CN105022954A - Dynamic running method for security kernel service of tristate operating system in Feiteng CPU - Google Patents

Abstract

The invention discloses a dynamic running method for a security kernel service of a tristate operating system in a Feiteng CPU. The method comprises the steps of: dividing a kernel into a system state and a kernel state of different privilege levels; establishing a service framework in the kernel state to serve as a container for the security kernel service, and establishing a call interface for the security kernel service; establishing a virtual driving interface in the system state to support a user state to call the security kernel service; loading the service framework and the built-in security kernel service after enabling the CPU to be powered on; and loading a loading part of a system service module and starting a system service, wherein the service framework provides the security kernel service and makes a response to a dynamic loading/unloading request of the security kernel service. The dynamic running method can realize security protection on specific hardware resources of the system, realize security access to a core service of the operating system, efficiently support credibility conformation of the system, effectively improve the system security, lower the security risk of traditional kernel bugs and provide an efficient and flexible credible calculating ecological environment for users.

Description

To soar tri-state operation security of system kernel services dynamic operation method on CPU

Technical field

The present invention relates to the security kernel service technology of computer operating system, be specifically related to one and soar tri-state operation security of system kernel services dynamic operation method on CPU.

Background technology

1, operating system and current the run into subject matter of core design.

Operating system is generally as the basic software directly run on hardware, and its function is direct control and management system resource (comprising software, hardware), gives full play to the performance of hardware resource; Its memory-resident, and be supplied to application program and user's two kinds of interfaces: operation-interface and DLL (dynamic link library).User is by operation-interface, many with hardware with the details of system software without the need to understanding, and just can use computing machine easily.Various program can use DLL (dynamic link library) to allow operating system be its service, and uses hardware and software resource by operating system.The kind of operating system is quite a lot of, the operating system that various equipment is installed from simple to complexity, can be divided into smart card operating system, real time operating system, sensor node operation system, embedded OS, PC operating system, multiprocessor operations system, network operating system and large scale computer operating system.Comparatively common operating system has UNIX, Linux, Mac OS, Windows, iOS, Android etc. at present.

The modern operating system be born under the impact of Software engineering thought and Structural Program Designing method, be nearly all the structure of hierarchy type, the various functions of operating system is arranged on different levels respectively.In the two condition operating system of prior art as shown in Figure 1, module under kernel state is the service module of operating system, under kernel state, some and hardware context service module more closely, such as Clock management, interrupt processing, device drives etc. are in the bottom of kernel state, next is the service module that running frequency is higher, such as management of process, memory management and equipment control etc., this two parts Composition of contents kernel of operating system, its command operating is operated in kernel state, kernel state need the service module of the hardware resource of access hardware layer then by equipment interface access hardware resource, and comprise firmware and system loads module for realizing the startup of operating system, the respective services that application program provides based on kernel state is run, and be generally operational in User space, the application program of User space realizes carrying out alternately with the service module of kernel state by system call interfaces.

As shown in Figure 1, operating system generally uses system call interfaces as the interactive interface between the user program of User space and the service module of kernel state.Various shared resources in operating system are all by operating system monopolize, therefore in user program, every operation relevant with resource (as storage allocation, carrying out I/0 transmission and management document etc.), all to operating system, services request must be proposed by system call interfaces mode, and by operating system on behalf of completing.Use systemic-function by the mode of system call interfaces, stability and the security of system can be ensured, prevent user from arbitrarily changing or the data of access system or order.Usually, the system call interfaces order that operating system provides has tens and even up to a hundred more than.These system calls constitute the main services interface of kernel, are broadly divided into following a few class by function:

● equipment control, the request of finishing equipment or release, and the function such as device start.

● file management, completes the functions such as the reading and writing of file, establishment and deletion.

● Process flowchart, functions such as completing the establishment of process, cancel, block and wake up.

● process communication, completes the function such as Message Transmission or signal transmission between process.

● memory management, completes the distribution of internal memory, recovery and obtains the function such as operation committed memory district's size and beginning location.

The architecture of operating system is the problem of an opening, and except system divides becomes this overall hierarchy structure of User space, kernel state, kernel state structure is also segmented and defined two kinds of architectures: large kernel and micro-kernel.

● large core system using the main functional modules of operating system all as an overall operation be closely connected at kernel mode, thus provide high performance system service for application.Because share information between each administration module, available characteristic each other effectively can be utilized, so have unrivaled performance advantage.But along with the development of operating system, the service that kernel provides gets more and more, and form becomes increasingly complex, and design scale is sharp increase also, predicament that operating system is also faced with " software crisis ".Except the reduction of reliability, any one kernel leak all can allow malicious attacker control whole system easily.The safety problem brought for the kernel code solving operating system is too huge and complexity problem, so propose the architecture of micro-kernel.

● function (as management of process etc.) the most basic in kernel is retained in kernel by the architecture of micro-kernel, and those is not needed the function performed at kernel mode to move on to User space execution, thus reduces the design complexity of kernel.And those operating system codes shifting out kernel are divided into some service routines according to the principle of layering, their execution is separate, then all communicates by means of micro-kernel alternately.Microkernel designs has effectively been separated kernel and service, has served and serve, and make the interface between them more clear, the cost of maintenance reduces greatly, and each several part can be optimized and evolution independently, thus ensure that the safety and reliability of operating system.The greatest problem of microkernel designs is performance issue, because need to switch between kernel mode and User space continually, the executive overhead of operating system is bigger than normal.Those system services frequently used are retracted kernel again by the operating system therefore had, thus ensure system performance.

2, the security threat of current operation system.

