CN105786588A - Remote authentication method for cleanroom trusted virtual machine monitor - Google Patents


Info

Publication number: CN105786588A
Application number: CN201610096110.1A
Authority: CN (China)
Legal status: Pending (the legal status shown by Google Patents is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 王国军, 朱小玉, 舒扬, 郑瑾
Applicant / original assignee: Central South University
Current assignee: Central South University (assignee lists on Google Patents may be inaccurate)


Classifications

    • G06F9/45533 Hypervisors; virtual machine monitors (under G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation)
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F2221/2113 Multi-level security, e.g. mandatory access control


Abstract

The invention provides a remote attestation method for a cleanroom trusted virtual machine monitor (TVMM). The method uses a fallback technique: an instruction that causes an unconditional VM exit is injected, so that the CPU core is forced out of the user's virtual machine and into the VMM. This guarantees that the measurement agent can measure the integrity of the VMM and prevents the VMM from forging or tampering with the attestation process. In the initialization step, the type identifiers of the calls serviced by the system management interrupt (SMI) handler are stored in the CR3 control register; whenever an interrupt occurs, the interrupt handler first matches the generated interrupt type against the types stored in CR3, and if no match is found the interrupt is not allowed to run, which blocks malicious interrupts. Together these mechanisms guarantee covert measurement of the VMM, atomicity of the verification process, integrity of the measurement-environment information and authenticity of the measurement result.

Description

A remote attestation method for a cleanroom trusted virtual machine monitor
Technical field
The invention belongs to the field of computer science and technology, and in particular to a remote attestation method (rendered "remote authentication" in the title of this page) for a cleanroom trusted virtual machine monitor.
Background technology
As network technology grows richer, network attack techniques also become more varied, and trusted computing is an effective way to "immunize" a system against them. Cleanroom computing is a strategy, built on trusted computing, for guaranteeing computational security. The key technical point in realizing a cleanroom computing environment is building a trusted virtual machine monitor (TVMM) that combines trusted computing technology with virtualization technology. Building the TVMM at the centre of this security framework requires guaranteeing three things at once: the security of the VMM deployment process, the security of the VMM boot process, and the security of the VMM at run time. The hard part of building a cleanroom security framework is the last one: how to guarantee security while the VMM runs. Because the VMM is the software with the highest privilege level, a malicious VMM may intercept remote attestation, remove traces of an attack before verification executes, or tamper with the real verification result. This would let malicious programs do as they please, which is a serious security hazard. A remote attestation technique for a cleanroom TVMM is therefore needed to guarantee the run-time security of the VMM; this technique measures the integrity and trustworthiness of the running VMM through remote attestation.
Existing remote attestation methods rely only on the functional units of the Trusted Platform Module (TPM) chip: the SHA-1 engine, a series of Platform Configuration Registers (PCRs) that store SHA-1 values, and the RSA encryption/decryption function. They verify integrity and communication security by simple matching of SHA-1 values. Such methods cannot guarantee that remote attestation is neither intercepted nor tampered with, because the VMM has the highest privilege level and a malicious VMM can manipulate the attestation process at will. Without that guarantee there is no security, and trustworthiness is out of the question.
Summary of the invention
The invention provides a remote attestation method for a cleanroom trusted virtual machine monitor. The method performs a "covert" and "atomic" check of the integrity and trustworthiness of the running VMM, and thereby obtains a true, trustworthy and complete remote attestation result.
The remote attestation method for a cleanroom trusted virtual machine monitor comprises the following steps:
Step 1: Initialization;
Step 1.1: Install, on the target node to be monitored, out-of-band channel software that can remotely trigger the system management interrupt (SMI) handler; at the same time configure the storage space for the type identifiers of the calls serviced by the SMI handler, and store the SHA-1 value of the SMI handler's code and data in the non-volatile tamper-resistant storage of the Trusted Platform Module (TPM);
The type identifiers of the calls serviced by the SMI handler are stored in the CR3 control register;
Step 1.2: Install the virtual machine monitor on a trusted computing platform based on a conventional BIOS;
Step 1.3: Add a measurement agent module inside the virtual machine monitor, and save the hash values of the added measurement agent module's data and code in the non-volatile tamper-resistant storage of the TPM; the measurement agent module uses a fallback mechanism and an interrupt-abort mechanism;
The added measurement agent module dynamically measures the operating system and applications with the dynamic measurement method PRIMA; the measurement agent inside the VMM uses the fallback technique to guarantee that it measures the integrity of the VMM;
Step 1.4: Use the measurement agent module added to the VMM to compute the hash value of the VMM's data and code, and store this hash value in the non-volatile tamper-resistant storage of the TPM;
Step 1.5: Install a remote attestation agent module in the system of the target node, and at the same time save the hash values of the agent module's data and code in the non-volatile tamper-resistant storage of the TPM;
Step 2: Trusted boot of the target node system;
Step 2.1: Starting from a non-flashable (immutable) BIOS code segment that conforms to the TCG specification, start the system BIOS of the target node;
Step 2.2: Using the transitive trust mechanism, perform a trusted boot of the target node system based on the TPM;
The SHA-1 values of the BIOS and of the core root of trust for measurement are compared with the SHA-1 reference values stored in advance for the known-good state:
If the measured value equals the reference value, the target node system is allowed to run, the measured value is stored in a Platform Configuration Register (PCR) of the TPM and the measurement log is recorded; otherwise the TPM restores and restarts, or halts, the platform;
After the BIOS and the core root of trust for measurement have been measured, the hardware, option ROMs and OS loader are measured in the same way and the results are stored in the TPM; the OS loader then measures the OS kernel and reports it to the TPM. The TPM combines these measurements and reports the integrity state of the BIOS, hardware, option ROMs, OS loader and OS kernel to the OS. The chain is extended step by step, and if the integrity of any component is broken the system cannot boot normally. This process establishes a chain of trust, and the chain of trust guarantees the trustworthiness of the computing platform.
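The chain of trust in step 2.2 is the standard measure-compare-extend loop: each stage is hashed with SHA-1, compared with the golden value stored at initialization, and folded into a PCR by PCR_new = SHA-1(PCR_old || measurement). The following Python model, added here as an illustration and not part of the patent text, runs that loop over constructed stand-in images (the byte strings are placeholders, not real firmware) and shows the two checks a verifier actually performs: the boot halts at the first stage whose measurement differs from its reference, and a measurement log can be replayed to reproduce the final PCR value.

```python
import hashlib

# Constructed stand-ins for the components measured in step 2.2, in boot order.
BOOT_COMPONENTS = [
    ("CRTM",       b"constructed CRTM image"),
    ("BIOS",       b"constructed BIOS image"),
    ("option ROM", b"constructed option ROM image"),
    ("OS loader",  b"constructed OS loader image"),
    ("OS kernel",  b"constructed OS kernel image"),
]

PCR_SIZE = 20  # a SHA-1 PCR (TPM 1.2 style) is 20 bytes and resets to all zeros


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return sha1(pcr + measurement)


def reference_values(components):
    """Golden SHA-1 values, i.e. what initialization stores in TPM NV storage."""
    return {name: sha1(image) for name, image in components}


def measured_boot(components, references):
    """Measure every stage in order, compare with its reference, extend the PCR.

    Returns (ok, pcr, log, failed_stage). On the first mismatch the chain stops,
    which models the TPM halting or restarting the platform."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = sha1(image)
        log.append((name, digest))
        if digest != references[name]:
            return False, pcr, log, name
        pcr = pcr_extend(pcr, digest)
    return True, pcr, log, None


def replay_log(log) -> bytes:
    """Recompute the PCR from a measurement log; must equal the reported PCR."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def expected_pcr(references, order) -> bytes:
    """What a remote verifier computes from its own golden values and the boot order."""
    pcr = bytes(PCR_SIZE)
    for name in order:
        pcr = pcr_extend(pcr, references[name])
    return pcr


def tamper(components, stage, new_image):
    """Return a copy of the component list with one stage replaced (for testing)."""
    return [(n, new_image if n == stage else img) for n, img in components]


if __name__ == "__main__":
    refs = reference_values(BOOT_COMPONENTS)
    ok, pcr, log, failed = measured_boot(BOOT_COMPONENTS, refs)
    print("clean boot:", ok, pcr.hex())
    ok, pcr, log, failed = measured_boot(tamper(BOOT_COMPONENTS, "OS loader", b"bootkit"), refs)
    print("tampered boot halted at:", failed, "PCR so far:", pcr.hex())
```

Because every stage is folded into the same PCR, a verifier does not need the log to detect tampering: the final PCR alone differs from the expected value. The log matters when the verifier wants to know which stage changed, which is why both are reported.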
Step 2.3: Use the RSA public key algorithm in the TPM to generate a public/private key pair; before the target node system locks the system management RAM (SMRAM), place the private key in SMRAM and the public key in a static Platform Configuration Register (PCR) of the TPM;
This guarantees the security and trustworthiness of remote attestation.
Step 2.4: Verify the integrity of the remote attestation agent;
Use the SHA-1 engine in the TPM to compute the SHA-1 value of the remote attestation agent's data and code, and match it against the SHA-1 value of the agent's data and code stored in the TPM's non-volatile memory in initialization step 1.5. If they match, the remote attestation agent is intact and step 2.5 follows; otherwise, send an attestation-environment integrity failure report to the remote attester, reset the remote attestation agent, and verify again from step 2.4;
Step 2.5: Verify the integrity of the measurement agent inside the VMM and of the SMI handler;
If integrity verification passes, go to step 2.6;
If integrity verification fails, go to step 5;
Step 2.6: Wait for the remote attestation interrupt; when the interrupt signal arrives, use the measurement agent module added to the VMM in initialization step 1.3 to measure the dynamic system integrity of the target node, and send the measurement result to the remote attester;
Step 3: The remote attestation user sends an attestation request to the attestation agent module in the target node, together with a random number (nonce);
Step 4: Generate the TPM private-key signature and the SMI private-key signature;
The attestation agent module in the target node forwards the received random number to the TPM and to the SMI handler respectively; the TPM and the SMI handler each sign the received random number with the private keys placed in SMRAM, and after generating the TPM signature and the SMI signature they send the signatures to the attestation agent module;
Step 5: The attestation agent module verifies the received TPM signature and SMI signature with the public keys it holds, and sends the verification result to the remote attester;
At the same time, the results of steps 2.4, 2.5 and 2.6 of the target node's boot process are signed with the private key stored in SMRAM and returned to the remote attestation user of step 3; when the attestation process completes, the attestation result is obtained.
The remote attester thus obtains both the result of verifying the integrity of the measurement environment and the result of the dynamic measurement of the target node at run time.
The out-of-band channel software installed in initialization step 1.1, which can remotely trigger the SMI handler, is the means by which the remote attester generates the interrupt.
If an interrupt or exception occurs while the measurement agent module is executing a measurement, the measurement control flow is transferred directly to the SMI handler.
The detailed process of the chain of trust is: compare the SHA-1 values of the BIOS and of the core root of trust for measurement with the SHA-1 reference values stored in advance for the known-good state:
If the measured value equals the reference value, the platform is allowed to run, the measured value is stored in a Platform Configuration Register (PCR) and the measurement log is recorded; otherwise the TPM restores and restarts, or halts, the platform;
After the BIOS and the core root of trust for measurement have been measured, the same operation is performed on the boot code, and finally the memory holding the SMI handler (SMRAM; the machine translation of this page renders it as "Synchronous Dynamic Random Access Memory") is measured.
To guarantee the covertness of the verification process, that is, that the VMM cannot detect it, a complete and authentic VMM context must be obtained, including the VMM's data and code and the CPU integrity state. The difficulty is the uncertainty of the CPU's operating mode. When the SMI arrives, the CPU may be in VMM (root) mode or in user virtual machine (non-root) mode. Only when the CPU is running in root mode can the measurement agent obtain complete measurement information by interrupting the CPU; when the CPU is running in non-root mode the measurement agent cannot obtain any measurement information. The project therefore adopts the fallback technique: by injecting an instruction that causes an unconditional VM exit, the CPU core is forced out of the user virtual machine and into the VMM. The VMM can neither detect nor control the whole process. This guarantees that the measurement agent can measure the integrity of the VMM, and prevents the VMM from forging or tampering with the verification process.
To guarantee the atomicity of the verification process, that is, that once started it cannot be interrupted or tampered with: in initialization step 1 the type identifiers of the calls serviced by the SMI handler are stored in the CR3 control register, and whenever an interrupt occurs, the interrupt handler first matches the generated interrupt type against the interrupt types stored in CR3. This interrupt-abort mechanism routes every interrupt that occurs during measurement to the SMI handler for interrupt-type matching. If the match succeeds, the interrupt type is "legal" and the interrupt is allowed to run; if the match fails, the interrupt is not allowed to run. This prevents "malicious" interrupts from running, so the verification process proceeds normally without being maliciously tampered with.
The fallback technique is adopted: by injecting an instruction that causes an unconditional VM exit, the CPU core is forced out of the user virtual machine and into the VMM. The VMM can neither detect nor control the whole process;
The fallback procedure is as follows: save the values of all registers, together with the next instruction and its address; inject a privileged instruction in place of the next instruction; set the performance counter register so that it overflows once a single event has been counted; modify the Local Advanced Programmable Interrupt Controller (LAPIC) so that the performance counter overflow causes an SMI. This process guarantees the integrity of the measurement-environment information;
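The two mechanisms just described, the interrupt-type allow-list checked on SMI entry and the fallback that bounces a core from non-root into root mode before measuring, are easiest to see as a small state machine. The Python model below is an added illustration, not the patent's code or any real SMM handler: the CPU, its two address spaces (the VMM's memory is only visible in root mode; in non-root mode the same read returns guest pages), the performance counter, the LAPIC routing flag and the SMI type identifier 0x21 are all constructed stand-ins. `CPUID` is used as the injected instruction because it unconditionally causes a VM exit under VMX; the allow-list field stands in for the list the patent keeps in CR3.

```python
import hashlib
from dataclasses import dataclass

ROOT, NON_ROOT = "root", "non-root"      # VMX root (VMM) vs. non-root (guest) operation
SMI_TYPE_ATTEST = 0x21                    # constructed identifier for the attestation SMI
PRIVILEGED_INSN = "CPUID"                 # always causes a VM exit in VMX non-root mode


@dataclass
class CPU:
    mode: str
    regs: dict
    next_insn: str
    next_addr: int
    vmm_image: bytes                      # memory reachable only in root mode
    guest_image: bytes                    # what the same read returns in non-root mode
    pmc_overflow_after: int = 0           # perf counter overflows after this many events
    lapic_pmc_to_smi: bool = False        # LAPIC LVT: deliver PMC overflow as SMI
    allowed_smi_types: frozenset = frozenset()   # stand-in for the list kept in CR3

    def visible_memory(self) -> bytes:
        return self.vmm_image if self.mode == ROOT else self.guest_image


def vmm_reference(vmm_image: bytes) -> bytes:
    """Golden value of the VMM image, as stored in TPM NV storage at step 1.4."""
    return hashlib.sha1(vmm_image).digest()


def configure_smi_types(cpu: CPU, types) -> None:
    """Initialization: record the legal SMI call types once, before the VMM runs."""
    cpu.allowed_smi_types = frozenset(types)


def naive_measure(cpu: CPU) -> bytes:
    """Hash whatever is visible right now; wrong in non-root mode (guest pages)."""
    return hashlib.sha1(cpu.visible_memory()).digest()


def resume_guest(cpu: CPU) -> bool:
    """RSM back to the guest, which retires one instruction. Returns True if that
    retirement overflows the counter and the LAPIC turns the overflow into an SMI."""
    if cpu.next_insn == PRIVILEGED_INSN:
        cpu.mode = ROOT                   # VM exit: the core now belongs to the VMM
    cpu.pmc_overflow_after -= 1
    return cpu.pmc_overflow_after == 0 and cpu.lapic_pmc_to_smi


def bounce_and_measure(cpu: CPU) -> bytes:
    """The fallback: save context, force a VM exit, re-enter SMM in root mode."""
    saved = (cpu.mode, dict(cpu.regs), cpu.next_insn, cpu.next_addr)
    cpu.next_insn = PRIVILEGED_INSN       # replace the guest's next instruction
    cpu.pmc_overflow_after = 1            # overflow as soon as one event retires
    cpu.lapic_pmc_to_smi = True           # ... and have that overflow raise an SMI
    if not resume_guest(cpu):
        raise RuntimeError("re-entry SMI was not delivered")
    digest = naive_measure(cpu)           # now in root mode: this is the VMM
    cpu.mode, cpu.regs, cpu.next_insn, cpu.next_addr = saved   # restore everything
    cpu.pmc_overflow_after, cpu.lapic_pmc_to_smi = 0, False
    return digest


def smi_handler(cpu: CPU, smi_type: int):
    """SMM entry point: type filter first, then measure (bouncing if needed).
    Returns the VMM digest, or None when the interrupt type is not allowed."""
    if smi_type not in cpu.allowed_smi_types:
        return None                       # "illegal" interrupt: not allowed to run
    if cpu.mode == ROOT:
        return naive_measure(cpu)
    return bounce_and_measure(cpu)
```

The point the model makes is in the contrast between `naive_measure` and `smi_handler` on a core that happens to be in non-root mode: the first returns a digest of guest memory that a verifier would reject (or, worse, that a VMM could arrange to look right), while the second takes the detour through a forced VM exit and returns the digest of the VMM image. Restoring the saved registers and next instruction afterwards is what keeps the detour invisible to the guest and the VMM.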
A remote attestation system for a cleanroom trusted virtual machine monitor comprises a Trusted Platform Module, a remote attester, IPMI, a Baseboard Management Controller, an SMI handler, a virtual machine monitor, a user virtual machine and an attestation agent module;
A measurement agent module is provided inside the virtual machine monitor, and the remote attester is connected to the attestation agent module through IPMI;
The SMI handler and the Baseboard Management Controller are both connected to the attestation agent module;
The measurement agent module and the Baseboard Management Controller are both connected to the SMI handler;
The Trusted Platform Module is connected to the virtual machine monitor.
Beneficial effects
The invention provides a remote attestation method for a cleanroom trusted virtual machine monitor. The method adopts the fallback technique: by injecting an instruction that causes an unconditional VM exit, the CPU core is forced out of the user virtual machine and into the VMM, and the VMM can neither detect nor control the whole process. This guarantees that the measurement agent can measure the integrity of the VMM, and prevents the VMM from forging or tampering with the verification process. In the initialization step, the type identifiers of the calls serviced by the SMI handler are stored in the CR3 control register; whenever an interrupt occurs, the interrupt handler first matches the generated interrupt type against the interrupt types stored in CR3. This interrupt-abort mechanism routes every interrupt that occurs during measurement to the SMI handler for interrupt-type matching: if the match succeeds, the interrupt type is "legal" and the interrupt is allowed to run; if the match fails, the interrupt is not allowed to run. This prevents "malicious" interrupts from running, so the verification process proceeds normally without being maliciously tampered with. The remote attestation process of the invention effectively solves the trustworthiness problem of the running VMM, and fully guarantees covert measurement of the VMM, atomicity of the verification process, integrity of the measurement-environment information and authenticity of the measurement result.
Description of the drawings
Fig. 1 is the process of remote attestation of the dynamic execution environment;
Fig. 2 is the process of the trusted boot of the SMI handler;
Fig. 3 is the process of returning the remote attestation result.
Detailed description of the invention
The invention is further described below with reference to the drawings and embodiments.
A remote attestation method for a cleanroom trusted virtual machine monitor, as shown in Fig. 1, comprises the following steps:
Step 1: Install on the target node out-of-band channel software that can remotely trigger a System Management Interrupt (SMI); through this out-of-band channel, the Intelligent Platform Management Interface (IPMI) and the Baseboard Management Controller (BMC), the user communicates with the virtual machine monitor;
The out-of-band channel software that can remotely trigger an SMI may be, for example, IBM BladeCenter. With this software the attester can conveniently trigger an SMI remotely, so that the attestation steps run the attestation process.
The system management interrupt switches the CPU into an execution mode of the x86 architecture (system management mode);
IPMI is an open-standard hardware management interface specification; IPMI messages are exchanged through the Baseboard Management Controller;
To prevent a malicious remote attester from using this SMI-triggering mechanism to cause damage, the method monitors and filters the triggered interrupt type in step 2.
Step 2: Store the types of the calls serviced by the SMI handler in the CR3 control register, which software cannot tamper with, and use a general-purpose input port routing table to record the interrupt type generated by each general-purpose input port; this ensures that only the general-purpose input port connected to the BMC can trigger an SMI.
Because the VMM is able to trigger SMIs, it could conceal the original SMI call by issuing a forged measurement call, or even remove "attack traces". However, by storing the system management interrupt types in the tamper-proof control register, an "illegal" SMI is prevented from executing and destroying system integrity and authenticity.
Step 3: Install the virtual machine monitor on a trusted computing platform based on a conventional BIOS; compute, with the SHA-1 engine in the underlying TPM, the hash value of the complete and authentic data and code of the integrity measurement agent inside the VMM on the target platform, and persist this hash value in the TPM's non-volatile storage.
With this VMM, the remote user can use the Dynamics Manager (DM), composed of the integrity measurement agent and the SMI handler, and the out-of-band channel software based on IPMI and BMC, to call the DM remotely and so achieve dynamic integrity measurement of the running VMM;
The computed hash value of the complete and authentic data and code of the integrity measurement agent inside the VMM guarantees the integrity of the measurement agent when it performs measurements, so that the measurement agent becomes the trusted base of step 4 and step 6.
Step 4: The Trusted Platform Module computes the hash value of the complete and authentic data and code of the virtual machine monitor, and persists this hash value in the TPM's non-volatile storage.
To guarantee the isolation of the measurement agent, that is, to prevent it from being tampered with or destroyed by the virtual machine monitor, the integrity and authenticity of the measurement agent must be guaranteed first. Step 2 is therefore performed before step 3;
The computed SHA-1 value of the complete and authentic data and code of the virtual machine monitor serves as the key data for guaranteeing the integrity of the measurement-environment information.
Step 5: During system boot, use the RSA public key algorithm to generate a public/private key pair for the platform; before the system locks SMRAM, place the private key in SMRAM and the public key in a static Platform Configuration Register (PCR) of the Trusted Platform Module (TPM);
This step guarantees the authenticity of the remote attestation result through a digital signature algorithm. It is the preparation for step 9 (the actual remote attestation).
Step 6: The core root of trust for measurement in the TPM performs integrity measurement of the initial boot module and stores the measurement result, achieving the trusted boot of the SMI handler.
Starting from the self-check of the Core Root of Trust for Measurement (CRTM) in the BIOS and its executable code, every component of the boot process is measured in turn, forming a measurement chain of trust.
The detailed process of the chain of trust is: compare the SHA-1 values of the BIOS and of the core root of trust for measurement with the SHA-1 reference values stored in advance for the known-good state. If the measured value equals the reference value, the platform is allowed to run, the measured value is stored in a Platform Configuration Register (PCR) and the measurement log is recorded; otherwise the TPM restores and restarts, or halts, the platform. After the BIOS and the core root of trust for measurement have been measured, the same operation is performed on the boot code, and finally the memory holding the SMI handler (SMRAM) is measured.
Step 7: The interrupt-abort mechanism guarantees that once an interrupt or exception occurs during measurement, the measurement control flow goes directly to the SMI handler;
This guarantees that the verification process, once started, cannot be interrupted or tampered with, and thereby guarantees the atomicity of the measurement process.
Step 8: Adopt the fallback technique: by injecting an instruction that causes an unconditional VM exit, force the CPU core out of the user virtual machine and into the VMM. The VMM can neither detect nor control the whole process;
The fallback procedure is as follows: save the values of all registers, together with the next instruction and its address; inject a privileged instruction in place of the next instruction; set the performance counter register so that it overflows once a single event has been counted; modify the Local Advanced Programmable Interrupt Controller (LAPIC) so that the performance counter overflow causes an SMI. This process guarantees the integrity of the measurement-environment information;
Step 9: The remote attestation client sends a request and a random number to the attestation agent, and the attestation agent forwards the received random number to the Trusted Platform Module (TPM) and to the SMI handler respectively. The TPM and the SMI handler each produce a different signature value based on this random number: the first is the output of the measurement environment, signed with the TPM private key; the second is the measurement result, signed with the private key of the SMI handler. The authenticity of the result is then determined by checking the signatures.
The TPM and the SMI handler each sign their "message" with the private key stored in SMRAM and send it back to the attestation agent. The attestation agent authenticates the two signed "messages" it receives and returns the result to the remote attester;
The "message" the TPM sends to the attestation agent is: K_AIK^-1{ static measurements | SMI handler | K_SMI | random number };
The "message" the SMI handler sends to the attestation agent is: K_SMI^-1{ VMM measurement | measurement agent | random number };
The attestation agent verifies, with the public keys it holds, the signatures sent by the TPM and the SMI handler, and thereby confirms the authenticity of the attestation result. The agent then returns the attestation result to the remote attester.
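The two "messages" of step 9 form one challenge-response round, and their structure carries the security argument: the AIK-signed TPM quote binds K_SMI to the static boot measurements, so the verifier only accepts an SMI-signed run-time measurement under a key the TPM has vouched for, and the nonce in both messages ties them to this request. The Python model below is an added example, not the patent's code: the keys are textbook RSA on small fixed primes (illustration only, no padding, not secure), the measurements are constructed byte strings, and the checking is written as a standalone `Verifier` class (the patent has the attestation agent perform this check and forward the result). It covers the rejection paths the text implies but does not spell out: a replayed response, a tampered VMM measurement, and an SMI message signed by a key other than the one the TPM quote carries.

```python
import hashlib
import math


def toy_rsa_keypair(p: int, q: int):
    """Textbook RSA on two small primes. Illustration only: tiny modulus, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (e, n), (pow(e, -1, phi), n)            # (public, private)


def digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(digest_int(message, n), d, n)


def verify(pub, message: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest_int(message, n)


def encode(*fields: bytes) -> bytes:
    """Length-prefixed fields, so 'a|bc' and 'ab|c' cannot collide."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def decode(blob: bytes):
    fields, i = [], 0
    while i < len(blob):
        ln = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + ln])
        i += 2 + ln
    return fields


def pub_to_bytes(pub) -> bytes:
    e, n = pub
    return encode(e.to_bytes(4, "big"), n.to_bytes(8, "big"))


def pub_from_bytes(blob: bytes):
    e_b, n_b = decode(blob)
    return int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big")


# Constructed keys: the AIK lives in the TPM; K_SMI's private half is placed in
# SMRAM before the lock (step 2.3 / step 5) and its public half in a static PCR.
AIK_PUB, AIK_PRIV = toy_rsa_keypair(104729, 1299709)
SMI_PUB, SMI_PRIV = toy_rsa_keypair(65521, 15485863)

# Constructed golden measurements, standing in for the values stored in TPM NV storage.
GOLDEN = tuple(hashlib.sha1(x).digest() for x in
               (b"static boot PCR", b"SMI handler image", b"VMM image", b"measurement agent image"))


def tpm_quote(static_pcr: bytes, smi_handler_hash: bytes, nonce: bytes):
    """K_AIK^-1{ static measurements | SMI handler | K_SMI | random number }"""
    msg = encode(static_pcr, smi_handler_hash, pub_to_bytes(SMI_PUB), nonce)
    return msg, sign(AIK_PRIV, msg)


def smi_quote(vmm_hash: bytes, agent_hash: bytes, nonce: bytes, priv=SMI_PRIV):
    """K_SMI^-1{ VMM measurement | measurement agent | random number }"""
    msg = encode(vmm_hash, agent_hash, nonce)
    return msg, sign(priv, msg)


class Verifier:
    """Holds the AIK public key and the golden values; checks one attestation round."""

    def __init__(self, aik_pub, golden):
        self.aik_pub, self.golden, self.used = aik_pub, golden, set()

    def check(self, nonce: bytes, tpm_msg, tpm_sig, smi_msg, smi_sig) -> str:
        if nonce in self.used:                      # a response may answer one challenge only
            return "replay"
        self.used.add(nonce)
        if not verify(self.aik_pub, tpm_msg, tpm_sig):
            return "bad AIK signature"
        static_pcr, smi_hash, k_smi_blob, n1 = decode(tpm_msg)
        if n1 != nonce:
            return "nonce mismatch in TPM quote"
        # K_SMI is trusted only because the AIK-signed quote carries it.
        if not verify(pub_from_bytes(k_smi_blob), smi_msg, smi_sig):
            return "bad SMI signature"
        vmm_hash, agent_hash, n2 = decode(smi_msg)
        if n2 != nonce:
            return "nonce mismatch in SMI quote"
        if (static_pcr, smi_hash, vmm_hash, agent_hash) != self.golden:
            return "measurement mismatch"
        return "ok"
```

The order of the checks is deliberate: the AIK signature is verified before anything inside the TPM quote is used, and K_SMI is taken from that quote rather than from any value the target node could present on its own, so a VMM that generates its own key pair cannot substitute a run-time measurement it signed itself.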
A remote attestation system for a cleanroom trusted virtual machine monitor comprises a Trusted Platform Module, a remote attester, IPMI, a Baseboard Management Controller, an SMI handler, a virtual machine monitor, a user virtual machine and an attestation agent module;
A measurement agent module is provided inside the virtual machine monitor, and the remote attester is connected to the attestation agent module through IPMI;
The SMI handler and the Baseboard Management Controller are both connected to the attestation agent module;
The measurement agent module and the Baseboard Management Controller are both connected to the SMI handler;
The Trusted Platform Module is connected to the virtual machine monitor.

Claims (5)

1. A remote authentication method for a cleanroom trusted virtual machine monitor, characterised in that it comprises the following steps:
Step 1: initial installation;
Step 1.1: install on the target node to be monitored out-of-band channel software that can remotely trigger the system management interrupt (SMI) handler, configure the memory space that holds the type identifier of the SMI call, and store the SHA1 value of the SMI handler's code and data in the non-volatile tamper-resistant storage of the trusted platform module (TPM);
the type identifier of the SMI call is stored in the CR3 control register;
Step 1.2: install the virtual machine monitor on a trusted computing platform based on a conventional BIOS;
Step 1.3: add a measurement agent module to the virtual machine monitor and save the hash values of the added measurement agent module's data and code in the non-volatile tamper-resistant storage of the TPM; the measurement agent module uses a fallback mechanism and an abort mechanism;
Step 1.4: use the measurement agent module added to the virtual machine monitor to compute the hash function value of the data and code of the virtual machine monitor, and store this hash value in the non-volatile tamper-resistant storage of the TPM;
Step 1.5: install a remote authentication proxy module in the target node's system, and save the hash values of the remote authentication proxy module's data and code in the non-volatile tamper-resistant storage of the TPM;
Step 2: trusted start-up of the target node system;
Step 2.1: using the TCG-specification-compliant, non-flashable BIOS code segment as the starting point, start the system BIOS of the target node;
Step 2.2: using the transitive trust mechanism, start the target node system in a trusted manner based on the TPM;
Step 2.3: use the RSA public-key algorithm in the TPM to generate a public/private key pair; before the target node system locks the system management RAM (SMRAM), place the private key in SMRAM and the public key in a static platform configuration register (PCR) of the TPM;
Step 2.4: verify the integrity of the remote authentication agent:
use the SHA1 function generator in the TPM to compute the SHA1 value of the remote authentication agent's data and code, and compare it with the SHA1 value of the agent's data and code stored in the TPM's non-volatile memory in step 1.5 of the initial installation; if they match, the remote authentication agent is intact and the method proceeds to step 2.5; otherwise, send an authentication-environment integrity failure report to the remote authentication end, reset the remote authentication agent, and repeat the verification of step 2.4;
Step 2.5: verify the integrity of the measurement agent in the virtual machine monitor and of the SMI handler;
if the integrity verification passes, proceed to step 2.6;
if the integrity verification fails, proceed to step 5;
Step 2.6: wait for the remote authentication interrupt; when the interrupt signal arrives, the measurement agent module added to the virtual machine monitor in step 1.3 measures the dynamic integrity of the target node system and sends the measurement result to the remote authentication end;
Step 3: the remote authentication user sends an authentication request to the authentication proxy module in the target node, together with a random number;
Step 4: generate the TPM private-key signature and the SMI private-key signature:
the authentication proxy module in the target node forwards the received random number to the TPM and to the SMI handler respectively; the TPM and the SMI handler each sign the received random number with the private key stored in SMRAM, and once the TPM private-key signature and the SMI private-key signature have been generated, the signatures are sent to the authentication proxy module;
Step 5: the authentication proxy module verifies the received TPM private-key signature and SMI private-key signature with the public key it carries, and sends the verification result to the remote authentication end;
at the same time, the results of steps 2.4, 2.5 and 2.6 of the target node's start-up process are signed with the private key stored in SMRAM and returned to the remote authentication user of step 3; when the authentication process completes, the authentication result is obtained.
The remote authentication end thereby obtains the result of verifying the integrity of the measurement environment and the result of the dynamic measurement of the running target node.
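The challenge/response of steps 3 to 5, together with the integrity checks of steps 2.4 to 2.6, as an added Go simulation that is not the patent's own code. Assumed stand-ins: a Go map for the TPM's non-volatile tamper-resistant storage, an rsa.PrivateKey for the private key placed in SMRAM in step 2.3, the verifier's own copy of the public key for the PCR, and one signature over the random number and the results in place of the separate TPM and SMI signatures, because the claim does not fix the format of the signed message. The component names and their "code" are constructed samples.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
)

// Added simulation, not the patent's code. Assumed stand-ins: a map for the TPM's non-volatile
// storage, an rsa.PrivateKey for the key placed in SMRAM (step 2.3), the verifier's copy of the
// public key for the PCR, and one signature over nonce+results instead of separate TPM/SMI signatures.

type refStore map[string][sha1.Size]byte // enrolled reference hashes (TPM NV storage stand-in)
func measure(code []byte) [sha1.Size]byte { return sha1.Sum(code) }

// Report is what the target node returns to the remote authentication end (step 5).
type Report struct {
	Nonce     []byte
	EnvOK     bool            // outcome of steps 2.4 and 2.5
	VMMHash   [sha1.Size]byte // step 2.6 dynamic measurement of the VMM
	Signature []byte
}

// reportDigest binds the nonce to the results so that one signature covers all of them.
func reportDigest(nonce []byte, envOK bool, vmm [sha1.Size]byte) []byte {
	msg := append(append(append([]byte{}, nonce...), map[bool]byte{true: 1}[envOK]), vmm[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

type targetNode struct {
	store      refStore
	smramKey   *rsa.PrivateKey   // private key kept in SMRAM
	components map[string][]byte // current code+data of each measured component
}

// Attest re-measures the agents (steps 2.4/2.5) and the VMM (2.6), then signs with the SMRAM key.
func (n *targetNode) Attest(nonce []byte) (*Report, error) {
	envOK := true
	for _, c := range []string{"remote_auth_agent", "measurement_agent", "smi_handler"} {
		envOK = envOK && n.store[c] == measure(n.components[c])
	}
	vmm := measure(n.components["vmm"])
	sig, err := rsa.SignPKCS1v15(rand.Reader, n.smramKey, crypto.SHA256, reportDigest(nonce, envOK, vmm))
	if err != nil {
		return nil, err
	}
	return &Report{Nonce: nonce, EnvOK: envOK, VMMHash: vmm, Signature: sig}, nil
}

type verifier struct {
	pub    *rsa.PublicKey  // public key read from the PCR
	vmmRef [sha1.Size]byte // reference VMM hash enrolled in step 1.4
}

// Check is the remote authentication end's decision: freshness first, then signature, then results.
func (v *verifier) Check(sent []byte, r *Report) error {
	if !bytes.Equal(sent, r.Nonce) {
		return errors.New("nonce mismatch: stale or replayed report")
	}
	if rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, reportDigest(r.Nonce, r.EnvOK, r.VMMHash), r.Signature) != nil {
		return errors.New("report signature invalid")
	}
	if !r.EnvOK {
		return errors.New("measurement environment integrity check failed")
	}
	if r.VMMHash != v.vmmRef {
		return errors.New("dynamic VMM measurement differs from reference")
	}
	return nil
}

// NewDeployment enrols constructed sample components (step 1) and generates the step 2.3 key pair,
// returning the target node and the remote verifier that holds the node's public key.
func NewDeployment() (*targetNode, *verifier) {
	comps := map[string][]byte{ // constructed sample "code"; a real node measures the binaries
		"remote_auth_agent": []byte("remote-auth-agent v1"),
		"measurement_agent": []byte("measurement-agent v1"),
		"smi_handler":       []byte("smi-handler v1"),
		"vmm":               []byte("vmm v1"),
	}
	store := refStore{}
	for name, code := range comps {
		store[name] = measure(code)
	}
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken RNG
	return &targetNode{store, key, comps}, &verifier{&key.PublicKey, store["vmm"]}
}

// Nonce produces the random challenge the remote authentication user sends in step 3.
func Nonce() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}
```

The order of checks in Check is deliberate: a verifier that reads the EnvOK flag before confirming that the signature is bound to the nonce it just sent can be satisfied by an old report or by a report whose result field was edited on the way; the nonce comparison and signature verification are what tie the result to this challenge and to the key that only the locked SMRAM holds.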
2. The method according to claim 1, characterised in that the out-of-band channel software installed in step 1.1 of the initial installation, which can remotely trigger the SMI handler, is the means by which the remote authenticating party generates the interrupt.
3. The method according to claim 1 or 2, characterised in that when the measurement agent module is interrupted or encounters an exception while executing a measurement, control of the measurement is passed directly to the SMI handler.
4. The method according to claim 3, characterised in that the detailed process of the trust chain is: compare the SHA-1 function value of the BIOS and the root of trust for measurement with the SHA-1 reference value previously stored for the known-good state:
if the measured value equals the reference value, allow the platform to run, place the measured value in a platform configuration register (PCR) and store the measurement log; otherwise the TPM recovers, restarts, or halts the platform's operation;
after the BIOS and the root of trust for measurement have been measured, perform the same operation on the boot code, and finally measure the synchronous dynamic random access memory.
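The measure-compare-extend-log sequence of claim 4, as an added Go illustration that is not the patent's code. Assumed model: the PCR is a 20-byte register that starts at zero, "extend" is SHA-1(old PCR || measurement) as defined for a TPM 1.2 PCR, and the stage names and image contents are constructed samples. ReplayLog is the verifier-side counterpart the claim implies but does not spell out: recomputing the PCR from the stored measurement log.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// Added illustration of the claim 4 trust chain, not the patent's code. Assumed model: the PCR is a
// 20-byte register starting at zero, "extend" is SHA-1(old PCR || measurement) as in a TPM 1.2 PCR,
// and the stage names and image contents are constructed samples.

type logEntry struct {
	Name   string
	Digest [sha1.Size]byte
}

type chain struct {
	pcr  [sha1.Size]byte            // platform configuration register
	log  []logEntry                 // stored measurement log
	refs map[string][sha1.Size]byte // previously stored known-good reference values
}

func extend(pcr, m [sha1.Size]byte) [sha1.Size]byte {
	return sha1.Sum(append(pcr[:], m[:]...))
}

// MeasureStage is one link of the chain: measure, compare with the reference, and only on a match
// extend the PCR and record the log entry; a mismatch halts the platform instead.
func (c *chain) MeasureStage(name string, code []byte) error {
	m := sha1.Sum(code)
	if m != c.refs[name] {
		return fmt.Errorf("%s: measurement differs from reference, halting platform", name)
	}
	c.pcr = extend(c.pcr, m)
	c.log = append(c.log, logEntry{name, m})
	return nil
}

// ReplayLog recomputes the PCR from the log, which is how a verifier checks that a reported
// log and a reported PCR value agree with each other.
func ReplayLog(log []logEntry) [sha1.Size]byte {
	var pcr [sha1.Size]byte
	for _, e := range log {
		pcr = extend(pcr, e.Digest)
	}
	return pcr
}

// BootChain runs the stages in the order of claim 4 over constructed sample images, optionally
// modifying the boot code after the reference values were recorded.
func BootChain(tamperBootCode bool) (*chain, error) {
	stages := []struct {
		name string
		code []byte
	}{
		{"bios_and_rtm", []byte("bios v1 + root of trust for measurement")},
		{"boot_code", []byte("boot code v1")},
		{"sdram_image", []byte("memory image v1")},
	}
	c := &chain{refs: map[string][sha1.Size]byte{}}
	for _, s := range stages { // reference values recorded in the known-good state
		c.refs[s.name] = sha1.Sum(s.code)
	}
	if tamperBootCode {
		stages[1].code = []byte("boot code v1 (modified)")
	}
	for _, s := range stages {
		if err := c.MeasureStage(s.name, s.code); err != nil {
			return c, err
		}
	}
	return c, nil
}
```

Because each extend folds the previous PCR value into the new one, the final PCR depends on the order as well as the content of every stage, so a log that omits or reorders a stage will not replay to the PCR the platform reports.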
5. A remote authentication system for a cleanroom trusted virtual machine monitor, characterised in that it comprises a trusted platform module, a remote authentication end, an IPMI, a baseboard management controller, a system management interrupt handler, a virtual machine monitor, user virtual machines and an authentication proxy module;
a measurement agent module is provided in the virtual machine monitor, and the remote authentication end is connected to the authentication proxy module via IPMI;
the system management interrupt handler and the baseboard management controller are both connected to the authentication proxy module;
the measurement agent module and the baseboard management controller are both connected to the system management interrupt handler;
the trusted platform module is connected to the virtual machine monitor.
CN201610096110.1A 2016-02-22 2016-02-22 Remote authentication method for cleanroom trusted virtual machine monitor Pending CN105786588A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610096110.1A CN105786588A (en) 2016-02-22 2016-02-22 Remote authentication method for cleanroom trusted virtual machine monitor

Publications (1)

Publication Number Publication Date
CN105786588A true CN105786588A (en) 2016-07-20

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101025770A (en) * 2006-02-20 2007-08-29 联想(北京)有限公司 Method for starting protected partition
CN101165696A (en) * 2006-10-16 2008-04-23 中国长城计算机深圳股份有限公司 Safety identification method based on safe computer
CN101488175A (en) * 2009-02-10 2009-07-22 北京交通大学 Method for preventing credible client virtual domain starting crash based on polling mechanism

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Ahmed M. Azab et al.: "HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity", 17th ACM Conference on Computer and Communications Security (CCS) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110383277B (en) * 2017-03-07 2021-09-14 华为技术有限公司 Virtual machine monitor measurement proxy
CN110383277A (en) * 2017-03-07 2019-10-25 华为技术有限公司 Virtual machine monitor measurement agent
US11126706B2 (en) 2017-03-07 2021-09-21 Huawei Technologies Co., Ltd. Hypervisor measurement agent
CN110278127B (en) * 2019-07-02 2020-12-01 成都安恒信息技术有限公司 Agent deployment method and system based on secure transmission protocol
CN110278127A (en) * 2019-07-02 2019-09-24 成都安恒信息技术有限公司 A kind of Agent dispositions method and system based on secure transfer protocol
CN112422478B (en) * 2019-08-21 2022-10-21 烽火通信科技股份有限公司 Virtual machine security authentication method and system
CN112422478A (en) * 2019-08-21 2021-02-26 烽火通信科技股份有限公司 Virtual machine security authentication method and system
CN113141612A (en) * 2021-04-16 2021-07-20 中国科学院信息工程研究所 High-reliability management and control method and system for mobile terminal
CN113141612B (en) * 2021-04-16 2022-09-16 中国科学院信息工程研究所 High-reliability management and control method and system for mobile terminal
CN113407299A (en) * 2021-05-14 2021-09-17 海光信息技术股份有限公司 Method and device for preventing malicious rollback of virtual machine and electronic equipment
CN113407299B (en) * 2021-05-14 2023-08-29 海光信息技术股份有限公司 Method and device for preventing virtual machine from maliciously rolling back and electronic equipment
CN116089967A (en) * 2022-05-12 2023-05-09 荣耀终端有限公司 Data rollback prevention method and electronic equipment
CN116089967B (en) * 2022-05-12 2024-03-26 荣耀终端有限公司 Data rollback prevention method and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 2016-07-20)