Summary of the invention
For addressing the above problem, the invention provides the method and the system thereof that realize TPM in the computing environment of polycaryon processor, the present invention can not exist in the situation of TPM safety chip in system, but the ability of telecommunications services is provided for the loading of the startup of system and subsequent applications.
The invention discloses the method that realizes TPM in a kind of computing environment of polycaryon processor, comprise
Step 1, the node in the computing environment allow a nuclear job of processor when starting, described nuclear moves high limiting operation system, and other nuclears of described processor are in dormant state;
Step 2 after the nuclear of described work enters normal operating conditions, writes the TPM function, forms the TPM simulator in order to the function that realizes TPM;
Step 3, the described nuclear that the is in dormant state operation normal operations system that starts working provides the TPM security service by described high limiting operation system for the startup of described normal operations system.
Described computing environment is virtualized computing environment,
Described method also comprises:
Step 21 adopts Xen to carry out virtual to node.
Also comprise after the described step 21:
Step 31, a virtual machine in the computing environment forms a VTPM manager;
Step 32, described VTPM manager create among the thread monitoring Xen and operate;
Step 33, when node created a virtual machine, described VTPM manager was VTPM example of described virtual machine creating;
Step 34, described VTPM example is by providing the TPM service with the communication of described TPM simulator for virtual machine.
Described method also comprises:
Step 41 connects described node with the front end agency;
Step 42, VTPM manager generating platform configuration information sends to described front-end proxy agent;
Step 43, described front-end proxy agent receives described platform configuration information, and stores in the platform configuration information table;
Step 44 when client-requested is accessed, is searched the platform configuration information with the relevant virtual machine of described client-access from described platform configuration information table, send to described client.
Described method also comprises:
Step 51, the network interface card of virtual machine is connected to virtual bridge by virtual interface;
Whether step 52, the isolator of node detect new virtual machine creating on the described node, if having, and execution in step 53;
Step 53, isolator are obtained the MAC Address of virtual machine and the type of virtual machine, formulate corresponding isolation rule according to described virtual machine type, and described isolation rule is added in the Link Filter table;
Step 54, when node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Also comprise after the described step 54:
Step 61, the MAC Address of the virtual machine that described node will newly create and type are broadcast to the isolator of other nodes;
Step 62, the isolator of described other nodes receive MAC Address and the type of broadcasting, according to the information of the virtual machine of this locality of node storage, formulate the isolation rule, and the isolation rule is added in the local Link Filter table;
Step 63, when node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Described method also comprises:
Step 71 behind the virtual machine activation, checks that the network configuration information of virtual machine this locality obtains IP address and subnet mask, calculates the described subnet address of virtual machine, the information of subnet address is issued the dummy spacer of virtual machine;
Step 72, described dummy spacer is formulated corresponding filtering rule according to the subnet address information of receiving, described filtering rule is stored in the network filtering table;
Step 73 when virtual machine receives the IP bag, according to isolation rule in the described network filtering table, is processed described IP bag.
Described step 73 also comprises:
Step 81, virtual machine be to the local network broadcast request message, the network address information of the virtual machine of the described node in acquisition request place;
Step 82 is added the network information of obtaining in the network filtering table to.
The invention also discloses the system that realizes TPM in a kind of computing environment of polycaryon processor, comprise node,
Described node is used for allowing a nuclear job of processor when starting, and described nuclear moves high limiting operation system, and other nuclears of described processor are in dormant state;
After the nuclear of described work enters normal operating conditions, write the TPM function, form the TPM simulator in order to the function that realizes TPM;
The described nuclear that the is in dormant state operation normal operations system that starts working provides the TPM security service by described high limiting operation system for the startup of described normal operations system.
Described computing environment is virtualized computing environment,
Described node also is used for adopting Xen to carry out virtual to described node.
Described system also comprises the VTPM manager,
A virtual machine in the computing environment forms a VTPM manager;
Described VTPM manager is used for creating a thread monitoring Xen and operates; When node creates a virtual machine, be VTPM example of described virtual machine creating; Described VTPM example is by providing the TPM service with the communication of described TPM simulator for virtual machine.
Described system also comprises the front-end proxy agent that connects with node;
Described VTPM manager also is used for the generating platform configuration information, sends to described front-end proxy agent;
Described front-end proxy agent is used for receiving described platform configuration information, and stores in the platform configuration information table; When client-requested is accessed, from described platform configuration information table, search the platform configuration information with the relevant virtual machine of described client-access, send to described client.