The factor affecting operating system security is a lot.First, operating system is a shared resource system, supports that multi-user shares the resource of a set of computer system simultaneously, has resource sharing just to need conservation of resources, relate to various safety issue; Secondly, along with developing rapidly of computer network, except the Storage and Processing of information, there is mass data transfer operation, so just need the protection of network security and data message, prevent invader's malicious sabotage.In order to understand existing security threat (attack) and type thereof, the safety requirements of computer systems and networks communication is divided into four aspects:

● confidentiality.Require that the information in computer system can only be carried out the access in specialized range by grantee.

● integrality.Require that the information in computer system can only be authorized to user's amendment, retouching operation comprise write, rewrite, change state, deletion and establishment etc.

● availability.Prevent illegal exclusive resource, when validated user needs, suitable resource for computer system can be had access to, for it provides required service.

● authenticity.Require that computer system can confirm the identity of user, prevent disabled user's invasive system, and confirm the authenticity of Data Source.

The security threat that operating system faces substantially represent the threat that computer system faces.Computer virus and assault are two kinds of forms being familiar with of people the most in the security threat suffered by operating system.Virus is one section of executable code with the feature such as the of self-replication capacity and disguise, infectiousness and latency in essence; Assault then shows as the personnel that possess some computer expertise and technology by analysis mining system vulnerability with utilize network to steal secret information to particular system, destroy or capture.Current operating system needs the main target of protection to be that sensitive data is not illegally stolen or destroys, and these sensitive datas both can be key, document or database, also can be code or algorithm.

3, to soar the brief introduction of CPU platform.

Series Universal processor of soaring is by the high performance universal microprocessor of National University of Defense technology's independent research, and towards issued transaction and data center server demand, application comprises Party, government and army's network system security, large data processing, cloud computing application etc.The 1500+ series CPU that soars wherein is based on ARM64 architecture design, and compatible armv8 instruction set, comprises universal, embedded or multiple model such as desktop type and high-performance calculation type.Chip uses ripe SOC technology and 28nm production technology, core clock frequencies 1.5GHz, and adopt Multi-core architecture, every CPU is by 4-16 SMP(symmetric multiprocessor) core, there is powerful calculating and transaction capabilities.In addition on chip, also integrated multiple depositing controls unit and DDR3 memory channel, and PCIe 3.0 I/O interface, efficiently solves IO bottleneck problem.

1500+ series of soaring CPU to be a kind of word length the be ARM instruction set compatible universal processor of 64, has 4 kinds of runlevel EL0-EL3.Similar with the effect of X86 series processors ring0-ring3, these runlevels determine instruction execution and the address access rights of processor.The user program execution pattern that wherein the corresponding authority of EL0 is minimum; The kernel state execution pattern of the corresponding legacy operating system of EL1; EL2 corresponding monitor of virtual machine hypervisor execution pattern; EL3 is most highly privileged state, security of operation MONITOR MODE.The architecture Design of CPU and the IO design of SoC are all that EL3 privilege state provides special support, and some self-defining computational resources, memory source and I/O device controller can only be accessed from EL3 state, to other franchise state isolation.In other words, EL3 privilege state can all resources of access system, can open limited resources for lower level of privilege access by configuration.Utilize the exception handling that architecture Design provides, the exception that can be caused by instruction or external interrupt from lower franchise state is trapped in EL3, thus being switched to the process code of most highly privileged state, the code of EL3 pattern also can perform link order and be switched to certain lower franchise state.

1500+ series of soaring CPU possesses the support to TrustZone technology.Safeguard procedures are incorporated in process core, memory access mechanism, bus and system peripherals IP device by this technology, and realize safety by the collaborative work of software and hardware, and energy minimization equipment cost.Protected assets are placed in specific hardware module by TrustZone; and any part in system can be set to by Secure isolation by the mechanism that is to provide, it provide a basic platform and from an assembly scope, choose the assembly meeting oneself specific function for SoC deviser and realize shielded security context.Its basic thought is that system resource is divided into Liang Ge district by all SoC hardware and softwares are carried out subregion: Secure world corresponds to security partitioning, and Normal world corresponds to common subregion.Secure world resource can not be accessed by Normal world software and hardware.Processor has two kinds of virtual states, one as Non-secure, another is Secure, and can be provided in the monitor mode mechanism of handoff-security between two virtual core, the mark of the NS place value determination virtual core sent by main system bus, and the access rights of steering order and data.Non-secure virtual processor can only access Non-secure system resource, but Secure virtual processor can access all resources.MMU(Memory Management Unit) by the conversion table managing internal memory Mapping and Converting of software control.Corresponding to two virtual processors, TrustZone hardware mechanisms provides two virtual MMU.Each like this secure context has oneself conversion table, can independently controlled map location.Containing a NS territory in L1 translation table entry form, determine which kind of region of memory it will access for the empty processor of Secure state.The empty processor of Non-secure state can ignore this territory, and internal storage access always makes NS=1.This design makes Secure state processor can access the internal memory of two states.All add extra control signal position for read and write channel in bus protocol specification, namely Non-Secure position, referred to as NS position, the access permission of the device of different world can be controlled.On Feiteng processor platform, by the control of EL3 state software, the resource that can will need, comprises the isolation such as internal memory, device controller to a believable security domain, realizes independently secure operating environment, provide service to the remainder of system.

In sum, for CPU platform and even all CPU computing platforms of soaring, how to realize operating system security kernel services safe, reliable, efficient, run neatly, become the technical matters of a key urgently to be resolved hurrily.

Summary of the invention

The technical problem to be solved in the present invention is: for the above-mentioned technical matters of prior art; there is provided a kind of and can realize safeguard protection to system specific hardware resource, realize the secure access to operating system kernel service, the credibility of efficient back-up system confirms; can the security of effective elevator system; reduce the security risk that traditional kernel leak is introduced, and tri-state operation security of system kernel services dynamic operation method on the CPU that soars that the trust computing ecologic environment of high efficient and flexible is provided to user.

