CN115904612A - Virtual machine migration method and device - Google Patents
Virtual machine migration method and device Download PDFInfo
- Publication number
- CN115904612A CN115904612A CN202211307370.0A CN202211307370A CN115904612A CN 115904612 A CN115904612 A CN 115904612A CN 202211307370 A CN202211307370 A CN 202211307370A CN 115904612 A CN115904612 A CN 115904612A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- memory
- data
- migration
- destination
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
An embodiment of the present specification provides a virtual machine migration method and a virtual machine migration device, where the virtual machine migration method is applied to a source-end proxy virtual machine, and the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and the virtual machine migration method includes: in response to a virtual machine migration instruction, decrypting data in a memory according to an encryption mechanism of the data in the memory, and determining target data; and sending the target data to a destination end virtual machine through the source end virtual machine. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access right to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
Description
Technical Field
The embodiment of the specification relates to the technical field of virtual machines, in particular to a virtual machine migration method.
Background
With the rapid development of cloud computing, security on the cloud is more and more concerned by users. Cloud Service Providers (CSPs) typically virtualize various physical resources to provide users with extreme flexibility. In the virtualization technology, the CSP is responsible for providing isolation between virtual machines and has absolute control over the resource usage of the virtual machines. However, isolation failure may be caused by software bugs in any cloud infrastructure, and thus, a tenant or a CSP is attacked; furthermore, under the current security model on the cloud, many users lack trust in the CSP, so the willingness to move items to the cloud is not strong.
In order to enhance isolation among tenants and solve the problem of too high permission of the CSP in the current virtualization architecture, processor manufacturers develop new hardware security features, namely, a technology for providing security protection at the virtual machine level, which is called a confidential virtual machine. Some current schemes provide confidentiality and integrity protection to varying degrees for memory and registers, etc. of virtual machines. However, these techniques pose significant challenges for thermomigration on the cloud. There is a need for a scheme that allows for fast migration.
Disclosure of Invention
In view of this, the embodiments of the present specification provide two virtual machine migration methods. One or more embodiments of the present disclosure relate to two virtual machine migration apparatuses, a virtual machine migration system, a computing device, a computer-readable storage medium, and a computer program, so as to solve technical deficiencies in the prior art.
According to a first aspect of the embodiments of the present specification, there is provided a virtual machine migration method, applied to a source-end proxy virtual machine, where the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, the method including:
responding to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data;
and sending the target data to a destination end virtual machine through the source end virtual machine.
According to a second aspect of the embodiments of the present specification, there is provided a virtual machine migration method, which is applied to a destination proxy virtual machine, where the destination proxy virtual machine and the destination virtual machine share a memory and have the same access right to the memory, and the method includes:
receiving target data sent by a source end virtual machine through the target end virtual machine, and encrypting the target data according to an encryption mechanism of data in the memory;
and writing the encrypted target data into the memory.
According to a third aspect of the embodiments of the present specification, a virtual machine migration system is provided, including a source-end virtual agent machine, a source-end virtual machine, a destination-end virtual agent machine, and a destination-end virtual machine, where the source-end virtual agent machine and the source-end virtual machine share a first memory and have the same access right to the first memory, and the destination-end virtual machine share a second memory and have the same access right to the second memory;
the source end proxy virtual machine is configured to respond to a virtual machine migration instruction, decrypt data in the first memory according to an encryption mechanism of the data in the first memory, determine target data, and send the target data to the source end virtual machine;
the source end virtual machine is configured to send the target data to the destination end virtual machine;
the destination virtual machine is configured to send the target data to the destination proxy virtual machine;
the destination agent virtual machine is configured to encrypt the target data according to an encryption mechanism of the data in the memory, and write the encrypted target data into the second memory.
According to a fourth aspect of the embodiments of the present specification, there is provided a virtual machine migration apparatus, applied to a source-end proxy virtual machine, where the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, including:
the data acquisition module is configured to respond to a virtual machine migration instruction, decrypt data in the memory according to an encryption mechanism of the data in the memory, and determine target data;
and the data migration module is configured to send the target data to a destination virtual machine through the source virtual machine.
According to a fifth aspect of the embodiments of the present specification, there is provided a virtual machine migration apparatus, which is applied to a destination proxy virtual machine, where the destination proxy virtual machine and the destination virtual machine share a memory and have the same access right to the memory, and the apparatus includes:
the data encryption module is configured to receive target data sent by a source virtual machine through the destination virtual machine and encrypt the target data according to an encryption mechanism of data in the memory;
and the data writing module is configured to write the encrypted target data into the memory.
According to a sixth aspect of embodiments herein, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions, which when executed by the processor implement the steps of the virtual machine migration method described above.
According to a seventh aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the virtual machine migration method described above.
According to an eighth aspect of embodiments herein, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the virtual machine migration method described above.
An embodiment of the present specification provides a virtual machine migration method and an apparatus, where the virtual machine migration method is applied to a source-end proxy virtual machine, and the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and the virtual machine migration method includes: responding to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data; and sending the target data to a destination virtual machine through the source virtual machine. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access authority to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
Drawings
Fig. 1 is a schematic view of a scenario of a virtual machine migration method according to an embodiment of the present specification;
fig. 2 is a flowchart of a virtual machine migration method according to an embodiment of the present specification;
FIG. 3 is a flow diagram of another method for virtual machine migration according to one embodiment of the present description;
FIG. 4 is an architecture diagram of a virtual machine migration system according to an embodiment of the present description;
fig. 5 is a schematic structural diagram of a virtual machine migration apparatus according to an embodiment of the present specification;
fig. 6 is a schematic structural diagram of another virtual machine migration apparatus provided in an embodiment of the present specification;
fig. 7 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein in one or more embodiments to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if," as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination," depending on the context.