Described node comprises isolator, and the network interface card of virtual machine is connected to virtual bridge by virtual interface;
Described isolator, for detection of whether new virtual machine creating is arranged on the described node, if having, then obtain the MAC Address of virtual machine and the type of virtual machine, formulate corresponding isolation rule according to described virtual machine type, described isolation rule is added in the Link Filter table; When node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Described node is also for the MAC Address of the virtual machine that will newly create and the isolator that type is broadcast to other nodes;
Described isolator also is used for receiving MAC Address and the type of broadcasting, according to the information of the virtual machine of this locality storage of node, formulates the isolation rule, and the isolation rule is added in the local Link Filter table; When node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Described node also is used to the virtual machine creating dummy spacer,
After described node also is used for virtual machine activation, check that the network configuration information of virtual machine this locality obtains IP address and subnet mask, calculate the described subnet address of virtual machine, the information of subnet address is issued the dummy spacer of virtual machine;
Described dummy spacer is used for formulating corresponding filtering rule according to the subnet address information of receiving, described filtering rule is stored in the network filtering table; When virtual machine receives the IP bag, according to isolation rule in the described network filtering table, process described IP bag.
Described node also is used for by virtual machine to the local network broadcast request message;
Described dummy spacer also is used at virtual machine during to the local network broadcast request message, the network address information of the virtual machine of the described node in acquisition request place; The network information of obtaining is added in the network filtering table.
Beneficial effect of the present invention is, by making up a kind of so distributed credible computing architecture, can provide a kind of effective safety precautions for current cloud computing and enterprise data center, because the present invention has fully taken into account characteristics and the processing power of current commercial polycaryon processor, by allowing a certain fixedly nuclear that the credible service for checking credentials of bottom is provided, we can effectively promote the high efficiency of calculation services; Simultaneously, because we have carried out security control at the virtual machine of upper strata heterogeneous applications, some inner potential safety problems of current system have effectively been solved; In the distributed computing architecture based on multiple nucleus system, from multiple nucleus system, isolate one of them nuclear operation TPM Emulator, for the common application on other nuclears provides believable service, can in system, not exist in the situation of TPM safety chip, but the ability of telecommunications services is provided for the loading of the startup of system and subsequent applications; Utilize vlan technology will provide in the server virtual machines of different services be divided in the VLAN, can make between each service not can the phase mutual interference, a kind of paralysis of service can not have influence on another kind of service.
Embodiment
Below in conjunction with accompanying drawing, the present invention is described in further detail.
The method that realizes TPM in the computing environment of polycaryon processor is as described below.
Step S100, node allows a nuclear job of processor in the computing environment when starting, the high limiting operation of this nuclear operation system, other nuclears are in dormant state.
This in running order nuclear exclusively enjoys a memory headroom in the internal memory of node, this memory headroom is forbidden other nuclear access, and this examines the high limiting operation of operation system, thereby realizes the isolation of this nuclear and other nuclears.
Step S200 after the nuclear of this work enters normal operating conditions, writes the TPM function, forms the TPM simulator in order to the function that realizes TPM.
Step S300, the nuclear that the is in dormant state operation normal operations system that starts working provides the TPM security function by high limiting operation system for the startup of normal operations system.
As shown in Figure 2, a plurality of nuclears of processor, nuclear 1, nuclear 2, nuclear 3, nuclear 4, the high limiting operation of its center 1 operation system.This security function is equivalent to monitor with a TPM of hardware the start-up course of normal operations system, and information in the record start-up course, thereby guarantees the credible start-up course of this node local system.
Based on multi-core CPU, fully by means of the isolation mech isolation test between the multinuclear and processor to virtualized support, finish credible authentication function and service that actual physical TPM chip is carried out, simultaneously in order to improve the efficient of TPM service, by means of in the polycaryon processor one independently nuclear, the TPM emulator will be monopolized a unique nuclear, provide the required service for checking credentials of TPM by this nuclear.
The interior all virtual machines of computing environment are realized unified management by a VTPM manager among the present invention, coming provides trusted root to virtual machine, trusted root refers to all trustworthy assemblies of operation and memory contents, as shown in Figure 2, virtual machine 1, virtual machine 5 belong to the VLAN 1 that the office service is provided, and virtual machine 2, virtual machine 3, virtual machine 4 belong to provides the WEB VLAN 2 of service.
Adopt Xen to carry out virtual to node.
A Dom0 in the computing environment has a VTPM manager, and DOM0 is a special virtual machine, and it can manage other virtual machine.
The embodiment one of carrying out the TPM method after virtual in computing environment is following described.