In order to solve the problems of the technologies described above, the technical solution used in the present invention is:

One is soared tri-state operation security of system kernel services dynamic operation method on CPU, and step comprises:

1) under maintenance User space, the Least Privilege grade of application program is constant, the kernel of operating system is divided into the systematic thinking way of time low prerogative grade and the kernel state of most highly privileged grade, in kernel state, set up the container that dynamic security kernel services framework is served as security kernel, and provide service by security kernel service call interface SKSC to the system service of systematic thinking way; The function services of the operating system nucleus in operating system except security kernel service is provided by systematic thinking way, there is provided service by system call interfaces to the application program of User space, and in systematic thinking way, set up virtual drive interface to support the application call security kernel service of User space;

2) after CPU powers up, dynamic security kernel services framework and built-in security kernel service is loaded by the secure firmware under kernel state;

3) load activation member OSLM by described secure firmware loading system service, load activation member OSLM start up system service under systematic thinking way by system service;

4) dynamic security kernel services framework based on the security kernel service loaded provide serve and respond security kernel service Dynamic Load Request and dynamic offloading request.

Preferably, when providing service by security kernel service call interface SKSC to the system service of systematic thinking way in described step 1), described security kernel service call interface SKSC does not allow the memory pointer transmitting User space.

Preferably, described step 2) detailed step comprise:

2.1) before CPU powers up, trust authentication is carried out to the secure firmware stored, if trust authentication does not pass through, then report an error and stop starting; If trust authentication passes through, then to power up at CPU, after secure firmware under kernel state completes basic initialization, be there is by described secure firmware setting the secure storage module of most highly privileged grade;

2.2) driver of described secure storage module is loaded by described secure firmware;

2.3) load dynamic security kernel services framework by described secure firmware, then detect and load security kernel service built-in in secure firmware;

2.4) by serving the security kernel service monitoring module of the management of overall entrance and distribution in described secure firmware initialization dynamic security kernel services framework for realizing security kernel, the built-in security kernel service loaded by described security kernel service monitoring module record.

Preferably, described step 2.4) in security kernel service monitoring module based on service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [] realize security kernel serve overall entrance management and distribute; Described service log shaping array KSN2SKS [] is for recording from the corresponding relation between the service call number of SKSC and concrete security kernel service, its subscript corresponding kernel services call number KSN, the value of its each element is the call number of service descriptor array SKSDISCRIPTOR []; Described service descriptor array SKSDISCRIPTOR [] is for recording all security kernel services loaded, and each element is the description scheme of a security kernel service.

Preferably, the field of described service descriptor array SKSDISCRIPTOR [] comprises address field stem Header, the relocatable address Relocation of security kernel service corresponding with service reflection, code segment and data segment data, and described code segment comprises initialization function pointer Init, service processing function pointer Handler.

Preferably, described step 2.4) in the step of built-in security kernel service that loaded of record comprise:

2.4.1) for the built-in security kernel service that each has loaded, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

2.4.2) for each built-in security kernel service, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [].

Preferably, the detailed step of described step 3) comprises:

3.1) activation member OSLM is loaded in the internal memory of secondary low prerogative grade by described secure firmware loading system service;

3.2) cpu instruction pointer register is revised as the entry instruction address that system service loads activation member OSLM, and the secondary low rights that franchise state system service being loaded activation member OSLM switches to User space corresponding;

3.3) the activation member OSLM kernel that loading system service module is corresponding under systematic thinking way is loaded by described system service, and the virtual drive interface of security kernel service under setting up the application call kernel state for realizing User space.

Preferably, the concrete steps of service are provided to comprise based on the security kernel service loaded in described step 4): when the application requests security kernel service of User space, the application program of User space is absorbed in systematic thinking way by the virtual drive interface under system call interfaces calling system state, calling of virtual drive interface is converted to calling of security kernel service call interface SKSC and is absorbed in kernel state by the system service under systematic thinking way, dynamic security kernel services framework under kernel state is according to the kernel services call number KSN of the call request of security kernel service call interface SKSC, specify corresponding security kernel service processing and pass through security kernel service call interface SKSC successively, virtual drive interface, the application program that system call interfaces asks security kernel to be served under service result successively being returned to User space.

Preferably, the detailed step of the Dynamic Load Request and dynamic offloading request that respond security kernel service in described step 4) comprises:

4.1) monitoring of described dynamic security kernel services framework receives application program under User space and sends Dynamic Load Request by system call interfaces, virtual drive interface, security kernel service call interface SKSC successively or the Dynamic Load Request of security kernel service that caused by secure storage module and dynamic offloading request, when receiving Dynamic Load Request, redirect performs step 4.2); When system closing or when receiving dynamic offloading request, redirect performs step 4.6);

4.2) described dynamic security kernel services framework is based on the driver scanning file system of user of the secure storage module loaded or secure storage module, search meets the service image file of the encryption of given filename, if search for unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If search for successfully, then the service image file encrypted in the file system of user or secure storage module is downloaded to the buffer zone in the secure memory with most highly privileged grade, and deciphering is plaintext in buffer zone, if decipher unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If successful decryption, then redirect performs next step;

4.3) described dynamic security kernel services framework to the service reflection deciphered expressly in serve publisher and signature carries out legitimate verification, if be verified as illegal, then return security kernel service and load unsuccessfully also redirect execution step 4); If it is legal to be verified as, then redirect performs next step;

4.4) legal security kernel service is verified as this, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

4.5) legal security kernel service is verified as this, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, redirect performs step 4), the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], and redirect performs step 4),

4.6) unload the security kernel service of specifying, discharge the resource of unloaded security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR []; If unload the security kernel service operations of specifying to trigger by receiving dynamic offloading request, redirect performs step 4).

The present invention's tri-state operation security of system kernel services dynamic operation method on CPU of soaring has following advantage:

1, safe reliability is high.The present invention keeps the Least Privilege grade of application program under User space constant, the kernel of operating system is divided into the systematic thinking way of time low prerogative grade and the kernel state of most highly privileged grade, thus achieve a new kernel state by tri-state operation system architecture, be subject to strict privilege protection, system call interfaces is passed through between tri-state, security kernel service call interface SKSC two kinds of Interface realizations call, User space program only homologous ray state code has interactive interface, with kernel state without any direct interaction, thus the risk that can effectively reduce by the service of system vulnerability unauthorized access kernel state, there is the advantage that safe reliability is high, the safeguard protection to system specific hardware resource can be realized, realize the secure access to operating system kernel service, the credibility of efficient back-up system confirms, can the security of effective elevator system, reduce the security risk that traditional kernel leak is introduced, and the trust computing ecologic environment of high efficient and flexible is provided to user.

2, run efficiently.The security kernel service that small part is only related to safe operation by the present invention is isolated in separately kernel state operation, the traditional kernel services of major part still coexists in systematic thinking way code, therefore the state handover overhead of safe operation just between meeting guidance system state and kernel state is only had, there is not the state handover overhead between systematic thinking way and kernel state in non-secure operations, therefore state handover overhead a large amount of between micro-kernel system service is avoided, obviously can not reduce running efficiency of system while raising security, have and run efficient advantage.

3, operating cost is low.The dynamic load that the present invention supports security kernel to serve and unloading, therefore the trusted module realized for prior art dedicated devices can perform on system CPU in security kernel service in a software form, the high-performance that can make full use of system CPU improves the execution efficiency of algorithm, dispose simple, operational efficiency is high, but also effectively can reduce hardware purchase, the maintenance cost of safe operation.

4, dirigibility and extensibility good.The dynamic load that the present invention supports security kernel to serve and unloading, can will need the security service dynamic load/be unloaded to kernel state of protection, dirigibility and extensibility good, but also effectively overcome the defect that traditional trusted component is difficult to upgrade.

5, compatible strong.Most system services under the environment of User space in legacy operating system and systematic thinking way remain unchanged by tri-state operation system of the present invention, only that security kernel service is carried out layering and isolation based on dynamic security kernel services framework, therefore, it is possible to very little to the change of operating system, other existing security mechanism can be integrated easily.For trusted technology, the present invention can be realized at kernel state by most of function of tri-state structure by traditional trusted component, not only can elevator system degree of integration, also reduces the cost of system.

Accompanying drawing explanation

Fig. 1 is the operating system configuration diagram of prior art.

Fig. 2 is the hardware platform structural representation of application embodiment of the present invention method.

Fig. 3 is the basic procedure schematic diagram of the embodiment of the present invention.

Fig. 4 is the configuration diagram of the tri-state operation system of the embodiment of the present invention.

Fig. 5 is the mapping relations schematic diagram in the embodiment of the present invention between service log shaping array and service descriptor counts group.

Fig. 6 is the schematic flow sheet of dynamic load security kernel service in the embodiment of the present invention.

Embodiment

As shown in Figure 2, the present embodiment is specifically 1500A processor platform to be embodied as example to be described soaring.Based on SoC(System on Chip) 1500A processor platform of soaring include many (4 ~ 16) individual process core, memory access controller MCU, DDR3 internal memory, based on USB controller, SATA controller, the FLASH memory of AMBA bus, and the slot of multiple support PCIE3.0 agreement.In addition, this platform also comprises a simple CRTM module and is connected with flash storage by means of only spi bus, for carrying out Trusting eBusiness to the content of flash storage before host CPU powers up.

As shown in Figure 3, the present embodiment step of tri-state operation security of system kernel services dynamic operation method on CPU of soaring comprises:

1) under maintenance User space, the Least Privilege grade of application program is constant, the kernel of operating system is divided into the systematic thinking way of time low prerogative grade and the kernel state of most highly privileged grade, in kernel state, set up the container that dynamic security kernel services framework is served as security kernel, and provide service by security kernel service call interface SKSC to the system service of systematic thinking way; The function services of the operating system nucleus in operating system except security kernel service is provided by systematic thinking way, there is provided service by system call interfaces to the application program of User space, and in systematic thinking way, set up virtual drive interface to support the application call security kernel service of User space;

2) after CPU powers up, dynamic security kernel services framework and built-in security kernel service is loaded by the secure firmware under kernel state;

3) load activation member OSLM by the service of secure firmware loading system, load activation member OSLM start up system service under systematic thinking way by system service;

4) dynamic security kernel services framework based on the security kernel service loaded provide serve and respond security kernel service Dynamic Load Request and dynamic offloading request.

As shown in Figure 4, the application of legacy operating system state-kernel state double-layer structure is extended to User space-systematic thinking way-kernel state three-decker by the present embodiment, focusing under the aim to the compatibility of legacy operating system and application program, only legacy operating system kernel source code is revised on a small quantity, remain the core functions of most legacy operating system, by increasing portion firmware function code, the kernel of legacy operating system realizes the two parts being then cut into different prerogative grade in the present embodiment, namely the security kernel part (EL3) under kernel state and the system service functions part (EL1) under systematic thinking way, the container that dynamic security kernel services framework is served as security kernel is set up in kernel state, the security kernel service call interface SKSC(Secure Kernel Service Call achieved towards systematic thinking way under kernel state is called) for the security kernel service under operating system nucleus state, achieve the dynamic load to kernel state service module and scheduling, thus provide the safe operation ability of kernel state service, and support is provided to the credible startup of operating system.The core of the kernel state that the present embodiment expands as security protection and the barrier of resource security isolation, consider for many-side, CPU is designed to first perform level of privilege instruction corresponding to kernel state after power, and therefore kernel state code is by secure firmware first load and execution.In addition, conveniently develop and manage, kernel state function is needed to include multiple security kernel service, and can load respectively and scheduled for executing, so the present embodiment sets up the container that dynamic security kernel services framework is served as security kernel in kernel state, first perform after CPU powers up, dynamic security kernel services framework with the service of online mode dynamic load security kernel, and can be served by dynamic offloading security kernel.The application of legacy operating system state-kernel state double-layer structure is extended to User space-systematic thinking way-kernel state three-decker by the present embodiment, the safe operation related to for security kernel service is made to need to be triggered to the switching of kernel state, but for the non-secure operations of the overwhelming majority, it performs flow process and is still consistent with traditional (SuSE) Linux OS, do not introduce the expenses such as state switching, therefore the overhead introduced is very little, maintains the high efficiency of system.

In the present embodiment, the User space-systematic thinking way-kernel state three-decker forming tri-state operation system is as follows:

(1) User space: under User space, the Least Privilege grade of application program remains unchanged in the present embodiment and traditional operating system, and namely kernel external environment and system call interfaces are completely constant, application state operates in EL0 prerogative grade.Therefore, under User space, application binaries code can application binaries code under complete multiplexing legacy operating system, can the application program of compatible legacy operating system.

(2) kernel state: the security kernel part under kernel state provides the security kernel be closely related with safety problem service, such as cryptographic service, rights management service, security log service etc., operate in EL3 prerogative grade, the container that the dynamic security kernel services framework of security kernel part is served as security kernel, provides service by security kernel service call interface SKSC to the system service of systematic thinking way; Security kernel service both can be the hardware dependant security kernel services be based upon in secure hardware resource, also can be the common security kernel service be not based upon in secure hardware resource.

(3) systematic thinking way: the system service functions part under systematic thinking way provides the major part of legacy operating system kernel functional system service, and export traditional kernel services by system call interfaces to the application program of User space, be operated in EL1 prerogative grade, setting up in systematic thinking way has virtual drive interface to support the application call security kernel service of User space.

In the present embodiment, when providing service by security kernel service call interface SKSC to the system service of systematic thinking way in step 1), security kernel service call interface SKSC does not allow the memory pointer transmitting User space.Because security kernel service call interface SKSC does not allow the memory pointer transmitting User space, this just avoids malicious application changes kernel state code normal execution route by modes such as leak spillings to a great extent, therefore improves isolation and the attack tolerant of kernel state resource.

In the present embodiment, step 2) detailed step comprise:

2.1) before CPU powers up, trust authentication is carried out to the secure firmware stored, if trust authentication does not pass through, then report an error and stop starting; If trust authentication passes through, then to power up at CPU, after secure firmware under kernel state completes basic initialization, be there is by secure firmware setting the secure storage module of most highly privileged grade; In the present embodiment, trust authentication is carried out specifically based on the CRTM module (core of credible tolerance root to the secure firmware stored, core root of trust for measurement) realize, for guaranteeing the confidence level of secure firmware, prevent secure firmware to be tampered;

2.2) driver of secure storage module is loaded by secure firmware;

2.3) load dynamic security kernel services framework by secure firmware, then detect and load security kernel service built-in in secure firmware;

2.4) by serving the security kernel service monitoring module of the management of overall entrance and distribution in secure firmware initialization dynamic security kernel services framework for realizing security kernel, the built-in security kernel service loaded by security kernel service monitoring module record.

Secure storage module is the basis ensureing security kernel service dynamic operation.See Fig. 2, DDR3 internal memory, USB controller and flash storage that wherein shade is filled are the secure storage module with most highly privileged grade that the present embodiment is arranged, it is only that the code (security kernel service) with EL3 authority can conduct interviews and operate, and is hereinafter called secure DDR, secure USB and secure Flash.Secure DDR is used for the service image file of decompress(ion) security kernel service; Secure Flash is for placing secure firmware (built-in dynamic security kernel service framework and the built-in security kernel service of part); Secure USB is used for the extra Kernel security service of dynamic load.The security kernel service related in the present embodiment specifically comprises core trusted module service KTPM and core system authentication service KAS, in core trusted module service KTPM integrated security firmware, directly loaded by secure Flash in secure firmware initialization dynamic security kernel services framework, core system authentication service KAS is follow-up by secure USB dynamic load.What needs were said is, the security setting of secure DDR, secure USB and secure Flash specifically refers to and to arrange based on TrustZone that setting related register and data structure realize, what TrustZone was set to soar 1500A processor platform carries function, therefore is not described in detail in this.Certainly, other CPU platforms except 1500A processor platform of soaring, as long as this CPU platform has the function support of safety storage apparatus, it equally also can arrange secure storage module.

In the present embodiment, step 2.4) in security kernel service monitoring module realize security kernel based on service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [] and serve the management of overall entrance and distribute; Service log shaping array KSN2SKS [] is for recording from the corresponding relation between the service call number of SKSC and concrete security kernel service, its subscript corresponding kernel services call number KSN(Kernel Service Number), the value of its each element is the call number of service descriptor array SKSDISCRIPTOR []; Service descriptor array SKSDISCRIPTOR [] is for recording all security kernel services loaded, and each element is the description scheme of a security kernel service.Be many-to-one mapping relations between service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], this is because each security kernel service only has a service descriptor, but but may be assigned with multiple kernel services call number KSN.

As shown in Figure 5, in service log shaping array KSN2SKS [], element index1 and index2 maps to the element index0 in service descriptor array SKSDISCRIPTOR [], and in service log shaping array KSN2SKS [], element index3 ~ index5 maps to the element index1 in service descriptor array SKSDISCRIPTOR [].First dynamic security kernel services framework can be registered a KSN and be mapped to and self provide the function of the service loading processing in security kernel service monitoring module, thus to realize the security kernel service call interface SKSC of dynamic load security kernel service.After this, when upper layer request loads new security kernel service, be that new security kernel service distributes KSN section by this service loading processing function, element in the service descriptor array SKSDISCRIPTOR [] that initialization is corresponding, and mapping relations are set up in service log shaping array KSN2SKS [] array.The present embodiment realizes the dynamic management to security kernel service based on service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], make dynamic security kernel services framework have the ability of on-line loaded and the service of unloading security kernel, guarantee the quickness and high efficiency of on-line loaded and the service of unloading security kernel.If there is any mistake in framework in service loading procedure, service loading processing function all directly will return mistake, and the resource be released in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], although introduce " fragment " may to like this service log shaping array KSN2SKS [], if but service log shaping array KSN2SKS [] resource is abundant or the frequency of service loading and unloading is not high, then the impact that fragment effect is brought can not considered.The KSN section of distributing for new security kernel service in the present embodiment is continuous print section, also can distribute discontinuous section in addition.

In the present embodiment, the field of service descriptor array SKSDISCRIPTOR [] comprises address field stem Header, the relocatable address Relocation of security kernel service corresponding with service reflection, code segment and data segment data, and code segment comprises initialization function pointer Init, service processing function pointer Handler.

In the present embodiment, maximum 256 kernel services of the present embodiment support number and maximum 32 kernel services.Therefore, the length of service log shaping array KSN2SKS [] is 256, and the length of service descriptor array SKSDISCRIPTOR [] is 32.

The false code of the C language statement of service log shaping array KSN2SKS [] is: Int KSN2SKS [256];

The false code that the C language of service descriptor array SKSDISCRIPTOR [] describes is:

Struct SKSD{

Struct header h;

Struct relocation r;

Int (*handler)();

Int (*init)();

Strcut data d;

}SKSDISCRIPTOR[32];

In above-mentioned false code, Struct header h represents the address field stem Header of service reflection, Struct relocation r represents relocatable address Relocation, Int (* handler) () represents service processing function pointer Handler, Int (* init) () represents initialization function pointer Init, and Strcut data d represents data segment data.

In the present embodiment, step 2.4) in the step of built-in security kernel service that loaded of record comprise:

2.4.1) for the built-in security kernel service that each has loaded, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

2.4.2) for each built-in security kernel service, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [].

Only built-in core trusted module service KTPM security kernel service in the present embodiment, aforesaid step 2.4.1 before therefore only needing to carry out for core trusted module service KTPM) ~ 2.4.2); Certainly, also can built-in more security kernel service as required, its principle is identical with the present embodiment, therefore does not repeat them here.

In the present embodiment, the container that dynamic security kernel services framework is served as security kernel, its major function comprises: a), the compression and decompression of unified monitoring and Administrative Security kernel services.Security kernel services is in most highly privileged state, and system service code is trapped in kernel state by security kernel service interface calling interface SKSC and calls security kernel service, the service needed for being called out by kernel services call number KSN; B) the service reflection of the security kernel service of dynamic load, is obtained.When loading security kernel service, security kernel Service Instance passes to dynamic security kernel services framework online in crypto image mode, the service reflection of security kernel service both can be loaded into from User space, can load again from the equipment (as safe storage, safe serial ports etc.) that security kernel isolation is exclusive; C), the signature of Digital signature service publisher.Dynamic security kernel services framework possesses the ability of serving publisher's signature verification, and the signature of expressly videoing according to security kernel service can judge that whether the source of this service is legal; D), the information of deciphering and the service of reading security kernel.Security kernel service reflection after deciphering possesses address field stem, a reorientation module and code segment and data segment, and wherein code segment generally comprises an initialization function Init () and an initialization function Handler ().Dynamic security kernel services framework distributes secure memory according to the service of giving of address field stem and reorientation module, load pending service code to secure memory, treat run time version and carry out address reorientation, call the initialization function Init () of service code, then wait for that initialization function Handler () is called by security kernel service interface calling interface SKSC.

In the present embodiment, the detailed step of step 3) comprises:

3.1) activation member OSLM is loaded in the internal memory of secondary low prerogative grade by the service of secure firmware loading system;

3.2) cpu instruction pointer register is revised as the entry instruction address that system service loads activation member OSLM, and the secondary low rights that franchise state system service being loaded activation member OSLM switches to User space corresponding;

3.3) the activation member OSLM kernel that loading system service module is corresponding under systematic thinking way is loaded by system service, and the virtual drive interface of security kernel service under setting up the application call kernel state for realizing User space.Kernel corresponding to system service module is the linux kernel revised, it is the interface function adding security kernel service call interface SKSC with the remarkable difference of standard Linux kernel, thus based on security kernel service call interface SKSC, kernel is divided into systematic thinking way and kernel state, and creates virtual drive interface and call security kernel service for application layer.The mode of the application requests security kernel service of User space utilizes system call interfaces to access above-mentioned virtual drive interface, this calls initiation and is trapped in systematic thinking way, and by being converted to security kernel service call interface SKSC after system service process, be trapped in kernel state, successively return by after kernel services process, give user program eventually through returning of system call by service result.

In the present embodiment, the concrete steps of service are provided to comprise based on the security kernel service loaded in step 4): when the application requests security kernel service of User space, the application program of User space is absorbed in systematic thinking way by the virtual drive interface under system call interfaces calling system state, calling of virtual drive interface is converted to calling of security kernel service call interface SKSC and is absorbed in kernel state by the system service under systematic thinking way, dynamic security kernel services framework under kernel state is according to the kernel services call number KSN of the call request of security kernel service call interface SKSC, specify corresponding security kernel service processing and pass through security kernel service call interface SKSC successively, virtual drive interface, the application program that system call interfaces asks security kernel to be served under service result successively being returned to User space.

In the present embodiment, the detailed step of the Dynamic Load Request and dynamic offloading request that respond security kernel service in step 4) comprises:

4.1) monitoring of dynamic security kernel services framework receives application program under User space and sends Dynamic Load Request by system call interfaces, virtual drive interface, security kernel service call interface SKSC successively or the Dynamic Load Request of security kernel service that caused by secure storage module and dynamic offloading request, when receiving Dynamic Load Request, redirect performs step 4.2); When system closing or when receiving dynamic offloading request, redirect performs step 4.6);

4.2) dynamic security kernel services framework scans based on the driver of the secure storage module loaded the secure storage module that secure USB(also can adopt other types, the such as safety storage apparatus of secure DDR and secure Flash and other types provides the service image file of encryption, the service image file of encryption can be provided in addition) by the file system of user, search meets the service image file of the encryption of given filename, if search for unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If search for successfully, then the service image file encrypted in the file system of user or secure storage module is downloaded to the buffer zone in the secure memory secure DDR with most highly privileged grade, and deciphering is plaintext in buffer zone, if decipher unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If successful decryption, then redirect performs next step;

4.3) dynamic security kernel services framework to the service reflection deciphered expressly in serve publisher and signature carries out legitimate verification, if be verified as illegal, then return security kernel service and load unsuccessfully also redirect execution step 4); If it is legal to be verified as, then redirect performs next step;

4.4) legal security kernel service is verified as this, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

4.5) legal security kernel service is verified as this, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, redirect performs step 4), the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], and redirect performs step 4),

4.6) unload the security kernel service of specifying, discharge the resource of unloaded security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR []; If unload the security kernel service operations of specifying to trigger by receiving dynamic offloading request, redirect performs step 4).

Core system authentication service KAS in the present embodiment is by secure USB dynamic load, to load core system authentication service KAS, virtual drive interface transmits Dynamic Load Request to the dynamic security kernel services framework of kernel state, tell that dynamic security kernel services framework loads core system authentication service KAS, and the filename of service reflection corresponding to core system authentication service KAS.Dynamic security kernel services framework utilizes USB driver scanning calorimeter plug memory device, and search meets the image file of given filename.If search for unsuccessfully, then directly return mistake.If have found specified file, then crypto image is downloaded to a buffer zone of secure memory secure DDR, and be decrypted in buffer zone; If decipher unsuccessfully, then return security kernel and load unsuccessfully, otherwise service for checking credentials distributor information; If serve the non-rule return service of publisher to load unsuccessfully, otherwise carry out Resourse Distribute and KSN mapping, wherein Resourse Distribute not only comprises distribution and initialization data structure, also comprises for service reflection distributes execution internal memory and reflection is copied to this internal memory; Then dynamic security kernel services framework carries out address reorientation rewriting to the reflection in internal memory; Last dynamic security kernel services framework calls the initialization function Init () of core system authentication service KAS after reorientation, if initialization success, then core system authentication service KAS serves ready, otherwise returns core system authentication service KAS and load unsuccessfully.

Need to say, the present embodiment is only the serial CPU of 1500+ that soars is example, to soar on CPU tri-state operation security of system kernel services dynamic operation method to carry out exemplary explanation to the present invention.Certainly, under the prerequisite supporting different level privileges, hardware supported secure storage module, operating system security kernel services dynamic operation on the CPU that soars that the technical scheme of the present embodiment equally also goes for other series, but also can operating system security kernel services dynamic operation on further genralrlization to other universal cpu.

The above is only the preferred embodiment of the present invention, protection scope of the present invention be not only confined to above-described embodiment, and all technical schemes belonged under thinking of the present invention all belong to protection scope of the present invention.It should be pointed out that for those skilled in the art, some improvements and modifications without departing from the principles of the present invention, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (9)

1. to soar a tri-state operation security of system kernel services dynamic operation method on CPU, it is characterized in that step comprises:

1) under maintenance User space, the Least Privilege grade of application program is constant, the kernel of operating system is divided into the systematic thinking way of time low prerogative grade and the kernel state of most highly privileged grade, in kernel state, set up the container that dynamic security kernel services framework is served as security kernel, and provide service by security kernel service call interface SKSC to the system service of systematic thinking way; The function services of the operating system nucleus in operating system except security kernel service is provided by systematic thinking way, there is provided service by system call interfaces to the application program of User space, and in systematic thinking way, set up virtual drive interface to support the application call security kernel service of User space;

2) after CPU powers up, dynamic security kernel services framework and built-in security kernel service is loaded by the secure firmware under kernel state;

3) load activation member OSLM by described secure firmware loading system service, load activation member OSLM start up system service under systematic thinking way by system service;

4) dynamic security kernel services framework based on the security kernel service loaded provide serve and respond security kernel service Dynamic Load Request and dynamic offloading request.

2. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 1, it is characterized in that: when providing service by security kernel service call interface SKSC to the system service of systematic thinking way in described step 1), described security kernel service call interface SKSC does not allow the memory pointer transmitting User space.

3. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 2, is characterized in that, described step 2) detailed step comprise:

2.1) before CPU powers up, trust authentication is carried out to the secure firmware stored, if trust authentication does not pass through, then report an error and stop starting; If trust authentication passes through, then to power up at CPU, after secure firmware under kernel state completes basic initialization, be there is by described secure firmware setting the secure storage module of most highly privileged grade;

2.2) driver of described secure storage module is loaded by described secure firmware;

2.3) load dynamic security kernel services framework by described secure firmware, then detect and load security kernel service built-in in secure firmware;

2.4) by serving the security kernel service monitoring module of the management of overall entrance and distribution in described secure firmware initialization dynamic security kernel services framework for realizing security kernel, the built-in security kernel service loaded by described security kernel service monitoring module record.

4. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 3, is characterized in that: described step 2.4) in security kernel service monitoring module based on service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [] realize security kernel serve overall entrance management and distribute; Described service log shaping array KSN2SKS [] is for recording from the corresponding relation between the service call number of SKSC and concrete security kernel service, its subscript corresponding kernel services call number KSN, the value of its each element is the call number of service descriptor array SKSDISCRIPTOR []; Described service descriptor array SKSDISCRIPTOR [] is for recording all security kernel services loaded, and each element is the description scheme of a security kernel service.

5. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 4, it is characterized in that: the field of described service descriptor array SKSDISCRIPTOR [] comprises address field stem Header, the relocatable address Relocation of security kernel service corresponding with service reflection, code segment and data segment data, and described code segment comprises initialization function pointer Init, service processing function pointer Handler.

6. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 5, is characterized in that, described step 2.4) in the step of built-in security kernel service that loaded of record comprise:

2.4.1) for the built-in security kernel service that each has loaded, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

2.4.2) for each built-in security kernel service, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [].

7. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 6, it is characterized in that, the detailed step of described step 3) comprises:

3.1) activation member OSLM is loaded in the internal memory of secondary low prerogative grade by described secure firmware loading system service;

3.2) cpu instruction pointer register is revised as the entry instruction address that system service loads activation member OSLM, and the secondary low rights that franchise state system service being loaded activation member OSLM switches to User space corresponding;

3.3) the activation member OSLM kernel that loading system service module is corresponding under systematic thinking way is loaded by described system service, and the virtual drive interface of security kernel service under setting up the application call kernel state for realizing User space.

8. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 7, it is characterized in that, the concrete steps of service are provided to comprise based on the security kernel service loaded in described step 4): when the application requests security kernel service of User space, the application program of User space is absorbed in systematic thinking way by the virtual drive interface under system call interfaces calling system state, calling of virtual drive interface is converted to calling of security kernel service call interface SKSC and is absorbed in kernel state by the system service under systematic thinking way, dynamic security kernel services framework under kernel state is according to the kernel services call number KSN of the call request of security kernel service call interface SKSC, specify corresponding security kernel service processing and pass through security kernel service call interface SKSC successively, virtual drive interface, the application program that system call interfaces asks security kernel to be served under service result successively being returned to User space.

9. tri-state operation security of system kernel services dynamic operation method on the CPU that soars according to claim 8, it is characterized in that, the detailed step of the Dynamic Load Request and dynamic offloading request that respond security kernel service in described step 4) comprises:

4.1) monitoring of described dynamic security kernel services framework receives application program under User space and sends Dynamic Load Request by system call interfaces, virtual drive interface, security kernel service call interface SKSC successively or the Dynamic Load Request of security kernel service that caused by secure storage module and dynamic offloading request, when receiving Dynamic Load Request, redirect performs step 4.2); When system closing or when receiving dynamic offloading request, redirect performs step 4.6);

4.2) described dynamic security kernel services framework is based on the driver scanning file system of user of the secure storage module loaded or secure storage module, search meets the service image file of the encryption of given filename, if search for unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If search for successfully, then the service image file encrypted in the file system of user or secure storage module is downloaded to the buffer zone in the secure memory with most highly privileged grade, and deciphering is plaintext in buffer zone, if decipher unsuccessfully, then return security kernel service and load unsuccessfully and redirect execution step 4); If successful decryption, then redirect performs next step;

4.3) described dynamic security kernel services framework to the service reflection deciphered expressly in serve publisher and signature carries out legitimate verification, if be verified as illegal, then return security kernel service and load unsuccessfully also redirect execution step 4); If it is legal to be verified as, then redirect performs next step;

4.4) legal security kernel service is verified as this, distribute number section of kernel services call number KSN, corresponding description scheme is set up, the mapping relations between the description scheme in number section and service descriptor counts group SKSDISCRIPTOR [] of service log shaping array KSN2SKS [] middle generation kernel services call number KSN in service descriptor array SKSDISCRIPTOR [];

4.5) legal security kernel service is verified as this, read the data structure of carrying in corresponding service reflection, perform memory headroom for this service distributes and the service of security kernel service reflection is copied in this memory headroom, by the address field stem Header structure record of the first address of this execution memory headroom by service descriptor array in the secure memory with most highly privileged grade, carry out address reorientation rewriting to service to be run in this execution memory headroom reflection, the address of reorientation being rewritten is by the relocatable address Relocation record of service descriptor array, the initialization function address for the treatment of in this execution memory headroom in operation service reflection and service processing function address are write respectively initialization function pointer Init and the service processing function pointer Handler of service descriptor array, and call the initialization function Init () after reorientation and carry out initialization, if initialization success, then using number section of kernel services call number KSN as feedback parameter along with security kernel service loads the called side that successful message returns to security kernel service call interface SKSC, initialization function Handler () after reorientation starts to wait for calling from security kernel service call interface SKSC, redirect performs step 4), the failed then return service of initialization loads unsuccessfully else if, then release loads the resource of failed security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR [], and redirect performs step 4),

4.6) unload the security kernel service of specifying, discharge the resource of unloaded security kernel service in service log shaping array KSN2SKS [] and service descriptor counts group SKSDISCRIPTOR []; If unload the security kernel service operations of specifying to trigger by receiving dynamic offloading request, redirect performs step 4).