First, the noun terms to which one or more embodiments of the present specification relate are explained.
Server Virtualization technology (Virtualization): server virtualization technology can use a single physical server as multiple computers, thereby saving the cost of more servers and workstations. Typically, the physical server is called Host and the virtualized server is called Guest. In the traditional virtualization technology, host has absolute control right on resources of Guest.
Confidential virtual machine (Confidential VM): the confidential virtual machine is a novel virtualization framework, and provides all-round protection such as memory, registers, interruption and the like for the running virtual machine by utilizing a trusted execution environment based on hardware, so that malicious Host is prevented from accessing or tampering with relevant data of Guest.
Live Migration (Live Migration): the method is also called dynamic migration and real-time migration, and generally, the running state of the virtual machine is completely stored, and meanwhile, the running state can be quickly restored to an original hardware platform or even different platforms. The live migration typically involves two physical servers, the migrator being called the source and the migrator being called the destination.
QEMU (Quick Emulator): QEMU is a VMM (Virtual Machine Monitor) on a host Machine that emulates the CPU through dynamic binary translation and provides a series of hardware models.
Multifd: is a property of QEMU thermophoresis.
KVM: the short name of Kernel-based Virtual Machine, chinese is virtualization technology, and is an open-source system virtualization module.
vCPU (virtual central processing unit): a virtual processor in a computer; a CPU within a virtual machine as opposed to a physical CPU.
Xbzrle: a memory difference data compression technology based on XOR operation is characterized in that memory page data differences are obtained through XOR operation and are compressed according to a certain format.
Transport Layer Security (TLS): for providing privacy and data integrity between two communicating applications, the protocol consists of two layers: the TLS Record protocol (TLS Record) and the TLS Handshake protocol (TLS Handshake).
AES: advanced Encryption Standard (Advanced Encryption Standard) in cryptography, also known as Rijndael Encryption.
Memory (Memory): the main components of a computer, also called an internal memory and a main memory, temporarily store operation data in a CPU and data exchanged with an external memory such as a hard disk.
Mirror image (Mirroring): the storage method is a file storage form and a redundant type, and data on one disk has an identical copy on another disk, namely the mirror image.
Context: in computer science, the context of a task is a set of data (which may be a process, a thread) that is essential to a task. These data allow the task to be interrupted, after which it can continue to execute in the same place.
Register: the function of the method is to store binary codes, and the method is formed by combining triggers with storage functions. One flip-flop can store 1-bit binary codes, so a register for storing n-bit binary codes needs to be formed by n flip-flops.
In the current solutions, some confidential virtual machine solutions do not provide a method for performing thermal migration, and in other solutions, in order to ensure confidentiality and integrity of memory data during transmission, extra processing such as encryption and the like of privileged hardware or components before migration is often required. Such privileged components generally have the disadvantages of low operation efficiency, high communication cost and the like, and are difficult to apply the existing hot migration optimization strategy, so that the problems of long migration and downtime are often faced in practice. Especially when a virtual machine with a memory as high as hundred G (Ji Zijie) is faced, the actual thermal migration transmission bandwidth of the native thermal migration scheme is only 3-6 MB/s, and the native thermal migration scheme basically cannot take effect, which has become an important obstacle that restricts the wide use of the confidential virtual machine on the cloud.
In order to solve the problems, a rapid thermal migration scheme based on a migration component is provided, a large number of CPUs with strong computing power can be used for acceleration, the migration speed can be improved by about two orders of magnitude, a tenant and a CSP are allowed to customize logic of memory thermal migration, memory data safety can be guaranteed at the same time of high efficiency, and finally elastic and safe extreme experience is provided for the tenant.
In view of this, in the present specification, two virtual machine migration methods are provided, and the present specification simultaneously relates to two virtual machine migration apparatuses, a virtual machine migration system, a computing device, and a computer-readable storage medium, which are described in detail one by one in the following embodiments.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of a virtual machine migration method according to an embodiment of the present specification, where the scenario includes a source end virtual machine, a source end proxy virtual machine, a destination end virtual machine, and a destination end proxy virtual machine. The source end virtual machine is a confidential virtual machine, the source end proxy virtual machine and the source end virtual machine share a first memory and have the same access authority to the first memory, and the destination end proxy virtual machine and the destination end virtual machine share a second memory and have the same access authority to the second memory.
Under the condition that a source end virtual machine needs to be migrated to a destination end virtual machine, the source end virtual machine receives a virtual machine migration instruction and sends the virtual machine migration instruction to a source end proxy virtual machine, the source end proxy virtual machine reads first memory data according to the virtual machine migration instruction, decrypts the first memory data at the same time, stores the decrypted data in a memory page reserved in a first memory, and sends a feedback message to the source end virtual machine. After receiving the feedback message, the source end virtual machine reads out the data in the reserved memory page and sends the data to the destination end virtual machine.
After receiving the data sent by the source end virtual machine, the destination end virtual machine stores the data into the reserved memory page in the second memory, and the destination end proxy virtual machine reads the data in the reserved memory page in the second memory, encrypts the data, and stores the encrypted data in the second memory. The destination virtual machine can use the same memory data as the source virtual machine, and the virtual machine migration is completed.