Step 201, a virtual machine in the computing environment forms a VTPM manager;
Step 202, described VTPM manager create among the thread monitoring Xen and operate;
Step 203, when node created a virtual machine, described VTPM manager was VTPM example of described virtual machine creating;
Step 204, described VTPM example is by providing the TPM service with the communication of described TPM simulator for virtual machine.
Because under traditional method of service, the needing in proof procedure of virtual machine communicates with the VTPM manager, finally by bottom hardware TPM chip or TPM emulator(TPM simulator) served.Simultaneously because the structure of VLAN has been realized cross-node, so in situation about guaranteeing under the normal Validation Mode of virtual machine, need to transmit necessary checking request for agency of each VLAN configuration.
Among the present invention, in the front-end proxy agent of computing environment, safeguard the platform configuration information of all virtual machines in the network.
Platform configuration information is the relevant information of safety on the virtual machine, open-ended situation for example, the version situation of antivirus software, the state of fire wall etc.
In the prior art, the client-requested Web service, virtual machine domainU1 and virtual machine domainU3 can provide Web service, in the situation that does not have the platform configuration information table, virtual machine domainU1 and virtual machine domainU3 will process respectively the request of client, need first to read own platform configuration information by each self-corresponding VTPM manager from the VTPM example and then pass to the client to bring in what prove oneself be believable.
In the present invention, as shown in Figure 3, directly provided the platform configuration information of virtual machine domainU1 and virtual machine domainU3 by front-end proxy agent.
Front-end proxy agent provides the platform configuration information method as described below.
Embodiment is as described below.
Step 301 connects the node in the computing environment with the front end agency.
Step 302, VTPM manager generating platform configuration information sends to described front-end proxy agent.
Step 303, described front-end proxy agent receives described platform configuration information, and stores in the platform configuration information table.
Step 304, when client-requested was accessed, front-end proxy agent was searched the platform configuration information with the relevant virtual machine of described client-access from this platform configuration information table, send to described client.
Platform configuration information acquisition module (Getinfo): being positioned on the VTPM manager, mainly is the function of expansion VTPM manager, makes the VTPM manager platform configuration information be passed to front-end proxy agent according to the requirement of front-end proxy agent,
Platform configuration information receiver module (Recvinfo): be positioned on the front-end proxy agent, make front-end proxy agent can receive the platform configuration information that the VTPM manager passes over, relevant information is stored into the platform configuration information table.
Credible authentication module (Trusttest): be positioned at client, whether the platform configuration information on the verifying virtual machines is credible.Client will compare with own local database from the configuration information that server end obtains, if it is just credible to meet the requirement of oneself, otherwise insincere, for example: the version of antivirus software and fire wall, open-ended situation etc.
Virtual machine distribution module (SelectDom): be positioned on the front-end proxy agent, distribute suitable virtual machine according to the loading condition of credible report and each virtual machine for client and come to provide service for client.
Select the virtual machine of the request of processing according to the number of request of waiting in line on current each virtual machine.
Transferring module (Migration): can realize the migration of each domainU on physical platform by front-end proxy agent.
Realize by the migration module of calling the VTPM the inside.
The partition method of VLAN is as described below.
In the partition method that the present invention realizes, according to the characteristics of Intel Virtualization Technology own, controlled respectively to realize isolation between the different VLAN from data link layer and network layer, as shown in Figure 4.
The specific implementation of data link layer isolation
In virtual Xen, all virtual machine DomU, comprise Dom0, the equal direct-connected virtual bridge Xenbr0 to Xen inside of network interface unit, bridge Xenbr0 is signal post's usefulness between virtual machine in the node, and this virtual bridge Xenbr0 is arranged in Dom0, in order to realize the network processes function of virtual machine, Xen distributes some virtual interfaces (virtual interface) for all virtual machines, and the network interface card of virtual machine is connected to virtual bridge by those virtual interfaces.
The present invention controls the data communication between the different virtual machine in Dom0.Used the link layer instrument, ebtables, the control virtual machine is positioned at the communication port of link layer.Link layer instrument ebtables can change the information such as frame head of link layer Frame, therefore can realize the control to Frame between the different application virtual machine.
Such as, as shown in Figure 2, virtual machine 2 and another virtual machine 1 that provides office to serve that web services is provided is arranged, because two class virtual machines provide different application services, thereby be among the different VLAN.If when virtual machine 2 needs remote access or login virtual machine 1, by control virtual bridge Xenbr0, limit the behavior of virtual machine 2, the operation of limited subscriber is to guarantee the security between the virtual machine.
Main modular and function declaration:
Isolator (Isolator): the Domain0 of node reaches the isolated controlling effect by the control virtual bridge.
Dummy spacer (visolator): be the module of virtual machine inside, filter the realization isolation effect by the IP bag to virtual machine internal virtual network interface card place.
Filter the Filter table: for realizing the filter table of network layer data packet filtering in the prior art netfilter/iptables framework, recorded the regular collection of finishing filtering function.For network layer and data link layer filter table is arranged all, the regular collection of wherein safeguarding is different.
Data link layer isolation flow process is as described below.
Step 401, in the time of each virtual machine activation, the isolator in the domain0 of this virtual machine place node utilizes ebtable to realize, gets access to the MAC Address of virtual machine and the VLAN at virtual machine place by the Xend order.
Virtual machine is being carried out VLAN when dividing, the service that provides according to virtual machine in the computing environment in the ban is divided into different VLAN with virtual machine.Provide the virtual machine of same application logically to form a VLAN, A provides high performance computing service such as virtual machine, to belong to VLAN1 be VLAN_ID=1 to this virtual machine simultaneously, the corresponding VLAN1 of high performance computing service, the type of virtual machine has reflected service that virtual machine can provide and VLAN ID number accordingly simultaneously.
Step 402, this isolator is broadcast to the isolator of the domain0 of every other node with the MAC Address of this virtual machine, having safeguarded the MAC Address of all virtual machines in each isolator, and consists of a filter table.
Source MAC(source MAC in this filter table)-" dst MAC(target MAC (Media Access Control) address) and value pair, be corresponding rule in this value to the back, show by or isolation.
Isolator is formulated corresponding isolation rule according to the VLAN at virtual machine place.For example, source MAC and the target MAC (Media Access Control) address rule of correspondence in same VLAN is for passing through.Wherein, determine that by VLAN ID corresponding to MAC Address whether source MAC and target MAC (Media Access Control) address are at same VLAN.
In an embodiment, acquisition virtual machine and its affiliated VLAN mapping relations method are as described below.
After other isolators were received the message of this broadcasting, the analysis request bag also obtained MAC Address and the type type of virtual machine, and type list is shown VLAN ID, sets up virtual machine with the mapping relations of VLAN.
Isolator is formulated the isolation rule by to existing virtual machine information in the local data base relatively.
Among another embodiment, it is as described below with its affiliated VLAN mapping relations method to obtain virtual machine.
In the starting stage, isolator assigns to determine virtual machine under this Frame and the type of this virtual machine by the frame header of analyzing each Frame of network interface card place, set up VLAN with the mapping table between virtual machine, this mapping table can reflect virtual machine and affiliated VLAN ID number.
Just can transmit control to the Frame in later stage according to this mapping table processes.
Step 403, when virtual machine will send a packet, isolator can check that the source address of this packet and destination address are whether in filter table; If in filter table then carry out source MAC and target MAC (Media Access Control) address value to the corresponding rule in back, if in filter table, do not find corresponding value to acquiescence is carried out the refusal operation.
For example, the MAC Address of certain virtual machine is 00-30-48-5b-12-53, and it will send packet is the virtual machine of 00-30-48-5b-15-53 to MAC Address.And the right working rule of this value is pass inside the filter table of isolator, and then this bag just can successfully be sent.
For isolator, finally call the API of ebtables module when realizing isolation, this module can be judged virtual machine under the frame according to the frame head relevant bits section of a Frame, and the MAC Address by the analyzing virtual machine realizes, carry out judging a virtual machine place VLAN ID number.
Network layer isolation flow process is as described below.
Except top in the virtual machine in addition access control of data link layer to different VLAN inside, the embodiment of another isolation of the present invention.Because inner at Xen, the communication between the same node virtual machine is undertaken by the Xen bridge.The instrument iptables of fire wall control has the functions such as IP Packet Filtering, address translation in the prior art.
So some strobe utility that provides by means of iptables is in the inner isolated controlling that realizes network layer of virtual machine.After the virtual machine activation of a certain application type is finished, the local virtual machine is by obtaining local address information automatic analysis local network information, number automatically add the isolation rule of network layer according to the network ID that parses, the realization of rule is to allow virtual machine and virtual machine place node of the same type to set up normal data communication, refuses for the virtual machine of different application type.
The isolation flow process of network layer is as follows:
Step 501, virtual machine activation success, the isolated process of virtual machine inside or isolation module self-starting operation.
Step 502, isolated process or isolation module are obtained the IP address of this virtual machine.
Step 503, isolated process or isolation module obtain the subnet of ip address of the application network segment at this virtual machine place.
Step 504, isolated process is transferred or isolation module iptables relevant interface, sets up the isolation rule.
When realizing the isolation of network layer, dissimilar virtual machines can be comprised of a network segment specially, all in the 10.10.1.0/24 network segment, and the virtual machine ip that web services is provided is all in the 10.10.2.0/24 network segment such as: the virtual machine ip that office service is provided.
Behind the virtual machine activation, automatically move dummy spacer (visolator) service and detector (detector) service;
Detector is watched the local network configuration information, obtains following information: the IP address, and subnet mask (netmask) information, and calculate accordingly the subnet address at local machine place, this subnet address is the address of this VLAN.
Detector is issued dummy spacer with the VLAN subnet information that calculates, and dummy spacer is corresponding regular according to the client's who receives request definition, and adds rule in the filter of trend iptables table.
Isolator is formulated corresponding isolation rule according to the VLAN at virtual machine place.For example, source IP address and the purpose IP address rule of correspondence in same VLAN is for passing through.Wherein, by IP address and subnet mask account network number, determine that by network number whether source IP and purpose IP are at same VLAN.
Detector is in network broadcast message, the IP information of acquisition request place node.
The network that all physical nodes that local network refers to form, because detector need to be known the physics host node at this virtual machine place, and VLAN is cross-node, so broadcast in the local network that needs.
Detector adds the physical node IP information of obtaining in the filter table of iptables maintenance to.
Adding rule in the Filter table is IP information.
Realize the system of TPM in a kind of computing environment of polycaryon processor, comprise node,
Described node is used for allowing a nuclear job of processor when starting, and described nuclear moves high limiting operation system, and other nuclears of described processor are in dormant state;
After the nuclear of described work enters normal operating conditions, write the TPM function, form the TPM simulator in order to the function that realizes TPM;
The described nuclear that the is in dormant state operation normal operations system that starts working provides the TPM security service by described high limiting operation system for the startup of described normal operations system.
Described computing environment is virtualized computing environment, and described node also is used for adopting Xen to carry out virtual to described node.
Better, described system also comprises the VTPM manager,
A virtual machine in the computing environment forms a VTPM manager;
Described VTPM manager is used for creating a thread monitoring Xen and operates; When node creates a virtual machine, be VTPM example of described virtual machine creating; Described VTPM example is by providing the TPM service with the communication of described TPM simulator for virtual machine.
Better, described system also comprises the front-end proxy agent that connects with node;
Described VTPM manager also is used for the generating platform configuration information, sends to described front-end proxy agent;
Described front-end proxy agent is used for receiving described platform configuration information, and stores in the platform configuration information table; When client-requested is accessed, from described platform configuration information table, search the platform configuration information with the relevant virtual machine of described client-access, send to described client.
Better, described node comprises isolator, the network interface card of virtual machine is connected to virtual bridge by virtual interface;
Described isolator, for detection of whether new virtual machine creating is arranged on the described node, if having, then obtain the MAC Address of virtual machine and the type of virtual machine, formulate corresponding isolation rule according to described virtual machine type, described isolation rule is added in the Link Filter table; When node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Better, described node is also for the MAC Address of the virtual machine that will newly create and the isolator that type is broadcast to other nodes;
Described isolator also is used for receiving MAC Address and the type of broadcasting, according to the information of the virtual machine of this locality storage of node, formulates the isolation rule, and the isolation rule is added in the local Link Filter table; When node receives packet, according to isolation rule in the described Link Filter table, with described package forward to virtual machine.
Better, described system also comprises: dummy spacer,
After described node also is used for virtual machine activation, check that the network configuration information of virtual machine this locality obtains IP address and subnet mask, calculate the described subnet address of virtual machine, the information of subnet address is issued the dummy spacer of virtual machine;
Described dummy spacer is used for formulating corresponding filtering rule according to the subnet address information of receiving, described filtering rule is stored in the network filtering table; When virtual machine receives the IP bag, according to isolation rule in the described network filtering table, process described IP bag.
Better, described node also is used for by virtual machine to the local network broadcast request message;
Described dummy spacer also is used at virtual machine during to the local network broadcast request message, the network address information of the virtual machine of the described node in acquisition request place; The network information of obtaining is added in the network filtering table.
Those skilled in the art can also carry out various modifications to above content under the condition that does not break away from the definite the spirit and scope of the present invention of claims.Therefore scope of the present invention is not limited in above explanation, but determined by the scope of claims.