CN102110197B - Method and system for multi-core processor to realize TPM (trusted platform module) in computing environment - Google Patents

Publication number
CN102110197B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200910243914XA
Other languages
Chinese (zh)
Other versions
CN102110197A (en
Inventor
徐东
杜磊
张凯
孙毓忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhongke Flux Technology Co ltd
Original Assignee
Institute of Computing Technology of CAS

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for a multi-core processor to realize a TPM (trusted platform module) in a computing environment. The method comprises the following steps: firstly, allowing one core of the processor to operate when a node in the computing environment is started, wherein the core runs a high-authority operating system and the other cores are in a sleeping mode; secondly, after the operative core is in a normal operation state, a TPM function is written in to form a TPM emulator used for realizing the TPM function; and thirdly, the cores in the sleeping mode start to run a common operating system, and the high-authority operating system provides TPM security service for the common operating system when the common operating system is started. By applying the method and the system of the invention, a trusted service can be provided for the start-up of the system and the loading of subsequent applications even though the system contains no TPM security chip.

Description

Method and system for realizing a TPM in a multi-core processor computing environment
Technical field
The present invention relates to the field of computer security, and in particular to a method and system for realizing a TPM in a multi-core processor computing environment.
Background
In the current information age, protecting the privacy, integrity, authenticity and reliability of information and providing a reliable computing environment have become an inevitable requirement of informatization. To this end, the terminal itself must be trusted, so that secure information transfer between people and programs, between people and machines, and between people is solved at the source; a trusted network can then be formed and a secure chain of trust established. To solve the structural security of computers and networks and fundamentally improve their trustworthiness, measures must be taken comprehensively at the chip, hardware structure and operating system levels.
In the prior art, a TPM (Trusted Platform Module) chip is used to guarantee the security of the system. However, trusted computing and TPM chips are still at an early stage, and because the relevant standards are understood differently, existing products differ to some extent in their actual implementations.
Here, a TPM security chip is a security chip that conforms to the TPM standard. In essence it is a device that can independently perform key generation, encryption and decryption; it has its own processor and storage unit, can store keys and sensitive data, and provides integrity measurement, data security protection and identity authentication services for various computing platforms. Through functions such as integrity measurement, authentication and data encryption, it can effectively protect a PC and prevent access by unauthorized users.
In addition, with the proposal and development of technologies such as virtualization and cloud computing, more enterprises have begun to use virtualization technology and to apply it in their internal data centers to solve data security problems. Amazon and Google have each proposed their own cloud computing models, but these mainly provide data storage or application services; they propose no corresponding solution for the reliability and trustworthiness of the system, especially for behaviors such as trusted control between machines inside the system. Meanwhile, as virtualization technology matures, the trustworthiness problem in virtualized computing environments has been raised, and in virtualized environments in particular, the security and reliability of data centers will become increasingly prominent.
In the prior art, for the TPM chip, there is the TPM Emulator (a TPM emulator that runs on a Linux system), which implements the functions of a TPM in the C language for an already-installed system. However, it only emulates a TPM in an auxiliary way and does not make the system trusted on the basis of a root of trust, so it cannot properly solve the problems faced in practice.
In the trusted computing model of the virtualization technology Xen, each Dom0 has a VTPM (virtual TPM) manager that is responsible for managing the TPM instances of the virtual machines on that node. As shown in Fig. 1, the VTPM manager creates (spawns) a thread to monitor operation information from Xen. When the node creates a virtual machine, the VTPM manager first creates a back-end VTPM instance for that virtual machine. The VTPM manager emulates the behavior of a TPM chip or TPM emulator in a real environment and provides the corresponding virtual machine with verification services for the applications inside it. During verification the virtual machine needs to communicate with the VTPM manager, and the request is finally served by the underlying hardware TPM chip or TPM emulator.
Trusted computing technology relies on a hardware TPM chip to build a trusted computer system, and also involves BIOS support for the technology and improvements to related hardware. However, most systems currently in use were not designed with trusted computing in mind: first, because the BIOS does not support the technology, and second, because there is no interface for a TPM chip. The need for these systems to be trusted is not reduced on that account; on the contrary, existing conditions should be used to bring these systems to the trusted state we expect.
Summary of the invention
To solve the above problems, the invention provides a method and system for realizing a TPM in a multi-core processor computing environment. When no TPM security chip is present in the system, the invention can still provide trusted services for the start-up of the system and the loading of subsequent applications.
The invention discloses a method for realizing a TPM in a multi-core processor computing environment, comprising:
Step 1: when a node in the computing environment starts, one core of the processor is allowed to work; that core runs a high-authority operating system, and the other cores of the processor are in a sleeping state;
Step 2: after the working core enters its normal operating state, the TPM function is written in, forming a TPM emulator that realizes the functions of a TPM;
Step 3: the cores in the sleeping state start working and run a common operating system, and the high-authority operating system provides TPM security services for the start-up of the common operating system.
The computing environment is a virtualized computing environment, and the method further comprises:
Step 21: virtualizing the node with Xen.
After step 21, the method further comprises:
Step 31: one virtual machine in the computing environment forms a VTPM manager;
Step 32: the VTPM manager creates a thread to monitor operations in Xen;
Step 33: when the node creates a virtual machine, the VTPM manager creates a VTPM instance for that virtual machine;
Step 34: the VTPM instance provides TPM services to the virtual machine by communicating with the TPM emulator.
The method further comprises:
Step 41: connecting the node to a front-end proxy;
Step 42: the VTPM manager generates platform configuration information and sends it to the front-end proxy;
Step 43: the front-end proxy receives the platform configuration information and stores it in a platform configuration information table;
Step 44: when a client requests access, the platform configuration information of the virtual machines relevant to that client's access is looked up in the platform configuration information table and sent to the client.
The method further comprises:
Step 51: the network card of a virtual machine is connected to a virtual bridge through a virtual interface;
Step 52: the isolator of the node detects whether a new virtual machine has been created on the node, and if so, step 53 is executed;
Step 53: the isolator obtains the MAC address and the type of the virtual machine, formulates the corresponding isolation rule according to the virtual machine type, and adds the isolation rule to the link filter table;
Step 54: when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the link filter table.
After step 54, the method further comprises:
Step 61: the node broadcasts the MAC address and type of the newly created virtual machine to the isolators of the other nodes;
Step 62: the isolators of the other nodes receive the broadcast MAC address and type, formulate isolation rules according to the virtual machine information stored locally on their nodes, and add the isolation rules to their local link filter tables;
Step 63: when a node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the link filter table.
The method further comprises:
Step 71: after the virtual machine starts, the local network configuration of the virtual machine is checked to obtain its IP address and subnet mask, the subnet address of the virtual machine is calculated, and the subnet address information is sent to the virtual isolator of the virtual machine;
Step 72: the virtual isolator formulates the corresponding filtering rule from the subnet address information it receives and stores the filtering rule in the network filter table;
Step 73: when the virtual machine receives an IP packet, the IP packet is processed according to the isolation rules in the network filter table.
Step 73 further comprises:
Step 81: the virtual machine broadcasts a request message on the local network, requesting the network address information of the virtual machines on the node where it resides;
Step 82: the network information obtained is added to the network filter table.
The invention also discloses a system for realizing a TPM in a multi-core processor computing environment, comprising a node.
The node is configured so that, when it starts, one core of the processor is allowed to work; that core runs a high-authority operating system, and the other cores of the processor are in a sleeping state;
after the working core enters its normal operating state, the TPM function is written in, forming a TPM emulator that realizes the functions of a TPM;
the cores in the sleeping state start working and run a common operating system, and the high-authority operating system provides TPM security services for the start-up of the common operating system.
The computing environment is a virtualized computing environment,
and the node is further configured to be virtualized with Xen.
The system further comprises a VTPM manager.
One virtual machine in the computing environment forms a VTPM manager;
The VTPM manager is configured to create a thread that monitors operations in Xen; when the node creates a virtual machine, it creates a VTPM instance for that virtual machine; the VTPM instance provides TPM services to the virtual machine by communicating with the TPM emulator.
The system further comprises a front-end proxy connected to the node;
The VTPM manager is further configured to generate platform configuration information and send it to the front-end proxy;
The front-end proxy is configured to receive the platform configuration information and store it in a platform configuration information table; when a client requests access, it looks up in the platform configuration information table the platform configuration information of the virtual machines relevant to that client's access and sends it to the client.
The node comprises an isolator, and the network card of a virtual machine is connected to a virtual bridge through a virtual interface;
The isolator is configured to detect whether a new virtual machine has been created on the node and, if so, to obtain the MAC address and the type of the virtual machine, formulate the corresponding isolation rule according to the virtual machine type, and add the isolation rule to the link filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the link filter table.
The node is further configured to broadcast the MAC address and type of the newly created virtual machine to the isolators of the other nodes;
The isolator is further configured to receive the broadcast MAC address and type, formulate isolation rules according to the virtual machine information stored locally on the node, and add the isolation rules to the local link filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the link filter table.
The node is further configured to create a virtual isolator for the virtual machine.
The node is further configured, after the virtual machine starts, to check the local network configuration of the virtual machine to obtain its IP address and subnet mask, calculate the subnet address of the virtual machine, and send the subnet address information to the virtual isolator of the virtual machine;
The virtual isolator is configured to formulate the corresponding filtering rule from the subnet address information it receives and store the filtering rule in the network filter table; when the virtual machine receives an IP packet, the IP packet is processed according to the isolation rules in the network filter table.
The node is further configured to have the virtual machine broadcast a request message on the local network;
The virtual isolator is further configured, when the virtual machine broadcasts the request message on the local network, to request the network address information of the virtual machines on the node where it resides, and to add the network information obtained to the network filter table.
The beneficial effects of the invention are as follows. Building such a distributed trusted computing architecture provides an effective security protection measure for current cloud computing and enterprise data centers. Because the invention takes full account of the characteristics and processing power of current commercial multi-core processors, having one fixed core provide the underlying trusted verification service effectively improves the efficiency of the computing service. Because security control is applied to the upper-layer virtual machines that run heterogeneous applications, some internal security problems of current systems are effectively solved. In a distributed computing architecture based on multi-core systems, one core is isolated from the multi-core system to run the TPM Emulator and provide trusted services to the ordinary applications on the other cores, so that trusted services can be provided for the start-up of the system and the loading of subsequent applications even when no TPM security chip is present in the system. VLAN technology is used to divide the virtual machines that provide different services on the servers into different VLANs, so that the services do not interfere with each other and the paralysis of one service does not affect another.
Description of drawings
Fig. 1 shows the VTPM method of the prior art;
Fig. 2 is a schematic diagram of the method by which the invention realizes a TPM;
Fig. 3 is a schematic diagram of the front-end proxy realized by the invention;
Fig. 4 is a schematic diagram of the isolation realized by the invention.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings.
The method for realizing a TPM in a multi-core processor computing environment is as follows.
Step S100: when a node in the computing environment starts, one core of the processor is allowed to work; this core runs the high-authority operating system, and the other cores are in a sleeping state.
The working core has exclusive use of a memory region in the node's memory. Other cores are forbidden to access this memory region, and this core runs the high-authority operating system, which isolates this core from the other cores.
Step S200: after the working core enters its normal operating state, the TPM function is written in, forming a TPM emulator that realizes the functions of a TPM.
Step S300: the cores in the sleeping state start working and run the common operating system, and the high-authority operating system provides the TPM security function for the start-up of the common operating system.
As shown in Fig. 2, the processor has multiple cores, core 1, core 2, core 3 and core 4, of which core 1 runs the high-authority operating system. This security function is equivalent to using a hardware TPM to monitor the start-up process of the common operating system and to record information during start-up, thereby guaranteeing a trusted start-up process for the node's local system.
Based on a multi-core CPU, the invention relies fully on the isolation mechanism between cores and on the processor's support for virtualization to perform the trusted verification functions and services that a physical TPM chip would perform. To improve the efficiency of the TPM service, the TPM emulator is given exclusive use of one independent core of the multi-core processor, and that core provides the verification services required of the TPM.
In the invention, all virtual machines in the computing environment are managed in a unified way by one VTPM manager, which provides the root of trust to the virtual machines. The root of trust refers to components whose operation and stored content are all trustworthy. As shown in Fig. 2, virtual machine 1 and virtual machine 5 belong to VLAN 1, which provides office services, and virtual machine 2, virtual machine 3 and virtual machine 4 belong to VLAN 2, which provides web services.
The node is virtualized with Xen.
One Dom0 in the computing environment has a VTPM manager. Dom0 is a special virtual machine that can manage other virtual machines.
Embodiment one of the TPM method after the computing environment has been virtualized is as follows.
Step 201: one virtual machine in the computing environment forms a VTPM manager;
Step 202: the VTPM manager creates a thread to monitor operations in Xen;
Step 203: when the node creates a virtual machine, the VTPM manager creates a VTPM instance for that virtual machine;
Step 204: the VTPM instance provides TPM services to the virtual machine by communicating with the TPM emulator.
Under the traditional service model, a virtual machine needs to communicate with the VTPM manager during verification, and the request is finally served by the underlying hardware TPM chip or TPM emulator. Moreover, because VLANs are constructed across nodes, a proxy needs to be configured for each VLAN to forward the necessary verification requests, so that virtual machines can still be verified in the normal way.
In the invention, the front-end proxy of the computing environment maintains the platform configuration information of all virtual machines in the network.
Platform configuration information is the security-relevant information about a virtual machine, for example which ports are open, the version of the antivirus software, and the state of the firewall.
In the prior art, when a client requests a web service that both virtual machine domainU1 and virtual machine domainU3 can provide and there is no platform configuration information table, domainU1 and domainU3 each process the client's request: each must first read its own platform configuration information from its VTPM instance through its corresponding VTPM manager and then pass it to the client to prove that it is trusted.
In the invention, as shown in Fig. 3, the platform configuration information of virtual machine domainU1 and virtual machine domainU3 is provided directly by the front-end proxy.
The method by which the front-end proxy provides platform configuration information is as follows.
The embodiment is as follows.
Step 301: the nodes in the computing environment are connected to the front-end proxy.
Step 302: the VTPM manager generates platform configuration information and sends it to the front-end proxy.
Step 303: the front-end proxy receives the platform configuration information and stores it in the platform configuration information table.
Step 304: when a client requests access, the front-end proxy looks up in the platform configuration information table the platform configuration information of the virtual machines relevant to that client's access and sends it to the client.
Platform configuration information acquisition module (Getinfo): located on the VTPM manager. It mainly extends the function of the VTPM manager so that the VTPM manager passes platform configuration information to the front-end proxy as the front-end proxy requires.
Platform configuration information receiving module (Recvinfo): located on the front-end proxy. It lets the front-end proxy receive the platform configuration information passed over by the VTPM manager and stores the relevant information in the platform configuration information table.
Trust verification module (Trusttest): located on the client. It verifies whether the platform configuration information of a virtual machine is trusted. The client compares the configuration information obtained from the server side with its own local database; if the information meets the client's own requirements it is trusted, otherwise it is untrusted. Examples of what is compared are the versions of the antivirus software and firewall and which ports are open.
Virtual machine distribution module (SelectDom): located on the front-end proxy. It assigns a suitable virtual machine to serve the client according to the trust report and the load of each virtual machine.
The virtual machine that processes a request is selected according to the number of requests currently queued on each virtual machine.
Migration module (Migration): migration of each domainU across physical platforms can be carried out through the front-end proxy.
This is realized by calling the migration module inside the VTPM.
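The lookup, Trusttest and SelectDom flow described above, modelled in Python as an added example (not code from the patent). The field names, the version encoding, the VM `domainU4` and all sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PlatformConfig:
    """Security state reported for one VM; the three fields follow the page's examples."""
    open_ports: frozenset
    antivirus_version: tuple      # e.g. (5, 2); this encoding is an assumption
    firewall_enabled: bool


@dataclass(frozen=True)
class ClientPolicy:
    """The client's local database of acceptable settings (Trusttest)."""
    allowed_ports: frozenset
    min_antivirus_version: tuple

    def trusts(self, cfg):
        # Every reported port must be on the allow-list, the antivirus must be
        # recent enough, and the firewall must be on.
        return (cfg.open_ports <= self.allowed_ports
                and cfg.antivirus_version >= self.min_antivirus_version
                and cfg.firewall_enabled)


class FrontEndProxy:
    def __init__(self):
        self.config_table = {}    # VM name -> PlatformConfig
        self.service_of = {}      # VM name -> service it provides
        self.queued = {}          # VM name -> number of requests waiting

    def recv_info(self, vm, service, cfg):
        """Recvinfo: store what a VTPM manager sent (steps 302-303)."""
        self.config_table[vm] = cfg
        self.service_of[vm] = service
        self.queued.setdefault(vm, 0)

    def lookup(self, service):
        """Step 304: configurations of the VMs relevant to the requested service."""
        return {vm: cfg for vm, cfg in self.config_table.items()
                if self.service_of[vm] == service}

    def select_dom(self, service, trusted_vms):
        """SelectDom: the trusted VM for this service with the fewest queued requests."""
        candidates = [vm for vm in self.lookup(service) if vm in trusted_vms]
        if not candidates:
            return None           # nothing the client trusts: refuse, do not fall back
        chosen = min(candidates, key=lambda vm: (self.queued[vm], vm))
        self.queued[chosen] += 1
        return chosen


def handle_request(proxy, service, policy):
    """One client request: lookup, client-side Trusttest, then SelectDom."""
    offered = proxy.lookup(service)
    trusted = {vm for vm, cfg in offered.items() if policy.trusts(cfg)}
    return proxy.select_dom(service, trusted)


def demo():
    """Constructed sample state: three web VMs, one of them with port 23 open."""
    proxy = FrontEndProxy()
    web = frozenset({80, 443})
    proxy.recv_info("domainU1", "web", PlatformConfig(web, (5, 2), True))
    proxy.recv_info("domainU3", "web", PlatformConfig(web, (5, 2), True))
    proxy.recv_info("domainU4", "web", PlatformConfig(frozenset({23, 80}), (5, 2), True))
    proxy.queued.update({"domainU1": 4, "domainU3": 1, "domainU4": 0})
    policy = ClientPolicy(allowed_ports=web, min_antivirus_version=(5, 0))
    return proxy, policy


if __name__ == "__main__":
    proxy, policy = demo()
    print(handle_request(proxy, "web", policy))
```

The table is a cache: the client judges whatever the VTPM manager last reported, so how stale an entry may become is a design decision the description leaves open.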
The VLAN isolation method is as follows.
In the isolation method realized by the invention, isolation between different VLANs is achieved, in line with the characteristics of virtualization technology itself, by applying control at the data link layer and at the network layer respectively, as shown in Fig. 4.
Implementation of data-link-layer isolation
In Xen virtualization, the network interfaces of all virtual machines (the DomUs, and Dom0 as well) are connected directly to the virtual bridge Xenbr0 inside Xen. The bridge Xenbr0 is used for communication between the virtual machines in a node and is located in Dom0. To implement network processing for virtual machines, Xen allocates virtual interfaces to all virtual machines, and each virtual machine's network card is connected to the virtual bridge through those virtual interfaces.
The invention controls the data communication between different virtual machines in Dom0. It uses the link-layer tool ebtables to control the virtual machines' communication at the link layer. ebtables can modify information such as the frame header of a link-layer data frame, so it can be used to control data frames between virtual machines that run different applications.
For example, as shown in Fig. 2, virtual machine 2 provides web services and virtual machine 1 provides office services. Because the two kinds of virtual machine provide different application services, they are in different VLANs. If virtual machine 2 needs to access or log in to virtual machine 1 remotely, the behavior of virtual machine 2 and the operations of the user are restricted by controlling the virtual bridge Xenbr0, to guarantee security between the virtual machines.
Main modules and their functions:
Isolator: runs in Domain0 of the node and achieves isolation control by controlling the virtual bridge.
Virtual isolator (visolator): a module inside the virtual machine that achieves isolation by filtering IP packets at the virtual machine's internal virtual network card.
Filter table: the filter table used in the existing netfilter/iptables framework to filter network-layer packets; it records the set of rules that perform the filtering. There is a filter table for the network layer and one for the data link layer, and the rule sets they maintain differ.
The data-link-layer isolation flow is as follows.
Step 401: each time a virtual machine starts, the isolator in Domain0 of the node where the virtual machine resides, which is implemented with ebtables, obtains the MAC address of the virtual machine and the VLAN to which it belongs through an Xend command.
When virtual machines are divided into VLANs, they are first divided into different VLANs according to the services they provide in the computing environment. Virtual machines that provide the same application logically form one VLAN. For example, if virtual machine A provides a high-performance computing service and belongs to VLAN 1 (VLAN_ID = 1), then the high-performance computing service corresponds to VLAN 1. The type of a virtual machine thus reflects both the service the virtual machine can provide and the corresponding VLAN ID.
Step 402: the isolator broadcasts the MAC address of the virtual machine to the isolators in Domain0 of all other nodes. Each isolator maintains the MAC addresses of all virtual machines and builds a filter table from them.
The filter table contains value pairs of the form source MAC address -> destination MAC address (src MAC -> dst MAC); following each value pair is its corresponding rule, which indicates pass or isolate.
The isolator formulates the isolation rules according to the VLAN in which each virtual machine resides. For example, the rule for a source MAC address and a destination MAC address in the same VLAN is pass. Whether the source and destination MAC addresses are in the same VLAN is determined from the VLAN IDs that correspond to the MAC addresses.
In one embodiment, the mapping between a virtual machine and the VLAN to which it belongs is obtained as follows.
When the other isolators receive the broadcast message, they parse the request packet and obtain the MAC address and the type of the virtual machine; the type represents the VLAN ID, and the mapping between the virtual machine and the VLAN is established.
The isolator formulates the isolation rules by comparing against the virtual machine information already in its local database.
In another embodiment, the mapping between a virtual machine and the VLAN to which it belongs is obtained as follows.
In the initial stage, the isolator analyzes the frame header of each data frame at the network card to determine the virtual machine to which the frame belongs and the type of that virtual machine, and builds a mapping table between VLANs and virtual machines; this table reflects each virtual machine and the ID of the VLAN to which it belongs.
Forwarding control of later data frames can then be performed according to this mapping table.
Step 403: when a virtual machine is about to send a packet, the isolator checks whether the source address and destination address of the packet are in the filter table. If they are, the rule that follows the source MAC address and destination MAC address value pair is executed; if no corresponding value pair is found in the filter table, the refuse operation is executed by default.
For example, a virtual machine whose MAC address is 00-30-48-5b-12-53 wants to send a packet to the virtual machine whose MAC address is 00-30-48-5b-15-53. If the rule for this value pair in the isolator's filter table is pass, the packet can be sent successfully.
To realize isolation, the isolator ultimately calls the API of the ebtables module. This module can determine the virtual machine to which a frame belongs from the relevant bit fields of the frame header; this is done by analyzing the MAC address of the virtual machine, from which the ID of the VLAN where the virtual machine resides is determined.
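Steps 401 to 403 as a Python model of the isolator's filter table, with the table rendered as `ebtables` commands; this is an added example, not code from the patent. The class and method names and the third MAC address are assumptions, and the two same-VLAN addresses are the ones from the example above.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Accept 00-30-48-... or 00:30:48:... and return the colon form ebtables expects."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


class Isolator:
    """Link-layer filter table kept in Domain0 of one node."""

    def __init__(self):
        self.vlan_of = {}         # MAC -> VLAN ID (the VM-to-VLAN mapping)
        self.filter_table = {}    # (src MAC, dst MAC) -> "pass"

    def register_vm(self, mac, vlan_id):
        """Called for a locally started VM and for each broadcast from another isolator."""
        mac = normalize_mac(mac)
        # A VM that is re-announced in another VLAN must lose its old pairs first.
        self.filter_table = {pair: rule for pair, rule in self.filter_table.items()
                             if mac not in pair}
        self.vlan_of[mac] = vlan_id
        for other, other_vlan in self.vlan_of.items():
            if other != mac and other_vlan == vlan_id:
                self.filter_table[(mac, other)] = "pass"
                self.filter_table[(other, mac)] = "pass"

    def decide(self, src, dst):
        """Step 403: look up the pair; anything not in the table is refused."""
        try:
            pair = (normalize_mac(src), normalize_mac(dst))
        except ValueError:
            return "refuse"       # malformed address: fail closed
        return self.filter_table.get(pair, "refuse")

    def ebtables_commands(self):
        """Default-drop policy on the bridge, then one ACCEPT per allowed pair."""
        # Broadcast frames such as ARP requests match no pair, so this policy
        # drops them as well; a deployment has to decide how to handle them.
        cmds = ["ebtables -P FORWARD DROP"]
        for src, dst in sorted(self.filter_table):
            cmds.append(f"ebtables -A FORWARD -s {src} -d {dst} -j ACCEPT")
        return cmds


def demo():
    iso = Isolator()
    iso.register_vm("00-30-48-5b-12-53", 1)   # from the page's example
    iso.register_vm("00-30-48-5b-15-53", 1)   # from the page's example
    iso.register_vm("00-30-48-5b-20-01", 2)   # constructed: a VM in another VLAN
    return iso


if __name__ == "__main__":
    print("\n".join(demo().ebtables_commands()))
```

Because every rule keys on the source MAC address, the table only isolates if Dom0 also ensures that each virtual interface can send frames from its own MAC address alone.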
The network-layer isolation flow is as follows.
In addition to the data-link-layer access control applied above to virtual machines inside different VLANs, the invention has another isolation embodiment. Inside Xen, communication between virtual machines on the same node goes through the Xen bridge. The existing firewall control tool iptables provides functions such as IP packet filtering and address translation.
Therefore, some of the filtering mechanisms provided by iptables are used to realize network-layer isolation control inside the virtual machine. After a virtual machine of a given application type has finished starting, it analyzes the local network information automatically by obtaining its local address information, and automatically adds network-layer isolation rules according to the network ID it parses out. The rules allow the virtual machine to establish normal data communication with the nodes where virtual machines of the same type reside, and refuse virtual machines of a different application type.
The isolation flow process of network layer is as follows:
Step 501: the virtual machine starts successfully, and the isolation process or isolation module inside the virtual machine starts running automatically.
Step 502: the isolation process or isolation module obtains the IP address of this virtual machine.
Step 503: the isolation process or isolation module obtains the IP subnet of the application network segment in which this virtual machine resides.
Step 504: the isolation process or isolation module calls the relevant iptables interface and sets up the isolation rules.
To implement network-layer isolation, virtual machines of each type can be placed in a dedicated network segment. For example, the IPs of virtual machines providing office services are all in the 10.10.1.0/24 segment, and the IPs of virtual machines providing web services are all in the 10.10.2.0/24 segment.
After the virtual machine starts, the virtual isolator (visolator) service and the detector service run automatically.
The detector inspects the local network configuration and obtains the IP address and the subnet mask (netmask), and from these calculates the subnet address of the local machine; this subnet address is the address of the VLAN.
The detector sends the calculated VLAN subnet information to the virtual isolator. The virtual isolator defines the corresponding rules according to the received client request and automatically adds them to the iptables filter table.
The isolator formulates the corresponding isolation rules according to the VLAN in which the virtual machine resides. For example, when the source IP address and the destination IP address are in the same VLAN, the corresponding rule is pass. The network number is calculated from the IP address and the subnet mask, and the network number determines whether the source IP and the destination IP are in the same VLAN.
The detector broadcasts a message on the network, requesting the IP information of the node on which it resides.
The local network is the network formed by all physical nodes. Because the detector needs to know the physical host node of this virtual machine, and VLANs span nodes, the broadcast must be made on the local network.
The detector adds the obtained physical node IP information to the filter table maintained by iptables.
The rule added to the filter table is the IP information.
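The detector's subnet calculation and the rules the virtual isolator derives from it, as an added example that is not part of the patent text. The INPUT chain and the host node address 192.168.0.10 are assumptions, and the iptables commands are printed rather than applied.

```shell
#!/bin/sh
# Added illustration of the detector / virtual isolator steps (501-504).

# subnet_of IP NETMASK -> prints the subnet address (bitwise AND per octet).
# Fails on anything that is not four decimal octets in 0..255; leading zeros
# are rejected because shell arithmetic would read them as octal.
subnet_of() {
    for q in "$1" "$2"; do
        case $q in
            *[!0-9.]*|*.*.*.*.*) return 1 ;;
            *.*.*.*) ;;
            *) return 1 ;;
        esac
    done
    oldifs=$IFS; IFS=.
    set -- $1 $2            # split both arguments into their octets
    IFS=$oldifs
    [ $# -eq 8 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# same_vlan SRC_IP DST_IP NETMASK -> status 0 when both addresses have the
# same network number, 1 when they differ, 2 on malformed input.
same_vlan() {
    a=$(subnet_of "$1" "$3") || return 2
    b=$(subnet_of "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# emit_iptables_rules VM_IP NETMASK HOST_NODE_IP -> prints the filter-table
# rules: pass for the VM's own subnet and for its physical host node, refuse
# for everything else. The policy comes last so that the allow rules are in
# place before the default changes. Assumption: rules go in the INPUT chain.
emit_iptables_rules() {
    net=$(subnet_of "$1" "$2") || return 1
    echo "iptables -A INPUT -s $net/$2 -j ACCEPT"
    echo "iptables -A INPUT -s $3 -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Constructed input: an office-service VM in 10.10.1.0/24 whose detector
# learned (by broadcast) that its host node is 192.168.0.10.
emit_iptables_rules 10.10.1.23 255.255.255.0 192.168.0.10
```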
A system for implementing a TPM in a computing environment of a multi-core processor comprises a node.
The node is configured to let one core of the processor work at startup; that core runs a high-privilege operating system, and the other cores of the processor are in a dormant state;
After the working core enters the normal operating state, the TPM functions are written in, forming a TPM simulator that implements the functions of a TPM;
The cores in the dormant state start working and run the normal operating system, and the high-privilege operating system provides TPM security services for the startup of the normal operating system.
The computing environment is a virtualized computing environment, and the node is further configured to be virtualized using Xen.
Preferably, the system further comprises a VTPM manager;
One virtual machine in the computing environment forms the VTPM manager;
The VTPM manager is configured to create a thread that monitors Xen operations and, when the node creates a virtual machine, to create a VTPM instance for that virtual machine; the VTPM instance provides TPM services to the virtual machine by communicating with the TPM simulator.
Preferably, the system further comprises a front-end proxy connected to the node;
The VTPM manager is further configured to generate platform configuration information and send it to the front-end proxy;
The front-end proxy is configured to receive the platform configuration information and store it in a platform configuration information table and, when a client requests access, to look up in that table the platform configuration information of the virtual machine the client is accessing and send it to the client.
Preferably, the node comprises an isolator, and the network card of each virtual machine is connected to a virtual bridge through a virtual interface;
The isolator is configured to detect whether a new virtual machine has been created on the node and, if so, to obtain the MAC address and the type of the virtual machine, formulate the corresponding isolation rules according to the virtual machine type, and add the isolation rules to the Link Filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
Preferably, the node is further configured to broadcast the MAC address and type of the newly created virtual machine to the isolators of other nodes;
The isolator is further configured to receive the broadcast MAC address and type, formulate isolation rules according to the virtual machine information stored locally on the node, and add the isolation rules to the local Link Filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
Preferably, the system further comprises a virtual isolator;
The node is further configured, after a virtual machine starts, to inspect the virtual machine's local network configuration to obtain the IP address and subnet mask, calculate the subnet address in which the virtual machine resides, and send the subnet address information to the virtual machine's virtual isolator;
The virtual isolator is configured to formulate the corresponding filtering rules according to the received subnet address information and store the filtering rules in the network filtering table; when the virtual machine receives an IP packet, the IP packet is processed according to the isolation rules in the network filtering table.
Preferably, the node is further configured to broadcast a request message to the local network through the virtual machine;
The virtual isolator is further configured, when the virtual machine broadcasts the request message to the local network, to request the network address information of the node on which the virtual machine resides, and to add the obtained network information to the network filtering table.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the invention as defined by the claims. The scope of the invention is therefore not limited to the above description but is determined by the scope of the claims.

Claims (16)

1. A method for implementing a TPM in a computing environment of a multi-core processor, characterized by comprising:
Step 1: when a node in the computing environment starts, one core of the processor is allowed to work; that core runs a high-privilege operating system, and the other cores of the processor are in a dormant state;
Step 2: after the working core enters the normal operating state, the TPM functions are written in, forming a TPM simulator that implements the functions of a TPM;
Step 3: the cores in the dormant state start working and run the normal operating system, and the high-privilege operating system provides TPM security services for the startup of the normal operating system.
2. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 1, characterized in that the computing environment is a virtualized computing environment,
The method further comprises:
Step 21: the node is virtualized using Xen.
3. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 2, characterized in that,
After step 21, the method further comprises:
Step 31: one virtual machine in the computing environment forms a VTPM manager;
Step 32: the VTPM manager creates a thread that monitors Xen operations;
Step 33: when the node creates a virtual machine, the VTPM manager creates a VTPM instance for that virtual machine;
Step 34: the VTPM instance provides TPM services to the virtual machine by communicating with the TPM simulator.
4. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 3, characterized in that,
The method further comprises:
Step 41: the node is connected to a front-end proxy;
Step 42: the VTPM manager generates platform configuration information and sends it to the front-end proxy;
Step 43: the front-end proxy receives the platform configuration information and stores it in a platform configuration information table;
Step 44: when a client requests access, the platform configuration information of the virtual machine the client is accessing is looked up in the platform configuration information table and sent to the client.
5. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 2, characterized in that,
The method further comprises:
Step 51: the network card of the virtual machine is connected to a virtual bridge through a virtual interface;
Step 52: the isolator of the node detects whether a new virtual machine has been created on the node and, if so, step 53 is executed;
Step 53: the isolator obtains the MAC address and the type of the virtual machine, formulates the corresponding isolation rules according to the virtual machine type, and adds the isolation rules to the Link Filter table;
Step 54: when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
6. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 5, characterized in that,
After step 54, the method further comprises:
Step 61: the node broadcasts the MAC address and type of the newly created virtual machine to the isolators of other nodes;
Step 62: the isolators of the other nodes receive the broadcast MAC address and type, formulate isolation rules according to the virtual machine information stored locally on the node, and add the isolation rules to the local Link Filter table;
Step 63: when a node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
7. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 2, characterized in that,
The method further comprises:
Step 71: after the virtual machine starts, the virtual machine's local network configuration is inspected to obtain the IP address and subnet mask, the subnet address in which the virtual machine resides is calculated, and the subnet address information is sent to the virtual machine's virtual isolator;
Step 72: the virtual isolator formulates the corresponding filtering rules according to the received subnet address information and stores the filtering rules in the network filtering table;
Step 73: when the virtual machine receives an IP packet, the IP packet is processed according to the isolation rules in the network filtering table.
8. The method for implementing a TPM in a computing environment of a multi-core processor according to claim 7, characterized in that,
Step 73 further comprises:
Step 81: the virtual machine broadcasts a request message to the local network, requesting the network address information of the node on which the virtual machine resides;
Step 82: the obtained network information is added to the network filtering table.
9. A system for implementing a TPM in a computing environment of a multi-core processor, characterized by comprising a node,
The node is configured to let one core of the processor work at startup; that core runs a high-privilege operating system, and the other cores of the processor are in a dormant state;
After the working core enters the normal operating state, the TPM functions are written in, forming a TPM simulator that implements the functions of a TPM;
The cores in the dormant state start working and run the normal operating system, and the high-privilege operating system provides TPM security services for the startup of the normal operating system.
10. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 9, characterized in that the computing environment is a virtualized computing environment,
The node is further configured to be virtualized using Xen.
11. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 10, characterized in that,
The system further comprises a VTPM manager,
One virtual machine in the computing environment forms the VTPM manager;
The VTPM manager is configured to create a thread that monitors Xen operations and, when the node creates a virtual machine, to create a VTPM instance for that virtual machine; the VTPM instance provides TPM services to the virtual machine by communicating with the TPM simulator.
12. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 11, characterized in that,
The system further comprises a front-end proxy connected to the node;
The VTPM manager is further configured to generate platform configuration information and send it to the front-end proxy;
The front-end proxy is configured to receive the platform configuration information and store it in a platform configuration information table and, when a client requests access, to look up in that table the platform configuration information of the virtual machine the client is accessing and send it to the client.
13. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 10, characterized in that,
The node comprises an isolator, and the network card of each virtual machine is connected to a virtual bridge through a virtual interface;
The isolator is configured to detect whether a new virtual machine has been created on the node and, if so, to obtain the MAC address and the type of the virtual machine, formulate the corresponding isolation rules according to the virtual machine type, and add the isolation rules to the Link Filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
14. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 13, characterized in that,
The node is further configured to broadcast the MAC address and type of the newly created virtual machine to the isolators of other nodes;
The isolator is further configured to receive the broadcast MAC address and type, formulate isolation rules according to the virtual machine information stored locally on the node, and add the isolation rules to the local Link Filter table; when the node receives a packet, the packet is forwarded to the virtual machine according to the isolation rules in the Link Filter table.
15. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 10, characterized in that,
The node is further configured to create a virtual isolator for the virtual machine,
The node is further configured, after a virtual machine starts, to inspect the virtual machine's local network configuration to obtain the IP address and subnet mask, calculate the subnet address in which the virtual machine resides, and send the subnet address information to the virtual machine's virtual isolator;
The virtual isolator is configured to formulate the corresponding filtering rules according to the received subnet address information and store the filtering rules in the network filtering table; when the virtual machine receives an IP packet, the IP packet is processed according to the isolation rules in the network filtering table.
16. The system for implementing a TPM in a computing environment of a multi-core processor according to claim 15, characterized in that,
The node is further configured to broadcast a request message to the local network through the virtual machine;
The virtual isolator is further configured, when the virtual machine broadcasts the request message to the local network, to request the network address information of the node on which the virtual machine resides, and to add the obtained network information to the network filtering table.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910243914XA CN102110197B (en) 2009-12-25 2009-12-25 Method and system for multi-core processor to realize TMP (trusted platform module) in computing environment

Publications (2)

Publication Number Publication Date
CN102110197A CN102110197A (en) 2011-06-29
CN102110197B true CN102110197B (en) 2013-04-03

Family

ID=44174357

Country Status (1)

Country Link
CN (1) CN102110197B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China