In this embodiment of the present description, the source-end virtual machine and the source-end proxy virtual machine share a memory and have the same access right to data in the memory, so that the source-end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
Referring to fig. 2, fig. 2 is a flowchart illustrating a virtual machine migration method according to an embodiment of the present disclosure, where the virtual machine migration method is applied to a source-end proxy virtual machine, and the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and the virtual machine migration method specifically includes the following steps.
Step 202: and responding to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data.
The source virtual machine may be a virtual machine to be migrated, for example, the source virtual machine may be a confidential virtual machine; the source end agent virtual machine can be a virtual machine for migration operation; the virtual machine migration instruction may be an instruction for migrating a certain virtual machine; the encryption mechanism may be an algorithmic mechanism that encrypts data, e.g., AES-256, AES-128, etc.; the target data may be data to be migrated.
In actual application, a source end virtual machine may be deployed with a QEMU, and a source end proxy virtual machine may be deployed with a migration component. In the process of migrating a certain virtual machine, the QEMU of the source-end virtual machine receives a migration instruction, then sends the virtual machine migration instruction to the migration component of the source-end proxy virtual machine, the migration component reads data in the shared memory in response to the virtual machine migration instruction, and in the process of reading, decryption can be performed by using the security capability of hardware.
It should be noted that before the source virtual machine performs migration, a source proxy virtual machine needs to be created. Specifically, after a source Virtual Machine (PVM) creates and initializes a secret Virtual Machine context, an interface calling a KVM creates a new Virtual Machine, called a source proxy Virtual Machine (MVM), and requests the KVM to copy a security context related to the secret Virtual Machine in the source Virtual Machine to the source Virtual Machine, so that hardware appears to be indistinguishable from the source Virtual Machine and the source Virtual Machine. And then, the memory bank inserted into the source end virtual machine is inserted into the source end proxy virtual machine again, so that the source end proxy virtual machine and the source end proxy virtual machine share the same memory. In addition, for the initialization of a virtual processor (vCPU) of the source virtual machine, a specified number of vcpus are initialized in the context of the source proxy virtual machine, initial values of registers of the vcpus, such as a stack, an IP, a control register and the like, are set as required, and then a specific interface of the confidential virtual machine is called to encrypt and measure the register value of the vCPU. Furthermore, the migration component needs to be initialized, and is responsible for assisting live migration, loading the mirror image of the migration component to a preset position, and calling an interface of the confidential virtual machine to measure and encrypt the mirror image.
Accordingly, the destination proxy virtual machine and the source proxy virtual machine are the same in creation method, and details are not repeated in this embodiment of the present description. Because the migration component is loaded into the memory and encrypted and measured by the confidential virtual machine, the credibility of the migration component is improved, and the safety of the system is also improved. In addition, because the number of the vCPUs can be specified, the vCPUs can be increased or decreased according to requirements, and the universality of the scheme is improved.
For example, virtual machine A needs to be migrated, which may be a confidential virtual machine with the encryption algorithm AES-256. The virtual machine A sends a virtual machine migration instruction to the corresponding proxy virtual machine A1, the proxy virtual machine A1 reads data from the shared memory, decrypts the data through an AES-256 algorithm, and the decrypted data are used as target data.
In practical applications, the target data may also be a part of the decrypted data.
As another example, virtual machine A may need to be migrated, which may be a confidential virtual machine with AES-256 as its encryption algorithm. The virtual machine A sends a virtual machine migration instruction to the corresponding proxy virtual machine A1, the proxy virtual machine A1 reads data from the shared memory, the data are decrypted through an AES-256 algorithm, and a part of needed data are selected from the decrypted data to serve as target data.
The embodiment of the description is based on the shared memory, so that the source-end proxy virtual machine can directly access the data in the memory of the source-end virtual machine, and thus the data can be directly read from the memory data of the source-end virtual machine and migrated without context switching, and the data migration speed is increased. In addition, the source-end proxy virtual machine can perform calculation based on a general processor and does not depend on specific high-authority hardware, so that the calculation capacity is improved. Furthermore, the source end proxy virtual machine is created, so that the source end proxy virtual machine and the source end virtual machine are completely isolated except for the shared memory, and the running stability of the source end virtual machine is improved.
In one possible implementation manner, before the responding to the virtual machine migration instruction, the method further includes:
determining migration parameters of the virtual machine with the destination agent, performing key agreement with the virtual machine with the destination agent, and determining a migration key.
The migration parameters may include a transmission protocol, whether data is compressed, and an algorithm and a method for optimizing transmission of the data, for example, the data needs to be compressed, and the algorithm for compression may be xbzlle. The migration key may be a key that encrypts the transmission data.
In practical application, before performing the live migration, the live migration initialization needs to be performed, first, the live migration context initialization of the trusted hardware of the source end and the destination end is performed according to the design of the native live migration of the confidential virtual machine, and the source end virtual machine and the destination end virtual machine verify the identity and negotiate a transmission key. And then starting the vCPU to perform version query and characteristic detection, and ensuring that the source end and the destination end adopt the same transmission optimization method. The version query refers to version query of the migration component, and the characteristic detection refers to detection of characteristics such as compression, encryption, transmission and the like, so that the source-end proxy virtual machine and the destination-end proxy virtual machine have the same configuration, and the source-end virtual machine and the destination-end virtual machine can process data according to the same configuration.
For example, the source proxy virtual machine and the destination proxy virtual machine perform the determination of whether to compress: data needs to be compressed, the compression algorithm is XBZRLE, and the mode of encrypting the compressed data is determined as follows: TLS encrypts to generate a corresponding key at the source proxy virtual machine.
In this embodiment of the present description, before responding to a virtual machine migration instruction, the source proxy virtual machine determines migration parameters of the destination proxy virtual machine, and performs key agreement with the destination proxy virtual machine, so as to ensure that transmitted data can be processed based on the same method, ensure integrity of the data, and improve security of the data.
In a possible implementation manner, the performing key negotiation with the destination proxy virtual machine includes:
generating a migration key according to a preset key generation rule;
and sending the migration key to the destination agent virtual machine.
The preset key generation rule may be generated according to a determined encryption rule, for example, if it is determined that TLS encryption is to be performed, a key is generated according to a rule of the TLS protocol.
In practical application, in order to protect data transmitted in fast live migration from being stolen, a symmetric key can be negotiated between a migration component in a source-end proxy virtual machine and a migration component in a destination-end proxy virtual machine through the migration component in the source-end proxy virtual machine and the migration component in the destination-end proxy virtual machine. At this time, the migration component in the source-end proxy virtual machine generates a symmetric key by using the cryptographically secure entropy, writes the symmetric key to the specified memory page, and then migrates the key to the destination end by using the native live migration mechanism. The native live migration mechanism refers to a method provided by a secret virtual machine vendor.
Following the above example, the source proxy virtual machine and the destination proxy virtual machine perform the determination of whether to compress: data needs to be compressed, the compression algorithm is XBZRLE, and the way of encrypting the compressed data is determined as follows: TLS is encrypted, so that a corresponding key is generated in the source-end proxy virtual machine according to the TLS protocol, the key is stored in a pre-specified memory page in a memory, and an Application Program Interface (API) for migration of a confidential virtual machine manufacturer is called, so that the key is sent to the destination-end virtual machine.
Accordingly, after receiving the key, the destination virtual machine writes the key into a pre-specified memory page in the memory, so that the destination proxy virtual machine can obtain the key.
In the embodiment of the specification, the decrypted memory data is encrypted, so that the memory data is kept secret in the transmission process, and the security of the data is improved.
It should be noted that, not only the key agreement may be performed by using the above method, but also the secret virtual machine supporting the run-time remote attestation may negotiate a key based on the remote attestation, and the embodiment of the present specification is not limited.
In a possible implementation manner, the sending, by the source virtual machine, the target data to the destination virtual machine includes:
processing the target data according to the migration parameters and the migration keys;
and sending the processed target data to a destination virtual machine through the source virtual machine.
In practical applications, data needs to be compressed and encrypted to be sent to the destination virtual machine.
For example, the source proxy virtual machine and the destination proxy virtual machine perform the determination of whether to compress: the data needs to be compressed, the compression algorithm is XBZRLE, and the encryption mode of the compressed data is determined, so that a corresponding key is generated in a source end proxy virtual machine, and the key is sent to a destination end proxy virtual machine. After the source-end proxy virtual machine acquires the target data, the target data are processed according to a compression algorithm XBZRLE and a TLS protocol, then the encrypted target data are sent to the source-end virtual machine, and the source-end virtual machine sends the data to the destination-end virtual machine.
In the embodiment of the specification, the target data is processed through the migration parameters and the migration key, and then the processed target data is sent to the destination virtual machine through the source virtual machine, so that the efficiency and the safety in the data transmission process are ensured.
In a possible implementation manner, the processing the target data according to the migration parameter and the migration key includes:
and determining a compression algorithm according to the migration parameters, compressing the target data according to the compression algorithm, and encrypting the compressed target data according to the migration key.
The compression algorithm may be Multifd, xbzlle, zero Page, lz4, and the like.
For example, after the source-end proxy virtual machine acquires the target data, the target data is compressed according to a compression algorithm xbzlle, and is encrypted through a TLS protocol.
In the embodiment of the description, the decrypted memory data is compressed and encrypted, so that the transmission efficiency and the security of the data are improved in the transmission process. And because the migration component is a component realized by software, various compression algorithms can be realized by the migration component, and the required hot migration technology can be dynamically realized and enabled according to the characteristics of user loads. The universality of the scheme is improved.
Step 204: and sending the target data to a destination end virtual machine through the source end virtual machine.
In practical application, after the target data is determined, the source end virtual machine and the destination end virtual machine may be used to send the target data based on a native migration mechanism, so as to perform migration of data in the memory.
For example, virtual machine A needs to be migrated, which may be a confidential virtual machine with the encryption algorithm AES-256. The virtual machine A sends a virtual machine migration instruction to the corresponding proxy virtual machine A1, the proxy virtual machine A1 reads data from the shared memory, the data are decrypted through an AES-256 algorithm, and a part of needed data are selected from the decrypted data to serve as target data. And processing the target data according to a compression algorithm XBZRLE and a TLS protocol, then sending the encrypted target data to the source end virtual machine, and sending the target data to the destination end virtual machine by the source end virtual machine.
The embodiment of the description uses the communication capability from the source end virtual machine to the destination end virtual machine to transmit data, and does not need to establish a new communication link, thereby reducing the complexity.
In a possible implementation manner, the sending, by the source virtual machine, the target data to the destination virtual machine includes:
and storing the target data to a preset memory page in the memory, and sending a feedback message to the source end virtual machine, so that the source end virtual machine acquires the target data from the preset memory page according to the feedback message, and sends the target data to a destination end virtual machine.
The preset memory page may be a memory page reserved in advance for storing the target data in the memory; the feedback message may be a feedback message to the virtual machine migration instruction.
In actual practice, the migration component exclusively reserves a number of shared memory pages for communication with the QEMU. At the source virtual machine, the live migration component of the QEMU sends a request (i.e., the physical address of the virtual machine to be migrated) to the migration component and listens for shared data waiting for a response. After receiving the response, QEMU copies the encrypted memory page data from the shared memory, and sends the memory page data and the physical address of the virtual machine to the channel. And the destination terminal copies the data into the memory shared with the migration component after receiving the data, and informs the destination terminal of the arrival of a new memory page through the shared memory. In the above flow, the migration component will use its capability of running to access data in the encrypted memory to complete the reading/writing of data and the validation of the page.
For example, virtual machine A needs to be migrated, which may be a confidential virtual machine with the encryption algorithm AES-256. The virtual machine A sends a virtual machine migration instruction to the corresponding proxy virtual machine A1, the proxy virtual machine A1 reads data from the shared memory, the data are decrypted through an AES-256 algorithm, and a part of needed data are selected from the decrypted data to serve as target data. And processing the target data according to a compression algorithm XBZRLE and a TLS protocol, then putting the processed target data into a reserved memory page in the memory, and sending a feedback message to the virtual machine A. Therefore, the virtual machine a can acquire the target data from the memory page reserved in the memory and send the target data to the destination virtual machine.
In the embodiment of the present specification, the memory page of the memory is reserved separately as a place for storing the target data, so that the source end virtual machine can directly obtain the target data, and the processing complexity of the data is reduced. Moreover, the migration component realized by software has stronger expansibility, and can meet different requirements of users on safety and performance, namely, users who are extremely sensitive to performance and less sensitive to safety can select an algorithm with high speed but weak safety so as to improve the migration speed. Users who are extremely sensitive to security and insensitive to performance can not only use the high-security cryptographic algorithm, but also apply other security techniques to enhance the transmission security of the memory page.
In one possible implementation manner, the method further includes:
and under the condition that the source end virtual machine is stopped, acquiring task data of uncompleted tasks of the source end virtual machine, and migrating the task data.
The shutdown can be understood as the shutdown of the virtual machine; the uncompleted tasks may be thread tasks in a virtual machine, etc., and accordingly, the task data may be context.
In practical application, under the condition that the source end virtual machine enters a shutdown state, the context information of the confidential virtual machine is migrated by using a native live migration mechanism, and after the memory transfer is completed, the execution of the vCPU of the source end proxy virtual machine is suspended to prepare for the next live migration transfer.
For example, after the migration of the memory data is completed, the source virtual machine needs to be shut down, and after the shutdown, because some thread tasks are interrupted, new contexts are generated, and then the contexts need to be migrated to the destination virtual machine.
An embodiment of the present specification provides a virtual machine migration method and a virtual machine migration device, where the virtual machine migration method is applied to a source-end proxy virtual machine, and the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and the virtual machine migration method includes: in response to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data; and sending the target data to a destination end virtual machine through the source end virtual machine. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access right to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
An embodiment of the present specification further provides another virtual machine migration method, which is applied to a destination-side proxy virtual machine, where the destination-side proxy virtual machine and the destination-side virtual machine share a memory and have the same access right to the memory, and referring to fig. 3, fig. 3 shows a flowchart of another virtual machine migration method, where the method includes:
step 302: and receiving target data sent by a source end virtual machine through the target end virtual machine, and encrypting the target data according to an encryption mechanism of the data in the memory.
In practical application, the destination proxy virtual machine and the source proxy virtual machine have similar processing modes, and before storing target data in a memory, the target data needs to be encrypted according to a based encryption method, and then the encrypted data is stored in the memory.
For example, after the destination proxy virtual machine receives the target data, it is determined that the target data is processed through the compression algorithms xbzlle and TLS protocol based on the migration parameters previously determined by the destination proxy virtual machine and the key obtained by performing key agreement, and then the target data needs to be decrypted by using the key obtained by the previous key agreement, decompressed by using the xbzlle, and encrypted by the AES-256 algorithm corresponding to the trusted execution environment after the target data is decrypted into the plaintext.
The embodiment of the specification is based on the shared memory, so that the destination proxy virtual machine can directly access data in the memory of the destination virtual machine, and thus the data can be directly read from the memory data of the destination virtual machine and encrypted and written, and the data processing efficiency is improved.
Step 304: and writing the encrypted target data into the memory.
In a possible implementation manner, the receiving, by the destination virtual machine, target data sent by a source virtual machine includes:
and acquiring the target data from a preset memory page, wherein the target data is received by the destination virtual machine from the source virtual machine and is stored in the preset memory page.
In practical application, the destination proxy virtual machine and the source proxy virtual machine are processed in a similar manner, that is, a memory page for storing target data is reserved in a memory in advance, so that after the destination virtual machine receives the target data, the target data can be stored in the memory page, and the destination proxy virtual machine can acquire and process the target data.
In the above example, the target data is processed by the compression algorithms xbzlle and TLS protocol, so that the target data needs to be decrypted by using the key obtained in the previous key negotiation, decompressed by using xbzlle, encrypted by using the AES-256 algorithm after being decrypted into plaintext, and written into the memory, so that the target data can be used by the destination virtual machine, and the purpose of virtual machine migration is achieved.
An embodiment of the present specification provides a virtual machine migration method and an apparatus, where the virtual machine migration method is applied to a destination proxy virtual machine, and the destination proxy virtual machine and the destination virtual machine share a memory and have the same access right to the memory, and the virtual machine migration method includes: and receiving target data sent by a source end virtual machine through the target end virtual machine, encrypting the target data according to an encryption mechanism of the data in the memory, and writing the encrypted target data into the memory. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access authority to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
An embodiment of the present specification further provides a virtual machine migration system, including a source end virtual agent machine, a source end virtual machine, a destination end virtual agent machine, and a destination end virtual machine, where the source end virtual agent machine and the source end virtual machine share a first memory and have the same access right to the first memory, and the destination end virtual agent machine and the destination end virtual machine share a second memory and have the same access right to the second memory;
the source end proxy virtual machine is configured to respond to a virtual machine migration instruction, decrypt data in the first memory according to an encryption mechanism of the data in the first memory, determine target data, and send the target data to the source end virtual machine;
the source end virtual machine is configured to send the target data to the destination end virtual machine;
the destination virtual machine is configured to send the target data to the destination proxy virtual machine;
the destination agent virtual machine is configured to encrypt the target data according to an encryption mechanism of the data in the memory, and write the encrypted target data into the second memory.
In one possible implementation, referring to fig. 4, fig. 4 shows an architecture diagram of a virtual machine migration system. The system comprises a source end virtual machine, a source end proxy virtual machine, a destination end virtual machine and a destination end proxy virtual machine. The source end virtual machine is a confidential virtual machine, the source end proxy virtual machine and the source end virtual machine share a first memory and have the same access authority to the first memory, and the destination end proxy virtual machine and the destination end virtual machine share a second memory and have the same access authority to the second memory. The source end virtual machine, the source end proxy virtual machine, the destination end virtual machine and the destination end proxy virtual machine all have at least one virtual CPU (vCPU), migration components are installed in the source end proxy virtual machine and the destination end proxy virtual machine, the source end proxy virtual machine can also determine migration parameters of the destination end proxy virtual machine through the migration components, the source end proxy virtual machine can generate a key for transmitting data, and the key is sent to the destination end proxy virtual machine.
Under the condition that the source end virtual machine needs to be migrated to the destination end virtual machine, the source end virtual machine receives a virtual machine migration instruction and sends the virtual machine migration instruction to the source end proxy virtual machine, the source end proxy virtual machine reads out the first memory data according to the virtual machine migration instruction, decrypts the first memory data at the same time, stores the decrypted data in a memory page reserved in a first memory, and sends a feedback message to the source end virtual machine. After receiving the feedback message, the source end virtual machine reads out the data in the reserved memory page and sends the data to the destination end virtual machine.
After receiving the data sent by the source end virtual machine, the destination end virtual machine stores the data into a reserved memory page in the second memory, and the destination end proxy virtual machine reads the data in the reserved memory page in the second memory, processes the data according to the determined migration parameters and the negotiated key, and encrypts the data, so that the encrypted data is stored in the second memory. The destination virtual machine can use the same memory data as the source virtual machine, and the virtual machine migration is completed.
An embodiment of the present specification provides a virtual machine migration system, including a source end virtual agent machine, a source end virtual machine, a destination end virtual agent machine, and a destination end virtual machine, where the source end virtual agent machine and the source end virtual machine share a first memory and have the same access right to the first memory, and the destination end virtual agent machine and the destination end virtual machine share a second memory and have the same access right to the second memory; the source end proxy virtual machine is configured to respond to a virtual machine migration instruction, decrypt data in the first memory according to an encryption mechanism of the data in the first memory, determine target data, and send the target data to the source end virtual machine; the source end virtual machine is configured to send the target data to the destination end virtual machine; the destination virtual machine is configured to send the target data to the destination proxy virtual machine; the destination agent virtual machine is configured to encrypt the target data according to an encryption mechanism of the data in the memory, and write the encrypted target data into the second memory. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access right to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machines.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a virtual machine migration apparatus, and fig. 5 illustrates a schematic structural diagram of a virtual machine migration apparatus provided in an embodiment of the present specification. As shown in fig. 5, the virtual machine migration apparatus is applied to a source-end proxy virtual machine, where the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and includes:
a data obtaining module 502, configured to, in response to the virtual machine migration instruction, decrypt the data in the memory according to an encryption mechanism of the data in the memory, and determine target data;
a data migration module 504 configured to send the target data to a destination virtual machine through the source virtual machine.
In one possible implementation, the data obtaining module 502 is further configured to:
determining migration parameters of the virtual machine with the destination agent, performing key agreement with the virtual machine with the destination agent, and determining a migration key.
In one possible implementation, the data obtaining module 502 is further configured to:
processing the target data according to the migration parameters and the migration keys;
and sending the processed target data to a destination end virtual machine through the source end virtual machine.
In one possible implementation, the data obtaining module 502 is further configured to:
and determining a compression algorithm according to the migration parameters, compressing the target data according to the compression algorithm, and encrypting the compressed target data according to the migration key.
In one possible implementation, the data migration module 504 is further configured to:
and storing the target data to a preset memory page in the memory, and sending a feedback message to the source end virtual machine, so that the source end virtual machine acquires the target data from the preset memory page according to the feedback message, and sends the target data to a destination end virtual machine.
In one possible implementation, the data obtaining module 502 is further configured to:
generating a migration key according to a preset key generation rule;
and sending the migration key to the destination agent virtual machine.
In one possible implementation, the data migration module 504 is further configured to:
and under the condition that the source end virtual machine is stopped, acquiring task data of uncompleted tasks of the source end virtual machine, and migrating the task data.
An embodiment of the present specification provides a virtual machine migration method and a virtual machine migration device, where the virtual machine migration device is applied to a source-end proxy virtual machine, and the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access right to the memory, and the virtual machine migration device includes: in response to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data; and sending the target data to a destination end virtual machine through the source end virtual machine. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access right to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
Corresponding to the above method embodiment, this specification further provides an embodiment of a virtual machine migration apparatus, and fig. 6 shows a schematic structural diagram of another virtual machine migration apparatus provided in an embodiment of this specification. As shown in fig. 6, the virtual machine migration apparatus is applied to a destination-side proxy virtual machine, where the destination-side proxy virtual machine and the destination-side virtual machine share a memory and have the same access right to the memory, and includes:
a data encryption module 602, configured to receive, by the destination virtual machine, target data sent by a source virtual machine, and encrypt the target data according to an encryption mechanism of data in the memory;
a data writing module 604 configured to write the encrypted target data into the memory.
In one possible implementation, the data writing module 604 is further configured to:
and acquiring the target data from a preset memory page, wherein the target data is received by the destination virtual machine from the source virtual machine and is stored in the preset memory page.
An embodiment of the present specification provides a virtual machine migration method and a virtual machine migration apparatus, where the virtual machine migration method is applied to a destination-side proxy virtual machine, the destination-side proxy virtual machine and the destination-side virtual machine share a memory and have the same access right to the memory, and the virtual machine migration apparatus includes: receiving target data sent by a source end virtual machine through the target end virtual machine, and encrypting the target data according to an encryption mechanism of the data in the memory; and writing the encrypted target data into the memory. The source end virtual machine and the source end proxy virtual machine share the memory and have the same access authority to the data in the memory, so that the source end proxy virtual machine can read the data in the memory and migrate the data in the memory. And because the source end virtual machine and the source end proxy virtual machine share the memory, the speed of reading the memory data by the source end proxy virtual machine can utilize the characteristic of high memory speed, thereby improving the migration speed of the virtual machine.
The foregoing is a schematic scheme of a virtual machine migration apparatus in this embodiment. It should be noted that the technical solution of the virtual machine migration apparatus and the technical solution of the virtual machine migration method belong to the same concept, and details that are not described in detail in the technical solution of the virtual machine migration apparatus can be referred to the description of the technical solution of the virtual machine migration method.
FIG. 7 illustrates a block diagram of a computing device 700, provided in accordance with one embodiment of the present description. The components of the computing device 700 include, but are not limited to, memory 710 and a processor 720. Processor 720 is coupled to memory 710 via bus 730, and database 750 is used to store data.
Computing device 700 also includes access device 740, access device 740 enabling computing device 700 to communicate via one or more networks 760. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. Access device 740 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE802.11 Wireless Local Area Network (WLAN) wireless interface, a worldwide interoperability for microwave access (Wi-MAX) interface, an ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 700, as well as other components not shown in FIG. 7, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device structure shown in FIG. 7 is for purposes of example only and is not limiting as to the scope of the description. Those skilled in the art may add or replace other components as desired.
Computing device 700 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 700 may also be a mobile or stationary server.
Wherein the processor 720 is configured to execute computer-executable instructions that, when executed by the processor, implement the steps of the virtual machine migration method described above.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the virtual machine migration method described above belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the virtual machine migration method described above.
An embodiment of the present specification further provides a computer-readable storage medium storing computer-executable instructions, which when executed by a processor implement the steps of the virtual machine migration method described above.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium and the technical solution of the virtual machine migration method belong to the same concept, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the virtual machine migration method.
An embodiment of the present specification further provides a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the virtual machine migration method.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the virtual machine migration method belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the virtual machine migration method.
The foregoing description of specific embodiments has been presented for purposes of illustration and description. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, read-Only Memory (ROM), random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer-readable medium may contain suitable additions or subtractions depending on the requirements of legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer-readable media may not include electrical carrier signals or telecommunication signals in accordance with legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Further, those skilled in the art should also appreciate that the embodiments described in this specification are preferred embodiments and that acts and modules referred to are not necessarily required for an embodiment of the specification.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.
Claims (14)
1. A virtual machine migration method is applied to a source-end proxy virtual machine, wherein the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access authority to the memory, and the method comprises the following steps:
responding to a virtual machine migration instruction, decrypting the data in the memory according to an encryption mechanism of the data in the memory, and determining target data;
and sending the target data to a destination virtual machine through the source virtual machine.
2. The method of claim 1, prior to said responding to a virtual machine migration instruction, further comprising:
determining migration parameters of the virtual machine with the destination agent, performing key agreement with the virtual machine with the destination agent, and determining a migration key.
3. The method of claim 2, wherein sending the target data to a destination virtual machine by the source virtual machine comprises:
processing the target data according to the migration parameters and the migration keys;
and sending the processed target data to a destination end virtual machine through the source end virtual machine.
4. The method of claim 3, wherein the processing the target data according to the migration parameters and the migration key comprises:
and determining a compression algorithm according to the migration parameters, compressing the target data according to the compression algorithm, and encrypting the compressed target data according to the migration key.
5. The method of claim 1, wherein sending the target data to a destination virtual machine by the source virtual machine comprises:
and storing the target data to a preset memory page in the memory, and sending a feedback message to the source end virtual machine, so that the source end virtual machine acquires the target data from the preset memory page according to the feedback message, and sends the target data to a destination end virtual machine.
6. The method of claim 2, the key agreement with the destination proxy virtual machine comprising:
generating a migration key according to a preset key generation rule;
and sending the migration key to the destination agent virtual machine.
7. The method of claim 1, further comprising:
and under the condition that the source end virtual machine is stopped, acquiring task data of uncompleted tasks of the source end virtual machine, and migrating the task data.
8. A virtual machine migration method is applied to a destination proxy virtual machine, wherein the destination proxy virtual machine and the destination virtual machine share a memory and have the same access right to the memory, and the method comprises the following steps:
receiving target data sent by a source end virtual machine through the target end virtual machine, and encrypting the target data according to an encryption mechanism of data in the memory;
and writing the encrypted target data into the memory.
9. The method of claim 8, wherein receiving, by the destination virtual machine, target data sent by a source virtual machine comprises:
and acquiring the target data from a preset memory page, wherein the target data is received by the destination virtual machine from the source virtual machine and is stored in the preset memory page.
10. A virtual machine migration system comprises a source end virtual agent machine, a source end virtual machine, a destination end virtual agent machine and a destination end virtual machine, wherein the source end virtual agent machine and the source end virtual machine share a first memory and have the same access authority to the first memory, and the destination end virtual agent machine and the destination end virtual machine share a second memory and have the same access authority to the second memory;
the source end proxy virtual machine is configured to respond to a virtual machine migration instruction, decrypt data in the first memory according to an encryption mechanism of the data in the first memory, determine target data, and send the target data to the source end virtual machine;
the source end virtual machine is configured to send the target data to the destination end virtual machine;
the destination virtual machine is configured to send the target data to the destination agent virtual machine;
the destination agent virtual machine is configured to encrypt the target data according to an encryption mechanism of the data in the memory, and write the encrypted target data into the second memory.
11. A virtual machine migration device is applied to a source-end proxy virtual machine, wherein the source-end proxy virtual machine and the source-end virtual machine share a memory and have the same access authority to the memory, and the virtual machine migration device comprises:
the data acquisition module is configured to respond to a virtual machine migration instruction, decrypt data in the memory according to an encryption mechanism of the data in the memory, and determine target data;
and the data migration module is configured to send the target data to a destination virtual machine through the source virtual machine.
12. A virtual machine migration apparatus is applied to a destination proxy virtual machine, wherein the destination proxy virtual machine and the destination virtual machine share a memory and have the same access right to the memory, and the apparatus comprises:
the data encryption module is configured to receive target data sent by a source virtual machine through the destination virtual machine and encrypt the target data according to an encryption mechanism of data in the memory;
and the data writing module is configured to write the encrypted target data into the memory.
13. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions and the processor is configured to execute the computer-executable instructions, which when executed by the processor, perform the steps of the virtual machine migration method of any one of claims 1 to 7 or 8 to 9.
14. A computer readable storage medium storing computer executable instructions which, when executed by a processor, carry out the steps of the virtual machine migration method of any one of claims 1 to 7 or 8 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211307370.0A CN115904612A (en) | 2022-10-24 | 2022-10-24 | Virtual machine migration method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211307370.0A CN115904612A (en) | 2022-10-24 | 2022-10-24 | Virtual machine migration method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115904612A true CN115904612A (en) | 2023-04-04 |
Family
ID=86475098
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211307370.0A Pending CN115904612A (en) | 2022-10-24 | 2022-10-24 | Virtual machine migration method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115904612A (en) |
-
2022
- 2022-10-24 CN CN202211307370.0A patent/CN115904612A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11704416B2 (en) | Computational operations in enclave computing environments | |
| US11971980B2 (en) | Using trusted execution environments to perform a communal operation for mutually-untrusted devices | |
| US20240126930A1 (en) | Secure Collaboration Between Processors And Processing Accelerators In Enclaves | |
| CN103069428B (en) | Secure virtual machine in insincere cloud infrastructure guides | |
| US9948616B2 (en) | Apparatus and method for providing security service based on virtualization | |
| EP3574441B1 (en) | Enclave abstraction model | |
| CA3048892A1 (en) | Data unsealing with a sealing enclave | |
| EP3846060A1 (en) | Key vault enclave | |
| US20210374232A1 (en) | Data distribution using a trusted execution environment in an untrusted device | |
| CA3048407A1 (en) | Data sealing with a sealing enclave | |
| US11949775B2 (en) | Network bound encryption for recovery of trusted execution environments | |
| WO2015062339A1 (en) | Method and device for running remote application program | |
| CA3046497A1 (en) | Abstract enclave identity | |
| US11741221B2 (en) | Using a trusted execution environment to enable network booting | |
| US20230319023A1 (en) | Network bound encryption for orchestrating workloads with sensitive data | |
| WO2022161182A1 (en) | Trusted computing method and apparatus based on data stream | |
| US11847253B2 (en) | Efficient launching of trusted execution environments | |
| US11947659B2 (en) | Data distribution across multiple devices using a trusted execution environment in a mobile device | |
| WO2017221979A1 (en) | Process control device, process control method, and recording medium having process control program recorded therein | |
| EP3736718B1 (en) | A tpm-based secure multiparty computing system using a non-bypassable gateway | |
| US8751819B1 (en) | Systems and methods for encoding data | |
| US11856002B2 (en) | Security broker with consumer proxying for tee-protected services | |
| US20230030816A1 (en) | Security broker for consumers of tee-protected services | |
| US20230036165A1 (en) | Security broker with post-provisioned states of the tee-protected services | |
| CN115904612A (en) | Virtual machine migration method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |