for the VM described above and a second storage space for another VM. Thus, based on the identity of the VM included in the second request information, the vTPM service component can determine a first storage space corresponding to the identity of the VM. The first storage space is located in the trusted execution environment, and the first storage space is used for storing TPM data of the VM. In this way, the vTPM service component processes the second request information based on the data in the first storage space.
Optionally, after obtaining the second request information, the vTPM service component calls the command invocation entry point (TA_InvokeCommandEntryPoint) function to process the second request information. Specifically, the vTPM service component calls the TA_InvokeCommandEntryPoint function to parse the second request information and obtain the identifier of the VM and the TPM command byte stream contained in it. Then, the vTPM service component looks up the storage space corresponding to the identifier of the VM, determines the first storage space, and processes the TPM command byte stream based on the data in the first storage space.
In one possible example, the TPM command byte stream includes a first command identification indicating that a key generation operation is to be performed. Based on the first command identification, the vTPM service component obtains a root key in the first storage space, and generates a key based on the root key. After the key is generated, the vTPM service component stores the key in the first storage space, and generates a key handle corresponding to the key, so as to obtain the target data. Wherein the key handle is an identifier for identifying the key.
In another possible example, the TPM command byte stream includes a second command identifier, which is used to instruct the RSA encryption operation to be performed, the first key handle, and data to be encrypted. Based on a first key handle in the TPM command byte stream, the vTPM service component looks up a key corresponding to the first key handle in the first storage space. And finally, the vTPM service component encrypts the data to be encrypted by adopting the key acquired from the first storage space based on a second command identifier in the TPM command byte stream to obtain the target data.
In yet another possible example, the TPM command byte stream includes a third command identification to indicate that an RSA decryption operation is performed, the second key handle, and the data to be decrypted. Based on a second key handle in the TPM command byte stream, the vTPM service component looks up a key corresponding to the second key handle in the first storage space. And finally, the vTPM service component decrypts the data to be decrypted by adopting the key acquired from the first storage space based on a third command identifier in the TPM command byte stream to obtain the target data.
Optionally, data obtained after the vTPM service component performs the TPM operation based on the second request information needs to be returned to the VM that transfers the second request information, that is, the VM represented by the identifier of the VM included in the second request information. Therefore, after the vTPM service component executes the TPM operation (e.g., the key generation operation, the RSA encryption operation, or the RSA decryption operation described above) and obtains the corresponding TPM data, the identifier of the VM included in the second request information is further added to the obtained TPM data to obtain the target data further including the identifier of the VM included in the second request information. In the process of transferring the target data, other subsequent components can determine to transfer the target data to the VM represented by the identifier of the VM included in the target data according to the identifier of the VM included in the target data.
And step 507, the vTPM service component transmits the target data to the TrustZone Driver component, and the destination party of the target data is a vTPM agent component.
After the target data are obtained, the vTPM service component loads the target data into a shared memory and transmits an instruction to the TrustZone Driver component. In this way, the TrustZone Driver component can acquire the target data in the shared memory based on the acquired instruction, so as to realize the transfer of the target data.
In step 508, the TrustZone Driver component passes the target data to the vTPM agent component.
Optionally, after the target data is acquired, the TrustZone Driver component transfers the target data to the vTPM agent component by calling the command invocation (TEEC_InvokeCommand) function.
At step 509, the vTPM agent component passes the target data to the vTPM driver component.
Optionally, the vTPM agent component transfers the target data to the vTPM driver component by calling the command call (TEEC_InvokeCommand) function, or by sending a response message that carries the target data.
Optionally, when the vTPM agent component is connected to multiple vTPM driver components, the vTPM agent component acquires the identifier of the VM included in the target data and determines from it how to transfer the target data. Because the vTPM agent component stores the mapping relationship between the identifier of the VM and the identifier of the connection (that is, the identifier of the connection between the vTPM agent component and the vTPM driver component), the vTPM agent component can determine, based on this mapping relationship, the connection identifier corresponding to the identifier of the VM. Based on the determined connection identifier, the vTPM agent component determines the connection with the corresponding vTPM driver component and transmits the target data over that connection, so that the target data reaches the vTPM driver component corresponding to the identifier of the VM.
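As an added illustration of steps 506 to 509 (this is example code written for this page, not code from the patent or from any Huawei implementation), the C model below shows the two halves of the return path: the vTPM service component appends the requesting VM's identifier to the TPM data, and the vTPM agent component resolves that identifier through its VM-identifier-to-connection mapping before delivering on the matching connection. The trailer layout (a 4-byte big-endian identifier placed after the TPM data), the table size, and the sample VM and connection identifiers are assumptions of this example; the patent only states that the identifier is added to the TPM data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example: target data = TPM response bytes
 * followed by a 4-byte big-endian VM identifier trailer. The patent only says
 * the identifier is "added" to the TPM data; the position and width are
 * assumptions made here. */
#define VM_ID_LEN 4
#define MAX_CONNS 8

/* One row of the vTPM agent's mapping from VM identifier to the identifier of
 * that VM's connection with its vTPM driver component (recorded in step 603). */
struct conn_map_entry {
    uint32_t vm_id;
    int conn_id;                /* -1 marks an unused slot */
};

struct vtpm_agent {
    struct conn_map_entry map[MAX_CONNS];
};

void agent_init(struct vtpm_agent *a)
{
    for (int i = 0; i < MAX_CONNS; i++)
        a->map[i].conn_id = -1, a->map[i].vm_id = 0;
}

/* Record a mapping when a vTPM driver component connects. 0 on success, -1 if
 * the table is full. */
int agent_register_connection(struct vtpm_agent *a, uint32_t vm_id, int conn_id)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (a->map[i].conn_id == -1) {
            a->map[i].vm_id = vm_id;
            a->map[i].conn_id = conn_id;
            return 0;
        }
    return -1;
}

/* Service side (step 506): append the requesting VM's identifier to the TPM
 * data. Returns the target data length, or -1 if the buffer is too small. */
int service_build_target_data(const uint8_t *tpm_data, size_t tpm_len,
                              uint32_t vm_id, uint8_t *out, size_t out_cap)
{
    if (tpm_len + VM_ID_LEN > out_cap)
        return -1;
    memcpy(out, tpm_data, tpm_len);
    out[tpm_len + 0] = (uint8_t)(vm_id >> 24);
    out[tpm_len + 1] = (uint8_t)(vm_id >> 16);
    out[tpm_len + 2] = (uint8_t)(vm_id >> 8);
    out[tpm_len + 3] = (uint8_t)vm_id;
    return (int)(tpm_len + VM_ID_LEN);
}

/* Agent side (step 509): read the trailer, resolve it through the mapping and
 * return the connection to deliver on. Returns -1 if the message is too short
 * or no mapping exists; an unroutable result is dropped, never delivered to a
 * guessed VM. *payload_len receives the TPM data length without the trailer. */
int agent_route_target_data(const struct vtpm_agent *a, const uint8_t *msg,
                            size_t len, size_t *payload_len)
{
    if (len < VM_ID_LEN)
        return -1;
    size_t p = len - VM_ID_LEN;
    uint32_t vm_id = ((uint32_t)msg[p] << 24) | ((uint32_t)msg[p + 1] << 16) |
                     ((uint32_t)msg[p + 2] << 8) | (uint32_t)msg[p + 3];
    for (int i = 0; i < MAX_CONNS; i++)
        if (a->map[i].conn_id != -1 && a->map[i].vm_id == vm_id) {
            *payload_len = p;
            return a->map[i].conn_id;
        }
    return -1;
}

/* Constructed scenario: VMs 0x1001 and 0x1002 are attached on connections 7
 * and 9. The service answers a request from vm_id; the agent routes the
 * answer. Returns the connection chosen, or -1. */
int route_scenario(uint32_t vm_id)
{
    struct vtpm_agent agent;
    uint8_t target[64];
    size_t payload_len = 0;
    const uint8_t tpm_resp[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a,
                                 0x00, 0x00, 0x00, 0x00 }; /* constructed stand-in */
    agent_init(&agent);
    agent_register_connection(&agent, 0x1001, 7);
    agent_register_connection(&agent, 0x1002, 9);
    int n = service_build_target_data(tpm_resp, sizeof tpm_resp, vm_id,
                                      target, sizeof target);
    if (n < 0)
        return -1;
    int conn = agent_route_target_data(&agent, target, (size_t)n, &payload_len);
    return (conn >= 0 && payload_len != sizeof tpm_resp) ? -1 : conn;
}
```

The point the model makes explicit is that the agent never infers the destination from which connection happens to be busy: it trusts only the identifier the vTPM service component attached inside the trusted execution environment, and a result whose identifier has no registered connection is refused rather than handed to whichever VM is available.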
At step 510, the vTPM driver component passes the target data to the VM.
After the vTPM driver component acquires the target data, the APP in the VM reads the target data returned by the vTPM driver component by calling a read function, which completes the transfer of the target data.
As can be seen from the above description of the embodiments, the vTPM service component running in the trusted execution environment allocates different storage spaces to different VMs, and these storage spaces do not overlap. When the vTPM service component acquires request information that requests execution of a TPM operation, it determines the corresponding storage space according to the identifier of the VM in the request information, and provides the TPM service to the VM represented by that identifier based on the data in that storage space. The vTPM service component thus serves different VMs from different storage spaces, so data security is ensured while TPM services are provided to multiple VMs.
The process of determining the corresponding storage space based on the identification of the VM and performing the TPM operation by the vTPM service component is described above, and the process of allocating the storage space for the VM by the vTPM service component will be described below.
The vTPM service component can be triggered to allocate a storage space for a VM in the following two modes, among others.
In a first mode, after a VM is created, a vTPM agent component corresponding to the VM transmits request information for requesting session establishment to a vTPM service component, so as to trigger the vTPM service component to allocate a storage space for the VM. That is, the vTPM service component is triggered to allocate storage for the VM by the request information for requesting the establishment of the session.
In a second mode, after the VM is created, the VM first transmits request information for requesting to execute TPM operation to the vTPM service component, and the request information for requesting to execute TPM operation can trigger the vTPM service component to allocate a storage space for the VM. That is, the vTPM service component is triggered to allocate storage space for the VM by the first passed request information for requesting the TPM operation to be performed.
For ease of understanding, the two modes are described below with reference to the drawings.
Fig. 6 is a flowchart of a method in which the vTPM service component allocates a storage space according to an embodiment of the present application. The method shown in Fig. 6 corresponds to the first mode. As shown in Fig. 6, the process by which the vTPM service component allocates a storage space includes the following steps 601 to 606.
Step 601, initializing vTPM service components.
In this embodiment, the vTPM service component is a TA running in the trusted execution environment. During the start-up phase of the vTPM service component, the integrity and authenticity of the TA file are ensured by secure boot. Specifically, the TA file of the vTPM service component is signed by the certificate authority (CA) system of the software publisher. During the start-up phase of the physical server, the Basic Input Output System (BIOS) verifies the file signature of the vTPM service component, which ensures the authenticity and integrity of the vTPM service component. After the file signature of the vTPM service component passes verification, the vTPM service component is loaded into the secure memory of the trusted execution environment, where it is initialized and run; this completes the initialization of the vTPM service component.
At step 602, the vTPM agent component initializes.
In the case that one vTPM agent component corresponds to only one VM, because the vTPM agent component is part of the VMM, the VMM starts the vTPM agent component corresponding to a VM at the same time as it starts that VM. That is, the vTPM agent component starts together with the VM. After starting, the vTPM agent component acquires and stores the identifier of the currently started VM that corresponds to it, which completes the initialization process.
In the case that one vTPM agent component corresponds to multiple VMs, the VMM starts the vTPM agent component at the same time as it starts the first VM. After starting, the vTPM agent component obtains and saves the identifier of the first started VM, which completes the initialization process. Optionally, when the VMM subsequently starts other VMs, the vTPM agent component continues to acquire and save the identifiers of the subsequently started VMs.
Step 603, the vTPM driver component establishes a connection with the vTPM agent component.
After the VM starts, it loads the vTPM driver component, which establishes a connection with the vTPM agent component. When one vTPM agent component is connected to multiple vTPM driver components, after a vTPM driver component connects to the vTPM agent component, the vTPM agent component obtains the identifier of that connection and establishes a mapping relationship between the identifier of the connection and the identifier of the VM in which the vTPM driver component is located. For example, after the first VM is started, the vTPM driver component loaded by the first VM establishes a connection with the vTPM agent component. Assume that the first connection identifier identifies the connection that the vTPM driver component loaded by the first VM establishes with the vTPM agent component. The vTPM agent component obtains the first connection identifier and establishes a mapping relationship between the first connection identifier and the first VM.
Step 604, the vTPM agent component transmits session establishment request information to the TrustZone Driver component, and the destination of the session establishment request information is the vTPM service component.
Because the VM is started for the first time, no session has yet been established between the vTPM agent component and the vTPM service component. The vTPM agent component therefore transmits session establishment request information, which includes the identifier of the VM, to the TrustZone Driver component. The destination of the session establishment request information is the vTPM service component, and it is used to request the establishment of a session. After the vTPM agent component establishes a session with the vTPM service component, that session is subsequently used to transfer various information and/or target data between the vTPM service component and the vTPM agent component. The target data is the data obtained after the vTPM service component executes a TPM operation.
Optionally, the vTPM agent component initializes a context between the VM and the trusted execution environment by calling the initialize context (TEEC_InitializeContext) function and obtains the corresponding context (TEEC_Context). The vTPM agent component then calls the open session (TEEC_OpenSession) function, specifying the identifier of the VM in the call, which transfers the session establishment request information to the TrustZone Driver component.
Step 605, the TrustZone Driver component transfers the session establishment request information to the vTPM service component.
The TrustZone Driver component parses the acquired session establishment request information and reassembles it so as to adjust its format. The TrustZone Driver component then loads the reassembled session establishment request information into a shared memory and triggers an SMC (secure monitor call) to enter monitor mode. After entering monitor mode, the TrustZone Driver component transmits an instruction to the vTPM service component, so that the vTPM service component can acquire the session establishment request information from the shared memory based on the instruction, which completes the transfer of the session establishment request information.
Step 606, the vTPM service component establishes a session based on the session establishment request information and allocates a storage space for the VM.
After acquiring the session establishment request information, the vTPM service component calls the session open interface (TA_OpenSessionEntryPoint) function. By executing the TA_OpenSessionEntryPoint function, the vTPM service component parses the session establishment request information and obtains the identifier of the VM included in it. Based on that identifier, the vTPM service component establishes a session and obtains a session identifier corresponding to the identifier of the VM. The vTPM service component then transmits the session identifier to the TrustZone Driver component, with the vTPM agent component as the destination, so that the vTPM agent component can acquire the session identifier corresponding to the identifier of the VM included in the session establishment request information.
Because the vTPM agent component passes the session establishment request information to the vTPM service component when the VM is first started, the vTPM service component has not yet allocated a storage space for the identifier of the VM included in the session establishment request information at the time it acquires that information. Accordingly, after acquiring the session establishment request information, the vTPM service component allocates a storage space in the trusted execution environment for the identifier of the VM included in the session establishment request information. After the storage space is allocated, the vTPM service component marks the allocated storage space with the identifier of the VM included in the session establishment request information.
After allocating a storage space for the identifier of the VM included in the session establishment request information, the vTPM service component performs a TPM initialization operation on the data in the storage space, so that it can subsequently perform TPM operations based on the data in the allocated storage space. By performing the TPM initialization operation, the vTPM service component updates the data in the allocated storage space to TPM initialization data.
Illustratively, the vTPM service component performing the TPM initialization operation on the data in the storage space includes the following: the vTPM service component divides the storage space into a plurality of storage blocks, which are respectively used to store data such as the platform seed, the endorsement seed, the storage seed, keys, or PCRs, and updates the data in the storage blocks to obtain the TPM initialization data. For example, the vTPM service component updates the data in the storage block that stores a PCR so as to assign the PCR its initial value.
Optionally, if the VM is restarted after being shut down, the nonvolatile memory in the trusted execution environment may still contain a storage space corresponding to the identifier of the VM. Therefore, before allocating a storage space for the identifier of the VM, the vTPM service component looks up whether a storage space corresponding to the identifier of the VM exists in the nonvolatile memory.
If a storage space corresponding to the identifier of the VM included in the session establishment request information exists in the nonvolatile memory, the vTPM service component allocates a storage space for the identifier of the VM in the volatile memory and copies the data from the storage space in the nonvolatile memory corresponding to the identifier of the VM to the allocated storage space. That is, after allocating the storage space in the volatile memory for the identifier of the VM, the vTPM service component does not need to perform a TPM initialization operation on the data in that storage space; it instead copies the data from the corresponding storage space in the nonvolatile memory into the allocated storage space. Therefore, in a VM restart scenario, the TPM data the VM used before the restart is recovered in the volatile memory, and the normal operation of the VM is ensured.
If no storage space corresponding to the identifier of the VM included in the session establishment request information exists in the nonvolatile memory, the VM corresponding to that identifier is considered to be created for the first time, or its TPM data is considered to have been discarded. In that case, the vTPM service component allocates a storage space for the identifier of the VM in the volatile memory and performs a TPM initialization operation on the data in the allocated storage space.
Fig. 7 is a flowchart of another method in which the vTPM service component allocates a storage space according to an embodiment of the present application. The method shown in Fig. 7 corresponds to the second mode described above. As shown in Fig. 7, the process by which the vTPM service component allocates a storage space includes the following steps.
Step 701, initializing the vTPM service component.
At step 702, the vTPM agent component initializes.
Step 703, the vTPM agent component establishes a connection with the vTPM driver component.
In this embodiment, steps 701 to 703 are similar to steps 601 to 603; refer to steps 601 to 603 for details, which are not repeated here.
Step 704, the VM transmits the third request information to the vTPM driver component, where the destination of the third request information is the vTPM service component.
In this embodiment, the third request information is used to request execution of TPM operations, and the third request information is request information that is first transmitted to the vTPM driver component after the VM is started.
Step 705, the vTPM driver component passes the third request information to the vTPM agent component.
In step 706, the vTPM agent component adds the identifier of the VM to the third request information, thereby obtaining fourth request information.
Step 707, the vTPM agent component transmits the fourth request information to the TrustZone Driver component, and the destination of the fourth request information is the vTPM service component.
In step 708, the TrustZone Driver component passes the fourth request information to the vTPM service component.
In this embodiment, steps 705 to 708 are similar to steps 502 to 505; refer to steps 502 to 505 for details, which are not repeated here.
Step 709, the vTPM service component allocates a storage space to the VM according to the fourth request information.
After the fourth request information is acquired, the vTPM service component analyzes the fourth request information, and acquires the identifier of the VM included in the fourth request information. The vTPM service component looks up, in volatile memory of the trusted execution environment, a storage space corresponding to the identification of the VM based on the identification of the VM included in the fourth request information. Since the fourth request information is the request information first transferred by the vTPM agent component after the VM is started, a storage space corresponding to the identifier of the VM included in the fourth request information does not exist in the volatile memory of the trusted execution environment.
When the vTPM service component cannot search the volatile memory for the storage space corresponding to the identifier of the VM included in the fourth request information, the vTPM service component continues to search the non-volatile memory for the storage space corresponding to the identifier of the VM included in the fourth request information. If the nonvolatile memory has a storage space corresponding to the identifier of the VM included in the fourth request information, the vTPM service component allocates a storage space in the volatile memory for the identifier of the VM included in the fourth request information, and copies data in the storage space in the nonvolatile memory corresponding to the identifier of the VM to the allocated storage space. If the storage space corresponding to the identification of the VM included in the fourth request information does not exist in the nonvolatile memory, the vTPM service component allocates the storage space for the identification of the VM included in the fourth request information in the volatile memory, and performs TPM initialization operation on the data in the allocated storage space.
In this embodiment, the vTPM service component searches a corresponding storage space based on the identifier of the VM in the TPM operation request, and determines whether to allocate a storage space to the identifier of the VM in the TPM operation request according to a search result, so as to allocate a corresponding storage space to the identifier of the VM. The vTPM service component can realize the allocation of the storage space based on the TPM operation request, so that the process of establishing session connection in advance is omitted, and the processing resources are saved.
The process of allocating the storage space for the identifier of the VM by the vTPM service component when the VM is started is described above, and the process of recovering the storage space allocated for the identifier of the VM by the vTPM service component when the VM is shut down is described below.
Fig. 8 is a schematic flowchart of a vTPM service component closing a session according to an embodiment of the present application. As shown in Fig. 8, the process includes the following steps.
Step 801, the vTPM driver component transmits fifth request information to the vTPM agent component, where a destination of the fifth request information is a vTPM service component.
When the VM needs to be shut down, the VM triggers its corresponding vTPM driver component to transmit fifth request information to the vTPM agent component, where the fifth request information is used to request closing the session between the VM and the vTPM service component.
In step 802, the vTPM agent component adds the identifier of the VM to the fifth request information, so as to obtain sixth request information.
Similarly, after acquiring the fifth request information, the vTPM agent component acquires the identifier of the VM based on the source of the fifth request information and adds the acquired identifier of the VM to the fifth request information to identify its source. The process by which the vTPM agent component acquires the identifier of the VM is similar to step 503; refer to the description of step 503 for details, which are not repeated here.
Step 803, the vTPM agent component transmits the sixth request information to the TrustZone Driver component, and the destination of the sixth request information is the vTPM service component.
Optionally, the vTPM agent component passes the sixth request information to the TrustZone Driver component by calling the close session (TEEC_CloseSession) function. Further, after the session between the VM and the vTPM service component is closed, the vTPM agent component terminates the context between the VM and the trusted execution environment by calling the finalize context (TEEC_FinalizeContext) function, which closes the connection between the VM and the trusted execution environment.
Step 804, the TrustZone Driver component transmits the sixth request information to the vTPM service component.
In this embodiment, step 804 is similar to step 505 described above; refer to the description of step 505 for details, which are not repeated here.
At step 805, the vTPM service component closes the session based on the sixth request information.
After acquiring the sixth request information, the vTPM service component acquires the identifier of the VM in the sixth request information in order to determine the storage space corresponding to that identifier. Optionally, acquiring the sixth request information triggers the vTPM service component to call the session close interface (TA_CloseSessionEntryPoint) function. By executing the TA_CloseSessionEntryPoint function, the vTPM service component parses the sixth request information and obtains the identifier of the VM included in it.
Based on the identifier of the VM included in the sixth request information, the vTPM service component searches the volatile memory for the storage space corresponding to the identifier of the VM included in the sixth request information, and obtains the storage space corresponding to the identifier of the VM included in the sixth request information in the volatile memory. Then, the vTPM service component allocates a storage space in the nonvolatile memory for the identifier of the VM included in the sixth request information, and copies the data in the found storage space in the volatile memory to the allocated storage space in the nonvolatile memory. After the data in the storage space in the volatile memory is copied, the vTPM service component discards the data in the storage space in the volatile memory, so that the recovery of the storage space in the volatile memory is realized, and the utilization rate of the storage space in the volatile memory is improved.
By copying TPM data corresponding to the identifier of the VM in the volatile memory to the nonvolatile memory when the VM is closed, the TPM data corresponding to the VM can be recovered when the VM is restarted, and the normal operation of the VM is ensured.
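To tie the storage-space lifecycle together, the following is an added C model of step 606 and step 709 (allocate a storage space, restoring it from nonvolatile memory after a restart or running the TPM initialization operation on first creation) and of step 805 (persist to nonvolatile memory, then discard the volatile copy). It is example code written for this page, not code from the patent or from any Huawei implementation. The state layout, the pool sizes, the placeholder seed derivation, and the VM identifiers 0x1001 and 0x1002 are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of one VM's TPM state (seeds, key slots, PCRs); the sizes
 * are assumptions of this example, not values from the patent. */
#define SEED_LEN 32
#define KEY_SLOTS 4
#define NUM_PCRS 24
#define PCR_LEN 32
#define MAX_SPACES 4

struct tpm_state {
    uint8_t seeds[3][SEED_LEN];            /* platform, endorsement, storage */
    uint8_t keys[KEY_SLOTS][SEED_LEN];
    uint8_t pcr[NUM_PCRS][PCR_LEN];
};
struct storage_space {                     /* marked with the owning VM's id */
    int in_use;
    uint32_t vm_id;
    struct tpm_state state;
};
struct vtpm_service {                      /* the TA's two pools */
    struct storage_space volatile_mem[MAX_SPACES];
    struct storage_space nonvolatile_mem[MAX_SPACES];
};

static struct storage_space *find_space(struct storage_space *p, uint32_t id)
{
    for (int i = 0; i < MAX_SPACES; i++)
        if (p[i].in_use && p[i].vm_id == id) return &p[i];
    return NULL;
}

static struct storage_space *alloc_space(struct storage_space *p, uint32_t id)
{
    for (int i = 0; i < MAX_SPACES; i++)
        if (!p[i].in_use) { p[i].in_use = 1; p[i].vm_id = id; return &p[i]; }
    return NULL;
}

/* TPM initialization operation: PCRs take their initial (zero) value and the
 * seeds are filled. The seed derivation is a constructed placeholder; a real
 * TA would draw the seeds from the TEE random source. */
static void tpm_initialize(struct tpm_state *s, uint32_t vm_id)
{
    uint32_t x = vm_id * 2654435761u + 1u;
    memset(s, 0, sizeof *s);
    for (int i = 0; i < 3 * SEED_LEN; i++) {
        x = x * 1103515245u + 12345u;
        s->seeds[i / SEED_LEN][i % SEED_LEN] = (uint8_t)(x >> 24);
    }
}

/* Steps 606 / 709: the storage space for vm_id. Order: volatile lookup, then
 * nonvolatile restore (VM restart), then fresh TPM initialization (first
 * creation). *restored is 1 when the data came from nonvolatile memory. */
struct storage_space *vtpm_get_or_allocate(struct vtpm_service *svc, uint32_t vm_id, int *restored)
{
    struct storage_space *v = find_space(svc->volatile_mem, vm_id), *nv;
    *restored = 0;
    if (v) return v;
    if (!(v = alloc_space(svc->volatile_mem, vm_id)))
        return NULL;                       /* volatile pool exhausted */
    if ((nv = find_space(svc->nonvolatile_mem, vm_id)) != NULL) {
        v->state = nv->state;              /* recover pre-restart TPM data */
        *restored = 1;
    } else
        tpm_initialize(&v->state, vm_id);  /* first creation or data discarded */
    return v;
}

/* Step 805: persist to nonvolatile memory, then discard the volatile copy.
 * Returns 0, or -1 if the VM has no volatile space or the NV pool is full. */
int vtpm_close_session(struct vtpm_service *svc, uint32_t vm_id)
{
    struct storage_space *v = find_space(svc->volatile_mem, vm_id);
    struct storage_space *nv = v ? find_space(svc->nonvolatile_mem, vm_id) : NULL;
    if (!v || (!nv && !(nv = alloc_space(svc->nonvolatile_mem, vm_id))))
        return -1;
    nv->state = v->state;
    memset(v, 0, sizeof *v);               /* discard: the slot is free again */
    return 0;
}

/* Constructed scenario: VM 0x1001 stores a key (slot 0 = 0xAB), shuts down and
 * restarts while VM 0x1002 keeps running. Returns 1 if the key is recovered
 * from nonvolatile memory and VM 0x1002's space was never touched. */
int restart_scenario(void)
{
    struct vtpm_service svc;
    struct storage_space *a, *b;
    int r1, r2;
    memset(&svc, 0, sizeof svc);
    a = vtpm_get_or_allocate(&svc, 0x1001, &r1);
    b = vtpm_get_or_allocate(&svc, 0x1002, &r2);
    if (!a || !b || a == b || r1 || r2)
        return 0;
    memset(a->state.keys[0], 0xAB, SEED_LEN);   /* stands in for key generation */
    if (vtpm_close_session(&svc, 0x1001) != 0 || b->state.keys[0][0] != 0)
        return 0;
    a = vtpm_get_or_allocate(&svc, 0x1001, &r1);
    return a && r1 == 1 && a->state.keys[0][0] == 0xAB && b->state.keys[0][0] == 0;
}
```

The scenario function exercises the restart path the text describes: a key written before shutdown is present again after the VM's space is re-created from nonvolatile memory, while the second VM's space, which is only ever found by its own marked identifier, is untouched throughout. The fixed lookup order (volatile, then nonvolatile, then initialize) is what keeps a restarted VM from being handed freshly initialized TPM data while its previous state still sits in nonvolatile memory.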
Fig. 9 is a schematic structural diagram of a computer system according to an embodiment of the present application. As shown in Fig. 9, a trusted execution environment and a rich execution environment run on the computer system; the vTPM service component runs in the trusted execution environment, and a first VM and a vTPM agent component run in the rich execution environment. The vTPM agent component is configured to acquire first request information from the first VM, acquire the identifier of the first VM, add the identifier of the first VM to the first request information to obtain second request information, and transmit the second request information to the TrustZone Driver component. The first request information is used to request the vTPM service component to execute a TPM operation, the second request information includes the identifier of the first VM, and the destination of the second request information is the vTPM service component. The vTPM service component is configured to acquire the second request information through the TrustZone Driver component and process the second request information based on data in a first storage space, where the first storage space is the storage space in the trusted execution environment corresponding to the identifier of the first VM and is used to store TPM data of the first VM.
Optionally, the trusted execution environment further includes a second storage space, where the second storage space is used to store TPM data of a second VM, and the first storage space and the second storage space are storage spaces that are not overlapped with each other.
Optionally, the second request information further includes a command identifier and a parameter to be processed, where the command identifier indicates the type of the TPM operation to be performed. The vTPM service component is further configured to process the parameter to be processed based on the identifier of the second VM and the data in the first storage space to obtain target data, and to transmit the target data to the TrustZone Driver component, where the destination of the target data is the vTPM agent component. The vTPM agent component is further configured to acquire the target data and transfer it to the first VM.
Optionally, the parameter to be processed includes a key handle and data to be encrypted. The vTPM service component is further configured to call the command call interface function to obtain the command identifier and the parameter to be processed in the second request information, and to encrypt the data to be encrypted with a key according to the command identifier, where the key is determined by the vTPM according to the key handle.
Optionally, the parameter to be processed includes a key handle and data to be decrypted. The vTPM service component is further configured to call the command call interface function to obtain the command identifier and the parameter to be processed in the second request information, and to decrypt the data to be decrypted with a key according to the command identifier, where the key is determined by the vTPM according to the key handle.
Optionally, the vTPM agent component is further configured to obtain third request information from the second VM, where the third request information is used to request to execute TPM operation, obtain an identifier of the second VM, add the identifier of the second VM to the third request information, to obtain fourth request information, where the fourth request information includes the identifier of the second VM, and transmit the fourth request information to the TrustZone Driver component, and a destination of the fourth request information is the vTPM service component. The vTPM service component is used for acquiring fourth request information through the TrustZone Driver component and processing the fourth request information based on data in a second storage space, wherein the second storage space is a storage space corresponding to the identifier of the second VM in the trusted execution environment, and the second storage space is used for storing TPM data of the second VM.
Optionally, if the storage space corresponding to the identifier of the first VM does not exist in the trusted execution environment, the vTPM service component is further configured to allocate a storage space to the identifier of the first VM in the trusted execution environment, and perform TPM initialization operation on data in the allocated storage space, so that the data in the allocated storage space is updated to TPM initialization data, and the allocated storage space is used as the first storage space.
Optionally, the vTPM service component is further configured to look up a storage space corresponding to the identifier of the first VM in a volatile memory of the computer, and allocate the storage space in the volatile memory if the storage space corresponding to the identifier of the first VM does not exist in the volatile memory.
Optionally, the second request information is transmitted in the first session, the first session is used for transmitting information and/or target data for requesting execution of the TPM operation between the vTPM service component and the vTPM agent component, and the target data is data obtained after execution of the TPM operation. The vTPM agent component is further configured to, when the first VM is started, obtain an identifier of the first VM, generate fifth request information, where the fifth request information includes the identifier of the first VM, and transmit the fifth request information to the TrustZone Driver component, where the fifth request information is used to request establishment of a first session, and a destination of the fifth request information is a vTPM service component. The vTPM service component is further used for acquiring fifth request information through the TrustZone Driver component, and allocating a storage space in a volatile memory of the computer by the vTPM service component, wherein the allocated storage space is used as a first storage space.
Optionally, the first session is a session corresponding to the identifier of the first VM, and the vTPM service component is further configured to invoke a session open interface function according to the identifier of the first VM included in the fifth request information, so as to establish the first session corresponding to the identifier of the first VM and obtain the identifier of the first session; the vTPM service component is also used for transmitting the identification of the first session to the TrustZone Driver component, and the destination party of the identification of the first session is the vTPM agent component.
Optionally, the vTPM service component is further configured to look up a storage space corresponding to the identifier of the first VM in a non-volatile memory of the computer. If the nonvolatile memory has a storage space corresponding to the identifier of the first VM, the storage space is allocated in the volatile memory, and data in the storage space corresponding to the identifier of the first VM in the nonvolatile memory is copied to the allocated storage space. If the nonvolatile memory does not have a memory space corresponding to the identifier of the first VM, the memory space is allocated in the volatile memory.
Optionally, the vTPM service component is further configured to mark the allocated storage space based on the identification of the first VM.
Optionally, the vTPM agent component is further configured to obtain sixth request information from the first VM, where the sixth request information is used to request to close the first session, obtain an identifier of the first VM, and add the identifier of the first VM to the sixth request information, so as to obtain seventh request information, where the seventh request information includes the identifier of the first VM, and transmit the seventh request information to the TrustZone Driver component, and a destination of the seventh request information is a vTPM service component; the vTPM service component is further configured to acquire sixth request information, determine a first storage space according to an identifier of the first VM included in the sixth request information, and copy data of the first storage space to a third storage space, where the third storage space is located in the nonvolatile memory.
Optionally, the second request information is passed by the TrustZone Driver component to the vTPM service component in the monitoring mode, and the TrustZone Driver component runs in a rich execution environment of the computer.
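As an added illustration (not code from the patent or from the applicant), the following C model shows the per-VM storage handling described in the optional embodiments above and in claims 1 to 19: the agent stamps the VM identifier onto a request, the service component dispatches on the command identifier while touching only the storage space that matches that identifier, a session open allocates volatile storage and restores it from nonvolatile memory when present, and a session close persists the data back. All names (vtpm_space, volatile_mem, nv_mem, agent_wrap, vtpm_process and the others) are assumptions, and the FNV-1a "extend" is a constructed stand-in for a real PCR extend, used only so the example runs offline.

```c
/* Added example, not the patent's own code. Names and sizes are assumptions;
 * extend_hash is a constructed stand-in for a real SHA-256 PCR extend. */
#include <stdint.h>
#include <string.h>

#define MAX_SPACES 4   /* VMs the TEE can hold at once (assumed) */
#define NUM_PCRS   4   /* stand-in PCR bank per VM */

/* One VM's TPM data: the "first/second storage space" of the claims. */
struct vtpm_space {
    int      in_use;         /* space is marked with a VM identifier */
    uint32_t vm_id;          /* identifier stamped on requests by the agent */
    uint64_t pcr[NUM_PCRS];  /* all zero = TPM initialization data */
};

/* Volatile TEE memory (live sessions) and nonvolatile memory (persisted on close). */
static struct vtpm_space volatile_mem[MAX_SPACES];
static struct vtpm_space nv_mem[MAX_SPACES];

enum vtpm_cmd { CMD_EXTEND = 1, CMD_READ = 2 };  /* command identifiers */

/* "Second request information": the VM's request plus the VM identifier. */
struct vtpm_request {
    uint32_t      vm_id;
    enum vtpm_cmd command;
    uint32_t      pcr_index;
    uint64_t      value;     /* parameter to be processed */
};

static struct vtpm_space *find_space(struct vtpm_space *pool, uint32_t vm_id)
{
    for (int i = 0; i < MAX_SPACES; i++)
        if (pool[i].in_use && pool[i].vm_id == vm_id)
            return &pool[i];
    return NULL;
}

static struct vtpm_space *alloc_space(struct vtpm_space *pool, uint32_t vm_id)
{
    for (int i = 0; i < MAX_SPACES; i++) {
        if (pool[i].in_use)
            continue;
        pool[i].in_use = 1;                          /* mark with VM identifier */
        pool[i].vm_id  = vm_id;
        memset(pool[i].pcr, 0, sizeof pool[i].pcr);  /* TPM initialization data */
        return &pool[i];
    }
    return NULL;
}

/* Agent side (claim 14): the agent, not the guest, supplies the VM identifier. */
struct vtpm_request agent_wrap(uint32_t vm_id, enum vtpm_cmd command,
                               uint32_t pcr_index, uint64_t value)
{
    struct vtpm_request r = { vm_id, command, pcr_index, value };
    return r;
}

/* Session open (claims 8-10): allocate volatile space; restore from NV if present. */
int vtpm_open_session(uint32_t vm_id)
{
    struct vtpm_space *s, *nv;
    if (find_space(volatile_mem, vm_id))
        return 0;                                    /* session already open */
    if ((s = alloc_space(volatile_mem, vm_id)) == NULL)
        return -1;                                   /* TEE memory exhausted */
    if ((nv = find_space(nv_mem, vm_id)) != NULL)
        memcpy(s->pcr, nv->pcr, sizeof s->pcr);
    return 0;
}

/* Constructed stand-in for PCR extend: FNV-1a over (old || value). */
static uint64_t extend_hash(uint64_t old, uint64_t value)
{
    uint64_t h = 1469598103934665603ULL;
    uint8_t buf[16];
    memcpy(buf, &old, 8);
    memcpy(buf + 8, &value, 8);
    for (int i = 0; i < 16; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    return h;
}

/* Service side (claims 1 and 3): dispatch on the command identifier, using only
 * the storage space that matches the VM identifier carried in the request. */
int vtpm_process(const struct vtpm_request *req, uint64_t *target)
{
    struct vtpm_space *s = find_space(volatile_mem, req->vm_id);
    if (!s)
        return -1;                                   /* no session for this VM */
    if (req->pcr_index >= NUM_PCRS)
        return -2;
    switch (req->command) {
    case CMD_EXTEND:
        s->pcr[req->pcr_index] = extend_hash(s->pcr[req->pcr_index], req->value);
        *target = s->pcr[req->pcr_index];
        return 0;
    case CMD_READ:
        *target = s->pcr[req->pcr_index];
        return 0;
    default:
        return -3;                                   /* unknown command identifier */
    }
}

/* Session close (claim 12): persist to NV ("third storage space"), release volatile space. */
int vtpm_close_session(uint32_t vm_id)
{
    struct vtpm_space *s = find_space(volatile_mem, vm_id), *nv;
    if (!s)
        return -1;
    if ((nv = find_space(nv_mem, vm_id)) == NULL && (nv = alloc_space(nv_mem, vm_id)) == NULL)
        return -2;
    memcpy(nv->pcr, s->pcr, sizeof nv->pcr);
    s->in_use = 0;
    return 0;
}
```

The point a reviewer of such a design checks is visible in vtpm_process: the storage space is selected from the identifier the agent added in the rich execution environment, never from anything the guest put in the request body, so a request from one VM cannot address another VM's space, and a VM without an open session is refused rather than silently given a fresh space.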
It should be understood that, for the components of the computer system, the specific details of the steps and methods performed by the vTPM driving component, the vTPM agent component, the TrustZone driving component, and the vTPM service component may be found in the method embodiment above, and for brevity they are not described again here.
Fig. 10 is a schematic structural diagram of a computer according to an embodiment of the present application. The computer 1000 is loaded with the above-described computer system. The computer 1000 is implemented by a general bus architecture.
The computer 1000 includes at least one processor 1001, a communication bus 1002, memory 1003, and at least one communication interface 1004.
Optionally, the processor 1001 is a general-purpose CPU, NP, microprocessor, or one or more integrated circuits for implementing the present invention, such as an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLD is a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
A communication bus 1002 is used to communicate information between the above components. The communication bus 1002 is divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
Alternatively, the memory 1003 is a read-only memory (ROM) or another type of static storage device that can store static information and instructions. Alternatively, the memory 1003 is a random access memory (RAM) or another type of dynamic storage device that can store information and instructions. Alternatively, the memory 1003 may be, but is not limited to, an electrically erasable programmable read-only memory (EEPROM), a compact disk read-only memory (CD-ROM) or other optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, Blu-ray disk, and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Optionally, the memory 1003 is separate and coupled to the processor 1001 via the communication bus 1002. Optionally, the memory 1003 is integrated with the processor 1001.
The communication interface 1004 uses any transceiver or the like for communicating with other devices or a communication network. The communication interface 1004 includes a wired communication interface. Optionally, the communication interface 1004 also includes a wireless communication interface. The wired communication interface is, for example, an ethernet interface. The ethernet interface is an optical interface, an electrical interface, or a combination thereof. The wireless communication interface is a Wireless Local Area Network (WLAN) interface, a cellular network communication interface, or a combination thereof.
In a particular implementation, as one embodiment, the processor 1001 includes one or more CPUs, such as CPU0 and CPU1 shown in Fig. 10.
In a particular implementation, as one embodiment, the computer 1000 includes multiple processors, such as the processor 1001 and the processor 1005 shown in Fig. 10. Each of these processors is a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein refers to one or more devices, circuits, and/or processing cores that process data, such as computer program instructions.
In some embodiments, the memory 1003 is used to store program code 1010 for implementing aspects of the present application, and the processor 1001 executes the program code 1010 stored in the memory 1003. That is, the computer 1000 implements the above-described method embodiments through the processor 1001 and the program code 1010 in the memory 1003.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disk.

Claims (37)

1. A method for realizing a virtual trusted platform module vTPM is characterized by comprising the following steps:
the vTPM service component acquires first request information from a vTPM agent component, wherein the first request information comprises an identification of a first Virtual Machine (VM), and the first request information is used for requesting to execute TPM operation, the vTPM service component runs in a trusted execution environment of a computer, and the first VM and the vTPM agent component run in a rich execution environment of the computer;
the vTPM service component processes the first request information based on data in a first storage space, wherein the first storage space is a storage space corresponding to the identifier of the first VM in the trusted execution environment, and the first storage space is used for storing TPM data of the first VM.
2. The method of implementing a vTPM of claim 1, further comprising a second storage space in the trusted execution environment, wherein the second storage space is used to store TPM data of a second VM in the computer, and the first storage space and the second storage space are non-overlapping storage spaces.
3. The vTPM implementation method according to claim 1 or 2, wherein the first request information further includes a command identifier and a parameter to be processed, and the command identifier is used to indicate a type of TPM operation to be performed;
the vTPM service component processes the first request information based on the data in the first storage space, and the processing method comprises the following steps:
the vTPM service component processes the to-be-processed parameters based on the command identification and the data in the first storage space to obtain target data;
and the vTPM service component transmits the target data to a TrustZone Driver component, wherein the destination of the target data is the vTPM agent component.
4. The vTPM implementation method according to claim 3, wherein the parameters to be processed comprise a key handle and data to be encrypted;
the vTPM service component processes the to-be-processed parameter based on the command identifier and the data in the first storage space to obtain target data, and the target data processing method comprises the following steps:
the vTPM service component calls a command call interface function to obtain the command identification and the to-be-processed parameter in the first request information;
and the vTPM service component encrypts the data to be encrypted by adopting a key according to the command identifier, wherein the key is determined by the vTPM according to the key handle.
5. The vTPM implementation method according to claim 3, wherein the parameters to be processed comprise a key handle and data to be decrypted;
the vTPM service component processes the to-be-processed parameter based on the command identifier and the data in the first storage space to obtain target data, and the target data processing method comprises the following steps:
the vTPM service component calls a command call interface function to obtain the command identification and the to-be-processed parameter in the first request information;
and the vTPM service component decrypts the data to be decrypted by adopting a key according to the command identifier, wherein the key is determined by the vTPM according to the key handle.
6. The vTPM implementation method according to any one of claims 1 to 5, wherein before the vTPM service component processes the first request information based on the data in the first storage space, the method further comprises:
if the storage space corresponding to the identifier of the first VM does not exist in the trusted execution environment, the vTPM service component allocates a storage space for the identifier of the first VM in the trusted execution environment;
the vTPM service component executes TPM initialization operation on the data in the allocated storage space, so that the data in the allocated storage space are updated to TPM initialization data, and the allocated storage space is used as the first storage space.
7. The method of implementing a vTPM of claim 6, wherein the assigning, by the vTPM service component, storage space in the trusted execution environment for the identity of the first VM comprises:
the vTPM service component searches a volatile memory of the computer for a storage space corresponding to the identifier of the first VM;
and if the storage space corresponding to the identification of the first VM does not exist in the volatile memory, the vTPM service component allocates the storage space in the volatile memory.
8. The vTPM implementation method according to any one of claims 1 to 7, wherein the first request information is transmitted in a first session, and the first session is used for transmitting the first request information and/or the target data between the vTPM service component and the vTPM proxy component;
the method further comprises the following steps:
the vTPM service component acquires second request information from the vTPM agent component, wherein the second request information comprises an identifier of the first VM and is used for requesting to establish the first session;
and the vTPM service component allocates a storage space in a volatile memory of the computer according to the second request information, and takes the allocated storage space as the first storage space.
9. The method of implementing a vTPM of claim 8, wherein the first session is a session corresponding to an identity of the first VM, the method further comprising:
the vTPM service component calls a session open interface function according to the identifier of the first VM included in the second request information to establish the first session and obtain the identifier of the first session;
and the vTPM service component transmits the identification of the first session to a TrustZone Driver component in a rich execution environment of the computer, wherein the destination party of the identification of the first session is the vTPM agent component.
10. The vTPM implementation method of any of claims 7 to 9, wherein the allocating, by the vTPM service component, of storage space in the volatile memory comprises:
the vTPM service component searches a nonvolatile memory of the computer for a storage space corresponding to the identifier of the first VM;
if the storage space corresponding to the identification of the first VM exists in the nonvolatile memory, the vTPM service component allocates the storage space in the volatile memory, and copies data in the storage space corresponding to the identification of the first VM in the nonvolatile memory to the allocated storage space;
and if the storage space corresponding to the identifier of the first VM does not exist in the nonvolatile memory, the vTPM service component allocates the storage space in the volatile memory.
11. The vTPM implementation method of any of claims 8-10, wherein after the vTPM service component allocates storage space in volatile memory, the method further comprises:
the vTPM service component marks allocated storage space based on the identification of the first VM.
12. The method of implementing a vTPM of any of claims 8-11, further comprising:
the vTPM service component acquires third request information, wherein the third request information is transmitted in the first session, the third request information comprises an identifier of the first VM, and the third request information is used for requesting to close the first session;
the vTPM service component determines the first storage space according to the identifier of the first VM included in the third request message;
the vTPM service component copies data of the first storage space to a third storage space, and the third storage space is located in a nonvolatile memory.
13. The vTPM implementation method according to any one of claims 1 to 12, characterized in that the first request information is passed by a TrustZone Driver component running in a rich execution environment of the computer to the vTPM service component in monitoring mode.
14. A method for implementing vTPM is characterized by comprising the following steps:
the method comprises the steps that a vTPM agent component acquires first request information from a first VM, wherein the first request information is used for requesting a vTPM service component to execute TPM operation, the first VM and the vTPM agent component run in a rich execution environment of a computer, and the vTPM service component runs in a trusted execution environment of the computer;
the vTPM agent component acquires an identifier of the first VM;
the vTPM agent component adds the identifier of the first VM in the first request information so as to obtain second request information, wherein the second request information comprises the identifier of the first VM;
and the vTPM agent component transmits the second request information to a TrustZone Driver component running in a trusted execution environment of the computer, wherein the destination party of the second request information is the vTPM service component.
15. The vTPM implementation method of claim 14, wherein the adding, by the vTPM agent component, the identifier of the first VM in the first request message includes:
and the vTPM agent component invokes a command call function to add the identifier of the first VM to the first request information, so as to obtain the second request information.
16. The method of implementing a vTPM of claim 14 or 15, further comprising:
the vTPM agent component acquires third request information from a second VM, wherein the third request information is used for requesting to execute TPM operation;
the vTPM agent component acquires an identifier of the second VM;
the vTPM agent component adds the identifier of the second VM to the third request information so as to obtain fourth request information, wherein the fourth request information comprises the identifier of the second VM;
and the vTPM agent component transmits the fourth request information to the TrustZone Driver component, and the destination of the fourth request information is the vTPM service component.
17. The method of implementing a vTPM of any of claims 14-16, further comprising:
the vTPM agent component acquires target data from the vTPM service component through the TrustZone Driver component, wherein the target data are data obtained after the vTPM service component executes TPM operation based on the second request information;
the vTPM agent component communicates the target data to the first VM.
18. The method of implementing a vTPM of any of claims 14-17, further comprising:
when the first VM is started, the vTPM agent component acquires an identifier of the first VM;
the vTPM agent component generates fifth request information, the fifth request information is used for requesting to establish a session with the vTPM service component, and the fifth request information comprises an identifier of the first VM;
and the vTPM agent component transmits the fifth request information to the TrustZone Driver component, and the destination of the fifth request information is the vTPM service component.
19. The method of implementing a vTPM of any of claims 14-18, further comprising:
the vTPM agent component acquires sixth request information from the first VM, wherein the sixth request information is used for requesting to close the session with the vTPM service component;
the vTPM agent component acquires an identifier of the first VM;
the vTPM agent component adds the identifier of the first VM to the sixth request information, so as to obtain seventh request information, wherein the seventh request information comprises the identifier of the first VM;
and the vTPM agent component transmits the seventh request information to the TrustZone Driver component, and the destination of the seventh request information is the vTPM service component.
20. An electronic device comprising a processor and a memory coupled to the processor, the memory storing program instructions which, when executed by the processor, implement the method of any of claims 1-13.
21. An electronic device comprising a processor and a memory coupled to the processor, the memory storing program instructions which, when executed by the processor, implement the method of any of claims 14-19.
22. A computer system having a trusted execution environment and a rich execution environment running thereon, the trusted execution environment running a vTPM service component and the rich execution environment running a first VM and a vTPM agent component;
the vTPM proxy component is configured to obtain first request information from the first VM, obtain an identifier of the first VM, add the identifier of the first VM to the first request information, obtain second request information, and transmit the second request information to a TrustZone Driver component, where the first request information is used to request the vTPM service component to execute TPM operations, the second request information includes the identifier of the first VM, and a destination of the second request information is the vTPM service component;
the vTPM service component is configured to acquire the second request information through the TrustZone Driver component, and process the second request information based on data in a first storage space, where the first storage space is a storage space corresponding to the identifier of the first VM in the trusted execution environment, and the first storage space is used to store TPM data of the first VM.
23. The computer system of claim 22, further comprising a second storage space in the trusted execution environment, the second storage space configured to store TPM data of a second VM, wherein the first storage space and the second storage space are non-overlapping storage spaces.
24. The computer system of claim 22 or 23, wherein the second request information further comprises a command identifier and a parameter to be processed, and the command identifier is used for indicating the type of TPM operation to be performed;
the vTPM service component is further configured to process the parameter to be processed based on the command identifier in the second request information and the data in the first storage space to obtain target data, and transmit the target data to the TrustZone Driver, where a destination of the target data is the vTPM proxy component;
the vTPM agent component is further configured to obtain the target data and transfer the target data to the first VM.
25. The computer system of claim 24, wherein the parameters to be processed include a key handle and data to be encrypted;
the vTPM service component is further used for calling a command call interface function to obtain the command identifier and the to-be-processed parameter in the second request information;
and the vTPM service component is further used for encrypting the data to be encrypted by adopting a key according to the command identifier, wherein the key is determined by the vTPM according to the key handle.
26. The computer system of claim 24, wherein the parameters to be processed include a key handle and data to be decrypted;
the vTPM service component is further used for calling a command call interface function to obtain the command identifier and the to-be-processed parameter in the second request information;
and the vTPM service component is further used for decrypting the data to be decrypted by adopting a key according to the command identifier, wherein the key is determined by the vTPM according to the key handle.
27. The computer system of any one of claims 22 to 26, wherein the vTPM agent component is further configured to obtain third request information from a second VM, where the third request information is used to request to perform TPM operations, obtain an identifier of the second VM, add the identifier of the second VM to the third request information to obtain fourth request information, where the fourth request information includes the identifier of the second VM, and transmit the fourth request information to the TrustZone Driver component, where a destination of the fourth request information is the vTPM service component;
the vTPM service component is configured to acquire the fourth request information through the TrustZone Driver component, and process the fourth request information based on data in the second storage space, where the second storage space is a storage space corresponding to the identifier of the second VM.
28. The computer system of any one of claims 22 to 27, wherein if the storage space corresponding to the identifier of the first VM does not exist in the trusted execution environment, the vTPM service component is further configured to allocate a storage space for the identifier of the first VM in the trusted execution environment, and perform TPM initialization operations on data in the allocated storage space, so that the data in the allocated storage space is updated to TPM initialization data, and the allocated storage space is used as the first storage space.
29. The computer system of claim 28, wherein the vTPM service component is further configured to look up storage space in volatile memory of the computer corresponding to the identity of the first VM, and allocate storage space in the volatile memory if storage space in the volatile memory corresponding to the identity of the first VM does not exist.
30. The computer system of any one of claims 22 to 29, wherein the second request information is transmitted in a first session, the first session being used to transmit, between the vTPM service component and the vTPM agent component, information for requesting performance of a TPM operation and/or target data, the target data being data obtained after performance of a TPM operation;
the vTPM agent component is further configured to, when the first VM is started, obtain an identifier of the first VM, generate fifth request information, where the fifth request information includes the identifier of the first VM, and transmit the fifth request information to the TrustZone Driver component, where the fifth request information is used to request establishment of the first session, and a destination of the fifth request information is the vTPM service component;
the vTPM service component is further used for acquiring the fifth request information through the TrustZone Driver component, and the vTPM service component allocates a storage space in a volatile memory of the computer and takes the allocated storage space as the first storage space.
31. The computer system of claim 30, wherein the first session is a session corresponding to an identification of the first VM,
the vTPM service component is further configured to invoke a session open interface function according to the identifier of the first VM included in the fifth request information, so as to establish a first session corresponding to the identifier of the first VM and obtain an identifier of the first session;
the vTPM service component is further configured to transfer the identifier of the first session to the TrustZone Driver component, and a destination of the identifier of the first session is the vTPM agent component.
32. The computer system of any of claims 29 to 31, wherein the vTPM service component is further configured to locate a storage space in a non-volatile memory of the computer that corresponds to the identity of the first VM; if the nonvolatile memory has a storage space corresponding to the identifier of the first VM, allocating the storage space in the volatile memory, and copying data in the storage space corresponding to the identifier of the first VM in the nonvolatile memory to the allocated storage space; and if the nonvolatile memory does not have the storage space corresponding to the identifier of the first VM, allocating the storage space in the volatile memory.
33. The computer system of any of claims 30 to 32, wherein the vTPM service component is further configured to mark allocated storage based on an identification of the first VM.
34. The computer system of any of claims 30 to 33, wherein the vTPM agent component is further configured to obtain sixth request information from the first VM, where the sixth request information is used to request that the first session be closed, obtain an identifier of the first VM, add the identifier of the first VM to the sixth request information to obtain seventh request information, where the seventh request information includes the identifier of the first VM, and deliver the seventh request information to the TrustZone Driver component, where a destination of the seventh request information is the vTPM service component;
the vTPM service component is further configured to acquire sixth request information, determine the first storage space according to the identifier of the first VM included in the sixth request information, and copy data of the first storage space to a third storage space, where the third storage space is located in a nonvolatile memory.
35. The computer system of any of claims 22 to 34, wherein the second request message is passed by the TrustZone Driver component to the vTPM service component in monitor mode, the TrustZone Driver component running in a rich execution environment of the computer.
36. A computer readable storage medium comprising computer readable instructions which, when run on a computer, cause the computer to perform the method of any of claims 1 to 19.
37. A computer program product comprising computer readable instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 19.
CN202011353009.2A 2020-10-27 2020-11-26 Method for realizing virtual trusted platform module and related device Pending CN114491544A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP21884358.9A EP4216087A4 (en) 2020-10-27 2021-04-09 Method for implementing virtual trusted platform module and related device
PCT/CN2021/086100 WO2022088615A1 (en) 2020-10-27 2021-04-09 Method for implementing virtual trusted platform module and related device
US18/307,041 US20230267214A1 (en) 2020-10-27 2023-04-26 Virtual trusted platform module implementation method and related apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011159996 2020-10-27
CN2020111599962 2020-10-27

Publications (1)

Publication Number Publication Date
CN114491544A true CN114491544A (en) 2022-05-13

Family

ID=81490190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011353009.2A Pending CN114491544A (en) 2020-10-27 2020-11-26 Method for realizing virtual trusted platform module and related device

Country Status (1)

Country Link
CN (1) CN114491544A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024051264A1 (en) * 2022-09-09 2024-03-14 华为技术有限公司 Data processing method, proxy apparatus and related device

Similar Documents

Publication Publication Date Title
EP2577543B1 (en) Secure virtual machine bootstrap in untrusted cloud infrastructures
US9904557B2 (en) Provisioning of operating systems to user terminals
EP3087524B1 (en) Virtual machine assurances
US8364975B2 (en) Methods and apparatus for protecting data
US10505721B2 (en) Secure virtualized data volumes
US8812871B2 (en) Method and apparatus for trusted execution in infrastructure as a service cloud environments
US8990582B2 (en) Virtual machine memory compartmentalization in multi-core architectures
US9536063B2 (en) Methods and apparatus for protecting software from unauthorized copying
US11200300B2 (en) Secure sharing of license data in computing systems
US8108940B2 (en) Method for protecting data from unauthorised access
WO2020076408A2 (en) Trusted booting by hardware root of trust (hrot) device
US20220245255A1 (en) Systems and methods for processor virtualization
CN114238185A (en) Direct storage access and command data transmission method, device and related equipment
CN114296873A (en) Virtual machine image protection method, related device, chip and electronic equipment
CN114491544A (en) Method for realizing virtual trusted platform module and related device
US10824766B2 (en) Technologies for authenticated USB device policy enforcement
US20230267214A1 (en) Virtual trusted platform module implementation method and related apparatus
CN114600102A (en) Apparatus and method for protecting shared objects
aw Ideler Cryptography as a service in a cloud computing environment
Quaresma TrustZone Based Attestation in Secure Runtime Verification for Embedded Systems
Weiß et al. Integrity verification and secure loading of remote binaries for microkernel-based runtime environments
CN118101201A (en) DICE and pKVM-based privacy data protection system and method
JP2023553424A (en) Digital content management with on-die encryption and remote authentication
CN113485790A (en) Restarting method, migration method and related equipment of virtual machine
CN115756314A (en) NVRAM data processing method, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination