CN105786588A - Remote authentication method for cleanroom trusted virtual machine monitor - Google Patents
- Publication number: CN105786588A (application CN201610096110.1A)
- Authority: CN (China)
- Prior art keywords: module, remote authentication, credible, tpm, measurement
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2113—Multi-level security, e.g. mandatory access control
Abstract
The invention provides a remote authentication (attestation) method for a cleanroom trusted virtual machine monitor. The method uses a fallback technique: an instruction that causes the virtual machine to exit unconditionally is injected, forcing the CPU core from the user's virtual machine into the VMM, so that the measurement agent is guaranteed to measure the integrity of the VMM and the VMM is prevented from forging or tampering with the authentication process. In the initial setup step, the type identifiers of the system management interrupt (SMI) handler calls are stored in the CR3 control register; whenever an interrupt occurs, the system interrupt handler first matches the generated interrupt type against the interrupt types stored in CR3, and if the match fails the interrupt is not allowed to run, which stops malicious interrupts from running. The method therefore fully guarantees covert measurement of the VMM, atomicity of the verification process, integrity of the measurement environment information, and authenticity of the measurement result.
Description
Technical field
The invention belongs to the field of computer science and technology, and in particular to a remote authentication method for a cleanroom trusted virtual machine monitor.
Background technology
As network technology grows richer, network attack techniques also change from day to day, and trusted computing is an effective way to give systems "immunity" against them. Cleanroom computing is a strategy, based on trusted computing, for guaranteeing computational security. Its key technical point is building a trusted virtual machine monitor (TVMM) by combining trusted computing technology with virtualization technology. Building the TVMM, the key technology of this security framework, requires guaranteeing three things at once: the security of the virtual machine monitor (VMM) deployment process, the security of the VMM startup process, and the security of the VMM at run time. The difficult part of building the cleanroom security framework is guaranteeing the security of the VMM while it runs. Because the VMM is the software with the highest privilege level, a malicious VMM may intercept remote authentication, remove its attack traces before verification executes, or tamper with the real verification result. A rogue program could then "do as it pleases", which is a serious security hazard. A remote authentication technique for the cleanroom trusted virtual machine monitor is needed to guarantee the security of the running VMM; this technique measures the integrity and trustworthiness of the VMM at run time by means of remote authentication.
Existing remote authentication methods rely only on the functional units inside the Trusted Platform Module (TPM) chip, namely the SHA-1 engine, the series of Platform Configuration Registers (PCRs) that store SHA-1 values, and the RSA encryption and decryption functions, and verify integrity and communication security simply by matching SHA-1 values. Such methods cannot guarantee that the remote authentication is not intercepted or tampered with, because the VMM has the highest privilege level and a malicious VMM can manipulate the remote authentication process at will. Without that guarantee there is no security, and trustworthiness is out of the question.
Summary of the invention
The invention provides a remote authentication method for a trusted virtual machine monitor in a cleanroom. The method performs "covert" and "atomic" detection of the integrity and trustworthiness of the running virtual machine monitor, and so obtains a true, trustworthy and complete remote authentication result.
The remote authentication method for a cleanroom trusted virtual machine monitor comprises the following steps:
Step 1: initial setup;
Step 1.1: install, on the target node to be monitored, out-of-band channel software that can remotely trigger the system management interrupt (SMI) handler; at the same time configure the storage space for the type identifiers of the SMI handler calls, and store the SHA-1 value of the SMI handler code and data in the non-volatile tamper-resistant storage of the Trusted Platform Module (TPM);
The type identifiers of the SMI handler calls are stored in the CR3 control register;
Step 1.2: install the virtual machine monitor on a trusted computing platform based on a conventional BIOS;
Step 1.3: add a measurement agent module to the virtual machine monitor, and save the hash values of the added measurement agent module's data and code in the TPM's non-volatile tamper-resistant storage; the measurement agent module uses a fallback mechanism and an interrupt-abort mechanism;
The added measurement agent module uses the dynamic measurement method PRIMA to dynamically measure the operating system and applications; the measurement agent inside the virtual machine monitor uses the fallback technique to guarantee that it can measure the integrity of the virtual machine monitor;
Step 1.4: use the measurement agent module added to the virtual machine monitor to compute the hash value of the data and code of the virtual machine monitor, and store this hash value in the TPM's non-volatile tamper-resistant storage;
Step 1.5: install a remote authentication proxy module in the target node's system, and at the same time save the hash values of the remote authentication proxy module's data and code in the TPM's non-volatile tamper-resistant storage;
Step 2: trusted startup of the target node system;
Step 2.1: using the non-flashable BIOS code fragment that complies with the TCG specification as the starting point, start the system BIOS of the target node;
Step 2.2: using the transitive trust mechanism, perform a trusted startup of the target node system based on the TPM;
The SHA-1 value of the BIOS and of the core root of trust for measurement is compared with the previously stored SHA-1 reference value taken when the platform was genuine and intact:
If the measured value equals the reference value, the target node system is allowed to run, the measured value is placed in a Platform Configuration Register (PCR) inside the TPM and a measurement log is stored; otherwise the TPM restores and restarts the platform, or halts its operation;
After the BIOS and the core root of trust for measurement have been measured, the hardware, option ROMs and OS loader are measured in the same way and their measurement results are stored to the TPM; the OS loader then measures the OS kernel and reports it to the TPM. The TPM then combines these measurement results and reports the integrity status of the BIOS, hardware, option ROMs, OS loader and OS kernel to the OS. The chain keeps extending in this way, and once the integrity of any component is broken the system cannot start normally. This process establishes a chain of trust, and the chain of trust guarantees the trustworthiness of the computing platform.
Step 2.3: use the RSA public key algorithm in the TPM to generate a public/private key pair; before the target node system locks the system management RAM (SMRAM), place the private key in SMRAM and place the public key in a fixed Platform Configuration Register (PCR) of the TPM;
This guarantees the security and trustworthiness of the remote authentication.
Step 2.4: verify the integrity of the remote authentication proxy;
Use the SHA-1 function generator in the TPM to compute the SHA-1 value of the remote authentication proxy's data and code, and match it against the SHA-1 value of the remote authentication proxy's data and code stored in the TPM's non-volatile memory in initial setup step 1.5. If the match succeeds, the remote authentication proxy is intact and the method proceeds to step 2.5; otherwise an authentication-environment integrity failure report is sent to the remote authentication end, the remote authentication proxy is reset, and step 2.4 is verified again;
Step 2.5: verify the integrity of the measurement agent inside the virtual machine monitor and of the SMI handler;
If the integrity verification passes, proceed to step 2.6;
If the integrity verification does not pass, proceed to step 5;
Step 2.6: wait for a remote authentication interrupt; once the interrupt signal has been generated, the measurement agent module placed in the virtual machine monitor in initial setup step 1.3 measures the dynamic integrity of the target node system and sends the measurement result to the remote authentication end;
Step 3: the remote authentication user sends an authentication request to the authentication proxy module in the target node, and sends a random number at the same time;
Step 4: generate the TPM private-key signature and the SMI private-key signature;
The authentication proxy module in the target node sends the received random number to the TPM and to the SMI handler respectively; the TPM and the SMI handler each sign the received random number using the private key placed in SMRAM, and once the TPM private-key signature and the SMI private-key signature have been generated, the signatures are sent to the authentication proxy module;
Step 5: the authentication proxy module verifies the received TPM private-key signature and SMI private-key signature with the public key it holds, and sends the verification result to the remote authentication end;
At the same time, the verification results of steps 2.4, 2.5 and 2.6 of the target node's system startup process are signed with the private key stored in SMRAM and returned to the remote authentication user of step 3; once the verification process is complete, the authentication result is obtained.
The remote authentication end thus obtains both the result of verifying the integrity of the measurement environment and the result of the dynamic measurement of the target node at run time.
The out-of-band channel software installed in initial setup step 1.1, which can remotely trigger the SMI handler, is the means by which the remote authentication side generates the interrupt.
When an interrupt or exception occurs while the measurement agent module is executing a measurement, the measurement control flow is transferred directly to the SMI handler.
The detailed process of the chain of trust is: the SHA-1 value of the BIOS and of the core root of trust for measurement is compared with the previously stored SHA-1 reference value taken when the platform was genuine and intact:
If the measured value equals the reference value, the platform is allowed to run, the measured value is placed in the Platform Configuration Register (PCR) and the measurement log is stored; otherwise the TPM restores and restarts the platform, or halts its operation;
After the BIOS and the core root of trust for measurement have been measured, the same operation is applied to the startup code, and finally the synchronous dynamic random access memory (SDRAM) is measured.
To guarantee the covertness of the verification process, that is, to keep the VMM from detecting it, the complete and genuine VMM context, including the VMM's data and code together with the integrity state of the CPU, must be obtained; the difficulty is the uncertainty of the CPU's processing mode. When the SMI interrupts, the CPU may be in VMM (root) operation mode or in user virtual machine (non-root) operation mode. Only when the CPU is operating in root mode can the measurement agent obtain complete measurement information by interrupting the CPU; when the CPU is operating in non-root mode, the measurement agent cannot obtain any measurement information. The project therefore uses a fallback technique: it injects an instruction that causes the virtual machine to exit unconditionally, forcing the CPU core from the user virtual machine into the VMM. The VMM can neither detect nor control this whole process. This guarantees that the measurement agent can measure the integrity of the VMM, and prevents the VMM from forging or tampering with the verification process.
To guarantee the atomicity of the verification process, that is, that the verification process once started cannot be interrupted or tampered with: in initial setup step 1 the type identifiers of the SMI handler calls are stored in the CR3 control register, and whenever an interrupt occurs, the system interrupt handler first matches the generated interrupt type against the interrupt types stored in the CR3 control register. This interrupt-abort mechanism forwards every interrupt that occurs during measurement to the SMI handler for interrupt-type matching. If the match succeeds, the interrupt type is "legal" and the interrupt is allowed to run; if the match fails, the interrupt is not allowed to run. This prevents "malicious" interrupts from running, so the verification process proceeds normally without being maliciously tampered with.
The fallback technique is used: an instruction that causes the virtual machine to exit unconditionally is injected, forcing the CPU core from the user virtual machine into the VMM. The VMM can neither detect nor control the whole process;
The fallback procedure is as follows: save the values of all registers, together with the next instruction and its address; inject a privileged instruction in place of the next instruction; set a performance counter register to overflow once a single event has been counted; and modify the Local Advanced Programmable Interrupt Controller (LAPIC) so that the performance counter overflow raises an SMI. This process guarantees the integrity of the measurement environment information;
A remote authentication system for a cleanroom trusted virtual machine monitor comprises a trusted platform module, a remote authentication end, IPMI, a baseboard management controller, an SMI handler, a virtual machine monitor, a user virtual machine and an authentication proxy module;
A measurement agent module is provided inside the virtual machine monitor, and the remote authentication end is connected to the authentication proxy module through IPMI;
The SMI handler and the baseboard management controller are both connected to the authentication proxy module;
The measurement agent module and the baseboard management controller are both connected to the SMI handler;
The trusted platform module is connected to the virtual machine monitor.
Beneficial effects
The invention provides a remote authentication method for a cleanroom trusted virtual machine monitor. The method uses a fallback technique: an instruction that causes the virtual machine to exit unconditionally is injected, forcing the CPU core from the user virtual machine into the VMM, and the VMM can neither detect nor control the whole process. This guarantees that the measurement agent can measure the integrity of the VMM and prevents the VMM from forging or tampering with the verification process. In the initial setup step, the type identifiers of the SMI handler calls are stored in the CR3 control register; whenever an interrupt occurs, the system interrupt handler first matches the generated interrupt type against the interrupt types stored in the CR3 control register, and the interrupt-abort mechanism forwards every interrupt that occurs during measurement to the SMI handler for this matching. If the match succeeds, the interrupt type is "legal" and the interrupt is allowed to run; if the match fails, the interrupt is not allowed to run, which prevents "malicious" interrupts from running and lets the verification process proceed normally without malicious tampering. The remote authentication process of the invention effectively solves the trustworthiness problem of the VMM at run time, and fully guarantees covert measurement of the VMM, atomicity of the verification process, integrity of the measurement environment information and authenticity of the measurement result.
Description of the drawings
Fig. 1 shows the remote authentication process for the dynamic execution environment;
Fig. 2 shows the trusted startup process of the SMI;
Fig. 3 shows the process by which the remote authentication result is returned.
Detailed description of the invention
The invention is further described below with reference to the drawings and embodiments.
A remote authentication method for a cleanroom trusted virtual machine monitor, as shown in Fig. 1, comprises the following steps:
Step 1: install on the target node out-of-band channel software that can remotely trigger a System Management Interrupt (SMI); using this out-of-band channel, the Intelligent Platform Management Interface (IPMI) and the Baseboard Management Controller (BMC), the user communicates with the virtual machine monitor;
An example of out-of-band channel software that can remotely trigger the system management interrupt is IBM BladeCenter. With this software the authenticator can conveniently trigger the system management interrupt remotely and run the authentication handler, thereby carrying out the authentication step.
The system management interrupt is a CPU execution mode of the x86 architecture;
IPMI is an open-standard hardware management interface specification, and IPMI messages are exchanged through the baseboard management controller;
To prevent a malicious remote authentication side from using this SMI-triggering mechanism to cause damage, the method monitors and filters the type of the triggered system interrupt in step 2.
Step 2: store the types of the SMI calls in the CR3 control register, which cannot be tampered with by software, and use a general-purpose input port routing table to record the interrupt type produced by each general-purpose input port; this guarantees that only the general-purpose input port connected to the baseboard management controller (BMC) can trigger an SMI.
Because the VMM is able to trigger an SMI, it could forge measurements by issuing its own calls and hide the original SMI call, even removing "attack traces". Managing the system management interrupt types through the tamper-proof control register prevents "illegal" system management interrupts from executing and damaging the integrity and authenticity of the system.
Step 3: install the virtual machine monitor on a trusted computing platform based on a conventional BIOS; use the SHA-1 engine in the underlying TPM to compute the hash value of the complete, genuine data and code of the integrity measurement agent inside the virtual machine monitor on the target platform, and persist this hash value in the TPM's non-volatile storage.
Using this virtual machine monitor, the remote user can make use of the Dynamic Manager (DM) formed by its integrity measurement agent and the SMI handler, call the DM remotely through the IPMI and BMC out-of-band channel software, and so perform dynamic integrity measurement of the running VMM;
The computed hash value of the complete and genuine data and code of the integrity measurement agent inside the virtual machine monitor guarantees the integrity of the agent while it performs integrity measurement, which makes the integrity measurement agent the trusted base for steps 4 and 6.
Step 4: the trusted platform module computes the hash value of the complete, genuine data and code of the virtual machine monitor and persists this hash value in the TPM's non-volatile storage.
To guarantee the isolation of the measurement agent, that is, to prevent it from being tampered with or destroyed by the virtual machine monitor, the integrity and authenticity of the measurement agent must be guaranteed first. Step 2 is therefore carried out before step 3;
The computed SHA-1 value of the complete and genuine data and code of the virtual machine monitor serves as the critical data guaranteeing the integrity of the measurement environment information.
Step 5: during system startup, use the RSA public key algorithm to generate a public/private key pair for the platform; before the system locks SMRAM, place the private key in SMRAM and place the public key in the fixed Platform Configuration Register (PCR) of the Trusted Platform Module (TPM);
This step guarantees the authenticity of the remote authentication result by means of a digital signature algorithm, and is the preparation for step 9 (the actual remote authentication).
Step 6: the core root of trust for measurement in the TPM performs integrity measurement of the initial boot modules and stores the measurement results, realizing the trusted startup of the SMI handler.
Measurement starts with the complete self-check of the Core Root of Trust for Measurement (CRTM) in the BIOS and of the executable code, and continues until every component of the startup process has been measured, forming a measurement chain of trust.
The detailed process of the chain of trust is: the SHA-1 value of the BIOS and of the core root of trust for measurement is compared with the previously stored SHA-1 reference value taken when the platform was genuine and intact. If the measured value equals the reference value, the platform is allowed to run, the measured value is placed in the Platform Configuration Register (PCR) and the measurement log is stored; otherwise the TPM restores and restarts the platform, or halts its operation. After the BIOS and the core root of trust for measurement have been measured, the same operation is applied to the startup code, and finally the synchronous dynamic random access memory (SDRAM) is measured.
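The measure-compare-extend loop of the chain of trust, as described here and in step 2.2 of the summary, modelled in Go. This is an added example, not code from the patent: component contents and reference values are constructed, one PCR stands in for the TPM's register bank, and a mismatching OS loader halts the chain as the text says the TPM would halt the platform. ReplayLog shows what a verifier does with the stored measurement log.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Component is one stage of the boot chain; each is measured before it runs.
type Component struct {
	Name string
	Code []byte // constructed stand-in for the component's code and data
}

// LogEntry is one record of the stored measurement log.
type LogEntry struct {
	Name   string
	Digest [sha1.Size]byte
}

// Platform models one TPM PCR together with its measurement log.
type Platform struct {
	PCR [sha1.Size]byte // all-zero at platform reset
	Log []LogEntry
}

// extend is the TPM extend operation: PCR' = SHA-1(PCR || digest). Because the
// previous value is hashed in, no later component can set the PCR to a chosen value.
func extend(pcr, digest [sha1.Size]byte) [sha1.Size]byte {
	return sha1.Sum(append(pcr[:], digest[:]...))
}

// BootChain measures each component in order, compares the SHA-1 value with the
// reference recorded while the platform was known-good, and on a match extends
// the digest into the PCR and appends it to the log. On a mismatch the chain
// stops, standing in for the TPM halting or restarting the platform.
func BootChain(chain []Component, reference map[string][sha1.Size]byte) (*Platform, error) {
	p := &Platform{}
	for _, c := range chain {
		digest := sha1.Sum(c.Code)
		if ref, ok := reference[c.Name]; !ok || digest != ref {
			return p, fmt.Errorf("%s: measurement %s differs from reference; platform halted",
				c.Name, hex.EncodeToString(digest[:]))
		}
		p.PCR = extend(p.PCR, digest)
		p.Log = append(p.Log, LogEntry{Name: c.Name, Digest: digest})
	}
	return p, nil
}

// ReplayLog recomputes the PCR from the log alone. A remote verifier uses this
// to check that a reported log is consistent with the quoted PCR: a log edited
// after the fact no longer replays to the same value.
func ReplayLog(log []LogEntry) [sha1.Size]byte {
	var pcr [sha1.Size]byte
	for _, e := range log {
		pcr = extend(pcr, e.Digest)
	}
	return pcr
}

// ConstructedChain is sample input standing in for the components the page
// names (BIOS, hardware, option ROM, OS loader, OS kernel).
func ConstructedChain() []Component {
	return []Component{
		{"BIOS", []byte("constructed bios image")},
		{"hardware", []byte("constructed hardware configuration")},
		{"optionROM", []byte("constructed option rom image")},
		{"OSloader", []byte("constructed os loader image")},
		{"OSkernel", []byte("constructed os kernel image")},
	}
}

// ReferenceValues derives the reference table from a known-good chain, as it
// would be recorded during initial setup.
func ReferenceValues(chain []Component) map[string][sha1.Size]byte {
	ref := make(map[string][sha1.Size]byte, len(chain))
	for _, c := range chain {
		ref[c.Name] = sha1.Sum(c.Code)
	}
	return ref
}

func main() {
	ref := ReferenceValues(ConstructedChain())
	good, err := BootChain(ConstructedChain(), ref)
	fmt.Println("known-good chain:", err, "| log replays to PCR:", ReplayLog(good.Log) == good.PCR)

	// A patched OS loader no longer matches its reference, so the kernel is never reached.
	tampered := ConstructedChain()
	tampered[3].Code = []byte("constructed os loader image with a patch")
	partial, err := BootChain(tampered, ref)
	fmt.Println("tampered chain:", err, "| components logged:", len(partial.Log))
}
```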
Step 7: the interrupt-abort mechanism guarantees that once an interrupt or exception occurs during measurement, the measurement control flow goes directly to the SMI handler;
This guarantees that the verification process, once started, cannot be interrupted or tampered with, and thus guarantees the atomicity of the measurement process.
Step 8: use the fallback technique: inject an instruction that causes the virtual machine to exit unconditionally, forcing the CPU core from the user virtual machine into the VMM. The VMM can neither detect nor control the whole process;
The fallback procedure is as follows: save the values of all registers, together with the next instruction and its address; inject a privileged instruction in place of the next instruction; set a performance counter register to overflow once a single event has been counted; and modify the Local Advanced Programmable Interrupt Controller (LAPIC) so that the performance counter overflow raises an SMI. This process guarantees the integrity of the measurement environment information;
Step 9: the remote authentication client sends a request and a random number to the authentication proxy, and the authentication proxy forwards the received random number to the Trusted Platform Module (TPM) and to the system management interrupt (SMI) handler respectively. The TPM and the SMI handler in the verification agent each produce a different signature value based on this random number: the first is the measurement environment output, signed with the TPM private key; the second is the measurement result, signed with the SMI handler's private key. The authenticity of the result can then be determined by comparing the signatures.
The TPM and the SMI handler each sign their "message" with the private key placed in SMRAM and send it back to the authentication proxy. The authentication proxy authenticates the two signed "messages" it receives and returns the result to the remote authentication side;
The "message" the TPM sends to the authentication proxy is: K_AIK^-1{ static measurement | SMI handler | K_SMI | random number };
The "message" the SMI handler sends to the authentication proxy is: K_SMI^-1{ virtual machine monitor measurement | measurement agent | random number };
The authentication proxy verifies the signatures sent by the TPM and the system interrupt handler with the public keys it holds, which confirms the authenticity of the authentication result. The authentication proxy then returns the authentication result to the remote authentication side.
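The two signed messages of step 9 and the proxy's verification, as an added Go example that is not the patent's own code. The message layouts follow the notation just above: the TPM signs with K_AIK and the SMI handler with K_SMI (the claims say both sign with the key kept in SMRAM; the notation is followed here). RSA-PSS over SHA-256, the length-prefixed field encoding, the constructed measurement values and the extra check that K_SMI inside the TPM quote equals the key read from the PCR are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Platform is the target node's signing side: the TPM's AIK, the K_SMI pair whose private half lives in SMRAM, and constructed measurements.
type Platform struct {
	AIK, SMI                                            *rsa.PrivateKey
	StaticPCR, SMIHandlerDigest, VMMDigest, AgentDigest []byte
}

// TPMQuote is K_AIK^-1{ static measurement | SMI handler | K_SMI | nonce }.
type TPMQuote struct {
	StaticPCR, SMIHandlerDigest, SMIPubKey, Nonce, Signature []byte
}

// SMIReport is K_SMI^-1{ VMM measurement | measurement agent | nonce }.
type SMIReport struct {
	VMMDigest, AgentDigest, Nonce, Signature []byte
}

// encode length-prefixes each field, so moving bytes between adjacent fields cannot
// produce the same signed string.
func encode(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		out = binary.BigEndian.AppendUint32(out, uint32(len(f)))
		out = append(out, f...)
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func sign(key *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil))
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// NewPlatform generates both key pairs (page step 5) with constructed measurement values.
func NewPlatform() *Platform {
	return &Platform{AIK: must(rsa.GenerateKey(rand.Reader, 2048)), SMI: must(rsa.GenerateKey(rand.Reader, 2048)),
		StaticPCR: []byte("constructed static PCR"), SMIHandlerDigest: []byte("constructed SMI handler digest"),
		VMMDigest: []byte("constructed VMM digest"), AgentDigest: []byte("constructed agent digest")}
}

// Attest produces the two signed messages for the attester's random number (page step 9).
func (p *Platform) Attest(nonce []byte) (TPMQuote, SMIReport) {
	kSMI := must(x509.MarshalPKIXPublicKey(&p.SMI.PublicKey)) // K_SMI, as stored in the fixed PCR
	q := TPMQuote{StaticPCR: p.StaticPCR, SMIHandlerDigest: p.SMIHandlerDigest, SMIPubKey: kSMI, Nonce: nonce}
	q.Signature = sign(p.AIK, encode(q.StaticPCR, q.SMIHandlerDigest, q.SMIPubKey, q.Nonce))
	r := SMIReport{VMMDigest: p.VMMDigest, AgentDigest: p.AgentDigest, Nonce: nonce}
	r.Signature = sign(p.SMI, encode(r.VMMDigest, r.AgentDigest, r.Nonce))
	return q, r
}

// ProxyVerify is the authentication proxy's check: both messages must carry the nonce
// issued for this request, both signatures must verify with the keys the proxy holds, and
// K_SMI inside the TPM-signed quote must equal the key read from the PCR (report binding).
func ProxyVerify(aikPub, smiPubFromPCR *rsa.PublicKey, nonce []byte, q TPMQuote, r SMIReport) error {
	if !bytes.Equal(q.Nonce, nonce) || !bytes.Equal(r.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed result")
	}
	if !verify(aikPub, encode(q.StaticPCR, q.SMIHandlerDigest, q.SMIPubKey, q.Nonce), q.Signature) {
		return errors.New("TPM signature does not verify")
	}
	if !bytes.Equal(q.SMIPubKey, must(x509.MarshalPKIXPublicKey(smiPubFromPCR))) {
		return errors.New("K_SMI in the TPM quote differs from the key stored in the PCR")
	}
	if !verify(smiPubFromPCR, encode(r.VMMDigest, r.AgentDigest, r.Nonce), r.Signature) {
		return errors.New("SMI handler signature does not verify")
	}
	return nil
}

func main() {
	p, nonce := NewPlatform(), []byte("constructed random number from the attester")
	q, r := p.Attest(nonce)
	fmt.Println("proxy verification:", ProxyVerify(&p.AIK.PublicKey, &p.SMI.PublicKey, nonce, q, r))
}
```

A nil result from ProxyVerify is what the proxy forwards to the remote authentication end as a genuine, fresh result; any non-nil error means the report must be rejected.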
A remote authentication system for a cleanroom trusted virtual machine monitor comprises a trusted platform module, a remote authentication end, IPMI, a baseboard management controller, an SMI handler, a virtual machine monitor, a user virtual machine and an authentication proxy module;
A measurement agent module is provided inside the virtual machine monitor, and the remote authentication end is connected to the authentication proxy module through IPMI;
The SMI handler and the baseboard management controller are both connected to the authentication proxy module;
The measurement agent module and the baseboard management controller are both connected to the SMI handler;
The trusted platform module is connected to the virtual machine monitor.
Claims (5)
1. the remote authentication method of a clean room credible virtual monitor unit, it is characterised in that comprise the following steps:
Step 1: Initialize installation;
Step 1.1: installing on destination node to be monitored can the band channel software of Remote triggering system management interrupt processor SMI, the system management interrupt processor SMI type identification memory space called is configured simultaneously, and the SHA1 value of system management interrupt processor code and data is stored in the middle of the non-volatile tamper-resistant storage in credible platform module TPM;
The type identification that described system management interrupt processor SMI calls is stored in CR3 and controls in depositor;
Step 1.2: based on installing monitor of virtual machine on the credible calculating platform of traditional B IOS;
Step 1.3: increase measurement agent module in the middle of monitor of virtual machine, and the data of measurement agent module and the cryptographic Hash of code of increase are saved in the middle of the non-volatile tamper-resistant storage in credible platform module TPM, and described measurement agent module adopts fallback mechanism and aborted mechanism;
Step 1.4: utilize the measurement agent module of the increase in virtual machine watch-dog to calculate the hash function value of data and code in described monitor of virtual machine, and this hash function value is stored in the middle of the non-volatile tamper-resistant storage in credible platform module TPM;
Step 1.5: install a remote authentication proxy module in the system of destination node, the data of remote authentication proxy module and the cryptographic Hash of code are saved in the middle of the non-volatile tamper-resistant storage in credible platform module TPM simultaneously;
Step 2: trusted boot of the target node system;
Step 2.1: start the target node's system BIOS, using the non-rewritable BIOS code segment that conforms to the TCG specification as the starting point;
Step 2.2: boot the target node system in a trusted manner through the transitive trust mechanism, rooted in the TPM;
Step 2.3: generate a public/private key pair with the RSA algorithm in the TPM; before the target node system locks system management RAM (SMRAM), store the private key in SMRAM and the public key in a static platform configuration register (PCR) of the TPM;
Step 2.4: verify the integrity of the remote authentication agent;
Compute the SHA1 value of the remote authentication agent's data and code with the SHA1 engine in the TPM and compare it with the SHA1 value of the agent's data and code stored in the TPM's non-volatile memory in Step 1.5; if they match, the remote authentication agent is intact and the process proceeds to Step 2.5; otherwise, send an authentication environment integrity failure report to the remote authentication end, reset the remote authentication agent, and repeat the verification of Step 2.4;
Step 2.5: verify the integrity of the measurement agent in the virtual machine monitor and of the SMI handler;
If integrity verification passes, proceed to Step 2.6;
If integrity verification fails, proceed to Step 5;
Step 2.6: wait for a remote authentication interrupt; when the interrupt signal arrives, the measurement agent module installed in the virtual machine monitor in Step 1.3 measures the dynamic integrity of the target node system and sends the measurement result to the remote authentication end;
Step 3: the remote authentication user sends an authentication request, together with a random number, to the authentication agent module in the target node;
Step 4: generate the TPM private key signature and the SMI private key signature;
The authentication agent module in the target node forwards the received random number to the TPM and to the SMI handler respectively; the TPM and the SMI handler each sign the received random number with the private key stored in SMRAM, and once the TPM private key signature and the SMI private key signature have been generated, the signatures are sent to the authentication agent module;
Step 5: the authentication agent module verifies the received TPM private key signature and SMI private key signature with the public key it holds, and sends the verification result to the remote authentication end;
At the same time, the results of Steps 2.4, 2.5 and 2.6 from the target node's boot process are signed with the private key stored in SMRAM and returned to the remote authentication user of Step 3; when the authentication process completes, the authentication result is obtained.
The remote authentication end thus obtains both the result of verifying the integrity of the measurement environment and the result of the dynamic measurement of the target node at run time.
2. The method according to claim 1, characterized in that the out-of-band channel software installed in Step 1.1, which can remotely trigger the SMI handler, is the means by which the remote authentication side generates the interrupt.
3. The method according to claim 1 or 2, characterized in that when the measurement agent module encounters an interrupt or an exception while a measurement is executing, the measurement control flow passes directly to the SMI handler.
4. The method according to claim 3, characterized in that the trust chain proceeds as follows: the SHA-1 values of the BIOS and of the root of trust for measurement are compared with the previously stored SHA-1 reference values taken in a known-good, intact state:
If the measured value equals the reference value, the platform is allowed to run and the measured value is recorded in a platform configuration register (PCR) together with a measurement log; otherwise, the TPM restores and restarts, or interrupts, platform operation;
After the BIOS and the root of trust for measurement have been measured, the same operation is performed on the boot code, and finally the synchronous dynamic random access memory is measured.
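Steps 2.4 and 2.5 of claim 1 and the trust chain of claim 4 reduce to the same compare-then-extend loop. The following Python is an added illustration, not code from the patent: it simulates the TPM's non-volatile reference store, one PCR and the measurement log with SHA-1 from hashlib, and constructed byte strings stand in for the agent, measurement agent and SMI handler images; `verify_auth_agent` models the Step 2.4 reset-and-retry path and `trusted_boot` the ordered check that aborts on the first mismatch.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample images; the patent keeps their SHA-1 reference values in
# TPM non-volatile tamper-resistant storage (setup steps 1.1-1.5).
AUTH_AGENT = b"remote-attestation-agent v1 (constructed sample)"
MEAS_AGENT = b"measurement-agent v1 (constructed sample)"
SMI_HANDLER = b"smi-handler v1 (constructed sample)"

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

@dataclass
class SimTPM:
    """Stand-in for the TPM pieces the claims use: NV store, one PCR, log."""
    nv: dict = field(default_factory=dict)
    pcr: bytes = b"\x00" * 20
    log: list = field(default_factory=list)

    def extend(self, name: str, measurement: bytes) -> None:
        # TCG-style extend: PCR_new = SHA1(PCR_old || measurement)
        self.pcr = sha1(self.pcr + measurement)
        self.log.append((name, measurement.hex()))

    def check(self, name: str, image: bytes) -> bool:
        # Step 2.4 / claim 4: the fresh SHA-1 must equal the stored reference;
        # only a matching measurement is extended into the PCR and logged.
        measurement = sha1(image)
        if measurement != self.nv.get(name):
            return False
        self.extend(name, measurement)
        return True

def provision(tpm: SimTPM, images: dict) -> None:
    # Setup phase: record the known-good SHA-1 of every component.
    for name, image in images.items():
        tpm.nv[name] = sha1(image)

def verify_auth_agent(tpm: SimTPM, image: bytes, reset, attempts: int = 3) -> bool:
    """Step 2.4 retry loop: on mismatch report, reset the agent, verify again."""
    for _ in range(attempts):
        if tpm.check("auth_agent", image):
            return True
        image = reset()  # reload a pristine agent image (hypothetical hook)
    return False

def trusted_boot(tpm: SimTPM, loaded: dict):
    """Steps 2.4-2.5: verify in order; the first mismatch aborts (go to step 5)."""
    for name in ("auth_agent", "measurement_agent", "smi_handler"):
        if not tpm.check(name, loaded[name]):
            return False, name
    return True, None
```

A real deployment would compare against a PCR quote signed by the TPM rather than trusting the in-memory `pcr` field; the simulation only shows why an unmatched component never reaches the log.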
5. A remote authentication system for a cleanroom trusted virtual machine monitor, characterized in that it comprises a trusted platform module, a remote authentication end, IPMI, a baseboard management controller, an SMI handler, a virtual machine monitor, a user virtual machine and an authentication agent module;
A measurement agent module is provided in the virtual machine monitor, and the remote authentication end is connected to the authentication agent module through IPMI;
The SMI handler and the baseboard management controller are both connected to the authentication agent module;
The measurement agent module and the baseboard management controller are both connected to the SMI handler;
The trusted platform module is connected to the virtual machine monitor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610096110.1A CN105786588A (en) | 2016-02-22 | 2016-02-22 | Remote authentication method for cleanroom trusted virtual machine monitor |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105786588A true CN105786588A (en) | 2016-07-20 |
Family
ID=56403458
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610096110.1A Pending CN105786588A (en) | 2016-02-22 | 2016-02-22 | Remote authentication method for cleanroom trusted virtual machine monitor |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105786588A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110278127A (en) * | 2019-07-02 | 2019-09-24 | 成都安恒信息技术有限公司 | A kind of Agent dispositions method and system based on secure transfer protocol |
CN110383277A (en) * | 2017-03-07 | 2019-10-25 | 华为技术有限公司 | Virtual machine monitor measurement agent |
CN112422478A (en) * | 2019-08-21 | 2021-02-26 | 烽火通信科技股份有限公司 | Virtual machine security authentication method and system |
CN113141612A (en) * | 2021-04-16 | 2021-07-20 | 中国科学院信息工程研究所 | High-reliability management and control method and system for mobile terminal |
CN113407299A (en) * | 2021-05-14 | 2021-09-17 | 海光信息技术股份有限公司 | Method and device for preventing malicious rollback of virtual machine and electronic equipment |
CN116089967A (en) * | 2022-05-12 | 2023-05-09 | 荣耀终端有限公司 | Data rollback prevention method and electronic equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101025770A (en) * | 2006-02-20 | 2007-08-29 | 联想(北京)有限公司 | Method for starting protected partition |
CN101165696A (en) * | 2006-10-16 | 2008-04-23 | 中国长城计算机深圳股份有限公司 | Safety identification method based on safe computer |
CN101488175A (en) * | 2009-02-10 | 2009-07-22 | 北京交通大学 | Method for preventing credible client virtual domain starting crash based on polling mechanism |
Non-Patent Citations (1)
Title |
---|
AHMED M. AZAB 等: "HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity", 《17TH ACM CONFERENCE ON COMPUTER AND COMMUNICATION SECURITY(CCS)》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110383277B (en) * | 2017-03-07 | 2021-09-14 | 华为技术有限公司 | Virtual machine monitor measurement proxy |
CN110383277A (en) * | 2017-03-07 | 2019-10-25 | 华为技术有限公司 | Virtual machine monitor measurement agent |
US11126706B2 (en) | 2017-03-07 | 2021-09-21 | Huawei Technologies Co., Ltd. | Hypervisor measurement agent |
CN110278127B (en) * | 2019-07-02 | 2020-12-01 | 成都安恒信息技术有限公司 | Agent deployment method and system based on secure transmission protocol |
CN110278127A (en) * | 2019-07-02 | 2019-09-24 | 成都安恒信息技术有限公司 | A kind of Agent dispositions method and system based on secure transfer protocol |
CN112422478B (en) * | 2019-08-21 | 2022-10-21 | 烽火通信科技股份有限公司 | Virtual machine security authentication method and system |
CN112422478A (en) * | 2019-08-21 | 2021-02-26 | 烽火通信科技股份有限公司 | Virtual machine security authentication method and system |
CN113141612A (en) * | 2021-04-16 | 2021-07-20 | 中国科学院信息工程研究所 | High-reliability management and control method and system for mobile terminal |
CN113141612B (en) * | 2021-04-16 | 2022-09-16 | 中国科学院信息工程研究所 | High-reliability management and control method and system for mobile terminal |
CN113407299A (en) * | 2021-05-14 | 2021-09-17 | 海光信息技术股份有限公司 | Method and device for preventing malicious rollback of virtual machine and electronic equipment |
CN113407299B (en) * | 2021-05-14 | 2023-08-29 | 海光信息技术股份有限公司 | Method and device for preventing virtual machine from maliciously rolling back and electronic equipment |
CN116089967A (en) * | 2022-05-12 | 2023-05-09 | 荣耀终端有限公司 | Data rollback prevention method and electronic equipment |
CN116089967B (en) * | 2022-05-12 | 2024-03-26 | 荣耀终端有限公司 | Data rollback prevention method and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160720 |