Background technology
Virtualization technology was born as early as the 1960s; it was proposed by IBM and applied to IBM's System 370 systems. As virtualization technology has come into widespread use, the security problems that accompany it have multiplied. Virtualization technology can guarantee a certain degree of security; for example, the virtual machines running on one physical platform are isolated from each other and do not interfere with one another. But it does not fundamentally solve the security problems that computer systems face. On the contrary, because the VMM (Virtual Machine Monitor) has super privileges, attacks on the VMM become a major security risk for the system.
Paravirtualization is a concept proposed by Cambridge University, and it was accompanied by the development of the Xen hypervisor project. The Xen hypervisor is a system-level virtualization tool used to implement a virtual machine system on a terminal.
Fig. 1 is a structural diagram of a Xen hypervisor virtual machine system. The bottom layer in Fig. 1 is the hardware resources; the Xen hypervisor VMM runs on the hardware resources, manages them, and virtualizes several virtual hardware environments. Multiple Guest OSes (guest operating systems), denoted DomU, run on the Xen hypervisor VMM; a Guest OS is an operating system installed in a virtual machine or in a disk partition other than that of the parent or main operating system. Unmodified user applications run in the application layer of DomU. A front-end device driver runs in the kernel layer of DomU, and user applications operate on hardware resources through the front-end device driver. The front-end device driver does not actually operate on the hardware resources; it does so through a back-end device driver. The back-end device driver is located in VM0, which is denoted Dom0 in Fig. 1. VM0 is a special Guest OS, also called the privileged Guest OS. It is called the privileged Guest OS because the VMM hypervisor interface programs, part of the resource managers, and the Guest OS supervision and control programs all run in the application layer of VM0; that is, VM0 is the Guest OS with administrative authority. VM0 can access peripherals directly; that is, it has the authority to manage and operate all peripherals.
A back-end device driver runs in the kernel of VM0. It accepts requests from other Guest OSes to operate on hardware resources and hands them to the device driver in VM0; the device driver carries out the operation on the hardware resources, and the result it returns is passed back to the front-end device driver.
In this virtualization architecture, the Xen hypervisor keeps the systems isolated from each other. Each VM (virtual machine) runs in its own memory space and is unaware of the existence of other VMs; it believes it has the whole physical platform to itself, and the corresponding applications run on the VM kernel. The Xen hypervisor isolates the different VMs so that security problems in one VM cannot affect other VMs on the same platform. But this architecture still has the following security problems.
Because VM0 is authorized by the Xen hypervisor as the privileged Guest OS and can interact directly with hardware, an attack on VM0 may leak information belonging to other VMs.
The Xen hypervisor VMM is also privileged: it runs at the CPU's privileged level, unlike the operating systems, which run at a non-privileged level. Security problems in the Xen hypervisor itself have therefore also become a major security risk for the whole system.
Trusted computing technology was born at the end of the last century, and from the outset its purpose was to improve the trustworthiness of terminal systems from the ground up. IT companies such as IBM, HP (Hewlett-Packard), Intel and Microsoft set up the Trusted Computing Platform Alliance (TCPA), which had nearly 190 members. TCPA defined the Trusted Platform Module (TPM), which has secure storage and encryption functions, and devoted itself to trusted computing for data security, including the development of cryptographic chips, special CPUs, motherboards and operating system security kernels. The organization was later renamed the Trusted Computing Group (TCG) and continues to advance the development of trusted computing.
The Trusted Computing Group has proposed a series of standards that promote computer system security, including the TPM (Trusted Platform Module) security chip standard; trust in a terminal is established by embedding a TPM chip in it. The role of the TPM security chip is as follows: from the moment the computer starts, the integrity of each module of the terminal system must be measured before that module takes control of the system. Measurement here means performing a hash operation on the program and saving the result in a PCR (Platform Configuration Register) inside the TPM. By reading the hash values in the PCRs, one judges whether the terminal system has been tampered with and thus determines whether the terminal is trusted.
However, for various reasons the use of TPM chips is greatly limited, in the following respects. First, there is the problem of TPM support: most existing computer systems were not designed with support for trusted computing technology in mind. Second, the TPM chip design is itself complex: according to the TCG standard, a TPM chip needs roughly more than 120 functions fixed internally. In actual use, especially in mobile terminals, cost and portability are very important criteria, and the complex structure of the TPM has largely limited its widespread use in such devices. Third, no support for virtualization technology is provided: neither the TPM standard nor TPM chips address support for virtualization technology.
Summary of the invention
To solve the above problems, the invention provides a method and a device for creating a trusted environment for a multi-core processor virtual machine system, which can create a trusted environment for the virtual machine system and solve the problem of untrusted computer network terminal systems.
The invention discloses a method for creating a trusted environment for a multi-core processor virtual machine system, comprising:
Step 1: isolate one core from the multi-core processor and run a customized TPM chip simulator on that core;
Step 2: when the trusted environment is created, the TPM chip simulator measures the virtual machine monitor.
Step 2 further comprises:
Step 21: when the trusted environment is created, the TPM chip simulator performs a hash operation on the code of the virtual machine monitor and saves the computed hash value.
Step 1 further comprises:
Step 31: isolate one core from the multi-core processor and run a custom operating system on that core;
Step 32: run the customized TPM chip simulator in the custom operating system.
Between step 1 and step 2, the method further comprises:
Step 41: run the virtualization tool to perform virtualization and start the privileged guest operating system; the cores in the multi-core processor that serve the virtual machines are the application cores.
Before the TPM chip simulator measures the virtual machine monitor in step 2, the method further comprises:
Step 51: shut down the virtualization tool;
Step 52: shut down the application cores in the multi-core processor virtual machine system, disable virtual memory, and disable direct memory access;
Step 53: initialize the hardware of the multi-core processor virtual machine system.
After step 2, the method further comprises:
Step 54: restore the application cores that were shut down, the virtual memory that was disabled and the direct memory access that was disabled, and start the virtualization tool to set up virtual machines.
The invention also discloses a device for creating a trusted environment for a multi-core processor virtual machine system,
comprising a TPM chip simulator used to measure the virtual machine monitor when the trusted environment is created.
The TPM chip simulator runs on a core isolated from the multi-core processor.
The TPM chip simulator is further used, when the trusted environment is created, to perform a hash operation on the code of the virtual machine monitor and save the computed hash value.
The core isolated from the multi-core processor runs a custom operating system, and the TPM chip simulator runs in that custom operating system.
The virtualization tool runs before the trusted environment is created and starts the privileged guest operating system; the cores in the multi-core processor that serve the virtual machines are the application cores.
The device further comprises:
A disabling module, used to shut down the virtualization tool before the TPM chip simulator performs the measurement, to shut down the application cores in the multi-core processor virtual machine system, to disable virtual memory, and to disable direct memory access;
A security initialization module, used to initialize the hardware of the multi-core processor virtual machine system after the disabling module has finished shutting down and disabling, and to start the TPM chip simulator once initialization is complete;
A recovery module, used, after the TPM chip simulator has stored the hash value, to restore the application cores that were shut down, the virtual memory that was disabled and the direct memory access that was disabled, and to start the virtualization tool to set up the virtual machine system.
The beneficial effects of the invention are as follows. A TPM simulator (TPM Function Module) is implemented in the virtual machine system; because the TPM simulator can be customized to the security requirements of the specific virtual machine system and need not implement the whole TCG standard, the cost of mobile terminal devices can be reduced while the terminal remains trusted. By recording the startup process of the virtualization tool, measuring the integrity of the virtualization tool before it takes control of the system, and saving the measurement result, the trustworthiness of the startup process is guaranteed. Performing security computation on a core isolated from the processor's cores improves utilization of the whole processor and strengthens the security of the virtual machine system. Creating the trusted environment after the virtual machine system has started means that the BIOS is no longer part of the trusted base, which shrinks the trusted computing base; a smaller trusted base better guarantees the security of the system, which in turn increases the security of the virtual machine system.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings.
The flow of the method of the invention for creating a trusted environment for a multi-core processor virtual machine system is shown in Fig. 2.
Step S100: isolate one core from the multi-core processor and run a customized TPM chip simulator on that core.
Isolating one core of the multi-core CPU to run the customized TPM chip simulator ensures that the simulator's operation is not affected by the other cores, and the other cores are unaware of the simulator's existence.
Step S200: when the trusted environment is created, the TPM chip simulator measures the VMM (virtual machine monitor).
With this method, the TPM chip simulator runs in an isolated environment. On the one hand, its invisibility to the outside guarantees its own robustness; on the other hand, it can record the startup state of the system and verify whether the system's startup process has been tampered with.
After the virtual machine system finishes starting, a trusted-boot virtual machine system has been established. A trusted-boot virtual machine system is one in which, starting from the initial root of trust, the integrity of every virtual machine system module or component that has been started has been measured, that is, hashed.
The measurement is implemented by computing a hash value: the TPM chip simulator performs a hash operation on the code of the virtual machine monitor and saves the computed hash value.
The trusted environment can be created when the virtual machine system starts, in which case the VMM is measured directly. It can also be created after the virtual machine system has started, when a security threat arises.
The specific procedure for creating the trusted environment after the virtual machine system has started is as follows.
The virtualization tool is the Xen hypervisor or VMware.
Step S201: isolate one core from the multi-core processor and run a customized TPM chip simulator on that core.
One core is isolated from the multi-core processor and a custom operating system is run on it; the customized TPM chip simulator runs in that custom operating system.
The custom operating system provides trusted services to the virtualization tool and records information about the startup of the virtualization tool and its virtual machines.
While the custom operating system provides trusted services to the virtualization tool, the two communicate by reading from and writing to the same file on disk. In this way the custom operating system can both record information about the startup of the virtualization tool and stay hidden from the virtualization tool.
Step S202: run the virtualization tool to perform virtualization and start the privileged guest operating system; the cores in the multi-core processor that serve the virtual machines are the application cores.
Step S203: shut down the virtualization tool.
Step S204: shut down the application cores in the multi-core processor virtual machine system, disable virtual memory, and disable direct memory access.
Step S205: initialize the hardware of the multi-core processor virtual machine system.
Step S206: the TPM chip simulator performs a hash operation on the code of the virtual machine monitor and saves the computed hash value.
Step S207: restore the application cores that were shut down, the virtual memory that was disabled and the direct memory access that was disabled, and start the virtualization tool to set up virtual machines.
Embodiment
An embodiment of the method of the invention for creating a trusted environment for a multi-core processor virtual machine system is shown in Fig. 3. The virtual machine system in this embodiment contains a four-core processor, and the virtualization tool is the Xen hypervisor.
Solid arrows represent integrity measurement, and dashed arrows represent storage of the measurement values.
One core of the multi-core processor, core 1, is isolated to run the custom operating system, and the customized TPM chip simulator runs on it. The custom operating system and the TPM chip simulator are bound together and expose a TPM function interface, so that together they emulate a real TPM security chip. In this way a TPM security chip can be simulated on any multi-core system, providing support for the trustworthiness of the system.
In the Xen hypervisor virtualization environment, the Xen hypervisor VMM runs directly on the hardware, and multiple mutually isolated virtual machines (called Domains) run on the VMM. One of them is the privileged Dom0, called the Guest OS, which is responsible for managing the other DomU on the whole Xen hypervisor. When the virtual machine system is attacked or a Trojan is injected into it, the whole system faces a serious security threat, so a trusted environment needs to be created. The trusted environment is created as follows.
Step S301: start the custom operating system and run the TPM chip simulator.
Step S302: start the Xen hypervisor and Dom0.
After Dom0 has finished starting, system startup continues. The system at this point has not been started in a trusted manner. When at some moment a Domain has higher security requirements, step S303 is carried out.
Step S303: Dom0 issues the trusted rebuild command Sec-restart, and the Xen hypervisor then restarts.
Step S304: the security initialization program starts running and performs a series of actions, including disabling interrupts, disabling virtual memory, disabling DMA (direct memory access), and shutting down the application cores with the IPI instruction so that they are in a dormant state.
Step S305: the security initialization program initializes the system hardware.
Step S306: in the final stage of the security initialization program, the TPM chip simulator measures the Xen hypervisor VMM through the security initialization program, and the security initialization program sends the result to the TPM chip simulator to be saved.
Step S307: the dormant application cores are woken with the IPI instruction, the previously disabled functions such as interrupts and DMA are re-enabled, and control is handed to the Xen hypervisor.
Step S308: the Xen hypervisor starts running, and the subsequent startup of Domain0 and DomainU is then built on a secure Xen hypervisor.
To ensure that the above process is not disrupted, the whole series of steps is executed atomically. This measure-before-load process establishes a secure execution environment for the Xen hypervisor VMM. The invention does not use a real TPM chip; it uses a general-purpose multi-core CPU to simulate the function of a TPM chip, and the measurement process is the process of hashing the code or memory addresses of each object. At the very start of the process, the TPM chip simulator uses its hash function to hash the secure loader and the Xen hypervisor and records their hash values for use in trusted authentication.
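The S303 to S308 sequence above modelled in Python, as an added example that is not code from the patent: the simulator refuses to measure unless the VMM, application cores, interrupts, virtual memory and DMA are all off, and a verifier recomputes the stored value from a reference image. SHA-256, the extend-style update, the all-zero initial register and every class and function name are assumptions; the page specifies only that a hash of the VMM code is computed and saved.

```python
import hashlib

ZERO_PCR = bytes(32)  # assumed initial register value (all zeros)


class TpmSimulator:
    """Model of the customized TPM chip simulator on the isolated core."""

    def __init__(self):
        self.pcr = ZERO_PCR

    def extend(self, digest: bytes) -> bytes:
        # TCG-style extend, new = H(old || digest); the page only says "saved".
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        return self.pcr


class Platform:
    """Constructed model: core 1 isolated, cores 2-4 are application cores."""

    def __init__(self, vmm_image: bytes):
        self.vmm_image = vmm_image
        self.tpm = TpmSimulator()
        self.state = {"vmm": True, "app_cores": True, "interrupts": True,
                      "virtual_memory": True, "dma": True}
        self.hw_initialized = False

    def quiesce(self):  # S303-S304: stop the VMM, park cores, close DMA
        for key in self.state:
            self.state[key] = False

    def init_hardware(self):  # S305
        self._require_quiesced("hardware initialization")
        self.hw_initialized = True

    def measure_vmm(self) -> bytes:  # S306
        self._require_quiesced("measurement")
        if not self.hw_initialized:
            raise RuntimeError("measurement before hardware initialization")
        return self.tpm.extend(hashlib.sha256(self.vmm_image).digest())

    def resume(self):  # S307-S308: wake cores, reopen DMA, hand over control
        for key in self.state:
            self.state[key] = True

    def _require_quiesced(self, what: str):
        active = [k for k, on in self.state.items() if on]
        if active:
            # Anything still active could change the image after it is hashed.
            raise RuntimeError(f"{what} refused, still active: {active}")


def trusted_rebuild(platform: Platform) -> bytes:
    """Run S303-S308 in order and return the stored measurement."""
    platform.quiesce()
    platform.init_hardware()
    stored = platform.measure_vmm()
    platform.resume()
    return stored


def expected_measurement(reference_image: bytes) -> bytes:
    """Verifier side: recompute the register value from a known-good image."""
    inner = hashlib.sha256(reference_image).digest()
    return hashlib.sha256(ZERO_PCR + inner).digest()


# Constructed sample images, not real hypervisor binaries.
GOOD_VMM = b"xen-vmm-image-build-A"
TAMPERED_VMM = GOOD_VMM + b"-modified"
```

Comparing `trusted_rebuild(Platform(image))` with `expected_measurement(GOOD_VMM)` is the check a verifier would make during trusted authentication; it matches only for the unmodified image.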
The invention is a preventive technique: it ensures that every link of the system is controllable and is intact and undamaged. Because the transfer of trust always needs a source, that is, it must pass through a trusted node, a trusted, isolated execution environment is established from the very beginning to ensure that the Xen hypervisor runs in this trusted environment. The chain of trust is then passed on level by level until the application the user needs is running. The result is a complete, untampered system from the bottom layer to the top, which lets users know the state of the platform they are using.
The device of the invention for creating a trusted environment for a multi-core processor virtual machine system comprises a TPM chip simulator used to measure the virtual machine monitor when the trusted environment is created; the TPM chip simulator runs on a core isolated from the multi-core processor.
The TPM chip simulator is further used, when the trusted environment is created, to perform a hash operation on the code of the virtual machine monitor and save the computed hash value.
The core isolated from the multi-core processor runs a custom operating system, and the TPM chip simulator runs in that custom operating system.
The virtualization tool runs before the trusted environment is created and starts the privileged guest operating system; the cores in the multi-core processor that serve the virtual machines are the application cores.
In a preferred implementation, the device further comprises a disabling module, a security initialization module and a recovery module.
The disabling module is used to shut down the virtualization tool before the TPM chip simulator performs the measurement, to shut down the application cores in the multi-core processor virtual machine system, to disable virtual memory, and to disable direct memory access;
The security initialization module is used to initialize the hardware of the multi-core processor virtual machine system after the disabling module has finished shutting down and disabling, and to start the TPM chip simulator once initialization is complete;
The recovery module is used, after the TPM chip simulator has stored the hash value, to restore the application cores that were shut down, the virtual memory that was disabled and the direct memory access that was disabled, and to start the virtualization tool to set up the virtual machine system.
The hardware implementation of a multi-core processor virtual machine system with a trusted environment is shown in Fig. 4.
Memory comprises two parts, TPM environment memory and Xen hypervisor memory. The cores of the multi-core processor are likewise divided into two classes, core 1 and cores 2 to 4, which serve the TPM chip simulator and the Xen hypervisor respectively. The TPM chip simulator and the Xen hypervisor are isolated from each other by an access control mechanism. The Xen hypervisor and the virtual machines on it provide services externally, while the TPM chip simulator is responsible for the trustworthiness of the whole system.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the invention as defined by the claims. The scope of the invention is therefore not limited to the above description but is determined by the scope of the claims.