CN108170516A - Create method, apparatus, equipment and the computer readable storage medium of vTPM - Google Patents
Create method, apparatus, equipment and the computer readable storage medium of vTPM Download PDFInfo
- Publication number
- CN108170516A CN108170516A CN201810005218.4A CN201810005218A CN108170516A CN 108170516 A CN108170516 A CN 108170516A CN 201810005218 A CN201810005218 A CN 201810005218A CN 108170516 A CN108170516 A CN 108170516A
- Authority
- CN
- China
- Prior art keywords
- vtpm
- memory space
- parameter
- virtual machine
- rear end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
Abstract
This application discloses a kind of method for creating vTPM, by when receiving the instruction for creating vTPM, obtaining the configuration parameter of vTPM;Parameter is configured and includes access interface parameter, rear end driving parameter and memory space parameter;Then memory is set and according to access interface parameter setting virtual machine and the access interface of vTPM for vTPM in virtual machine;The rear end for driving parameter setting vTPM according to rear end drives;Memory space according still further to memory space parameter setting vTPM and the memory mechanism that memory space is set.By creating vTPM in virtual machine, and set the function of vTPM according to configuration parameter, trusted root is provided for virtual machine, avoids and the establishment of the vTPM of virtual machine and application is monitored and operated by host, improve the safety of virtual machine.Disclosed herein as well is a kind of device, equipment and computer readable storage mediums for creating vTPM, are respectively provided with above-mentioned advantageous effect.
Description
Technical field
The present invention relates to information security field, more particularly to a kind of method, apparatus, equipment and computer for creating vTPM can
Read storage medium.
Background technology
Higher and higher with the popularity of informationization technology, the concept and virtualization technology of cloud have been rooted in the hearts of the people.More
Business platform is moved into virtual platform by traditional physical hardware platform come more governments, army and enterprises and institutions.
But since conventional computer system and computer network, there are the defects of secure context, are being believed in the design of architecture
Breath safety problem also moves to virtual platform from physical hardware platform.
Physical hardware platform improve system safety mode be computer-internal be embedded as computer offer can
Believe the chip TPM (credible platform module, Trusted Platform Module) of root, by building root of trust, opened from root of trust
Begin to carry out integrity verification to computer system BIOS, then booting operating system program be verified, then to operating system
Kernel is verified, finally the file or program that are run in system are verified, pass through first level verification level-one, it is established that a kind of
Trust transitivity system, to ensure the credible of entire computer system.Correspondingly, by virtual platform establish trusted system come
Improve the safety of virtual machine system.The prior art is transported by physics TPM by way of equipment transparent transmission or on host
Capable TPM simulators pass through virtual machine in the form of user's space character device, and vTPM (virtual credibles are created in virtual machine
Console module, Virtual Trusted Platform Module), so as to construct the trusted root in virtual machine.It is but this
Mode is that the establishment of the vTPM of virtual machine and application are monitored and operated by host, and in host, there are security risks
When, there is no guarantee that the safety of virtual machine system.
Therefore, how to improve the safety of virtual machine system is that those skilled in the art need the technology solved to ask at present
Topic.
Invention content
In view of this, it the purpose of the present invention is to provide a kind of method for creating vTPM, can be provided for virtual machine credible
Root, the safety for virtual machine provide safeguard;It is a further object of the present invention to provide a kind of device, equipment and calculating for creating vTPM
Machine readable storage medium storing program for executing is respectively provided with above-mentioned advantageous effect.
In order to solve the above technical problems, the present invention provides a kind of method for creating vTPM, including:
When receiving the instruction for creating vTPM, the configuration parameter of the vTPM is obtained;The configuration parameter, which includes accessing, to be connect
Mouth parameter, rear end driving parameter and memory space parameter;
It is that the vTPM sets memory and according to virtual machine and institute described in the access interface parameter setting in virtual machine
State the access interface of vTPM;
The rear end driving of vTPM according to the rear end drives parameter setting;
According to the memory space of vTPM described in the memory space parameter setting and the storage machine of the memory space is set
System.
Preferably, the access interface according to virtual machine and the vTPM described in the access interface parameter setting is specific
Including:
Establish the access interface of the virtual machine and the vTPM;
It obtains the access interface type and the virtual machine is set to the vTPM's according to the access interface type
Read-write operation rule;
The rule of communication of the access interface is set.
Preferably, the rear end driving of the vTPM according to the rear end drives parameter setting specifically includes:
The rear end for driving parameter acquiring corresponding types according to the rear end drives;
Parameter and the type registered callbacks function of rear end driving are driven according to the rear end;
Rear end driving is registered in upper layer application.
Preferably, the basis is specifically included according to the memory space of vTPM described in the memory space parameter setting:
It obtains the drive parameters in the memory space parameter and chooses qcow2 files using the drive parameters;
The qcow2 files are set as to the memory space of the vTPM.
Preferably, the memory mechanism of the setting memory space specifically includes:
The memory base address of the memory space is set;
The read-write mode of the memory space is set;
It obtains the store path of the memory space and the ID of the memory space and utilizes the store path and described
ID holds driving to register the memory space in the rear.
Preferably, further comprise setting Encryption Algorithm in the read-write mode for the memory space.
Preferably, according to the memory space of vTPM described in the memory space parameter setting and the storage is set described
Further comprise after the memory mechanism in space:
Detection information is sent to the vTPM, and judges whether the virtual machine receives the inspection of the vTPM feedbacks
Measurement information is to judge that can the vTPM communicate with the virtual machine.
In order to solve the above technical problems, the present invention also provides a kind of device for creating vTPM, including:
Acquisition module, for when receiving the instruction for creating vTPM, obtaining the configuration parameter of the vTPM;The configuration ginseng
Number includes access interface parameter, rear end driving parameter and memory space parameter;
First setup module, for being the vTPM setting memories in virtual machine and being set according to the access interface parameter
Put the access interface of the virtual machine and the vTPM;
Second setup module, for the rear end driving of the vTPM according to rear end driving parameter setting;
Third setup module, for according to described in the memory space of vTPM described in the memory space parameter setting and setting
The memory mechanism of memory space.
In order to solve the above technical problems, the present invention also provides a kind of equipment for creating vTPM, including:
Memory, for storing computer program;
The step of processor, for performing computer program when realizes the method for any of the above-described kind of establishment vTPM.
In order to solve the above technical problems, the present invention also provides a kind of computer readable storage medium, it is described computer-readable
Computer program is stored on storage medium, the computer program realizes any of the above-described kind of establishment vTPM when being executed by processor
Method the step of.
The method provided by the invention for creating vTPM, by when receiving the instruction for creating vTPM, obtaining the configuration of vTPM
Parameter;Parameter is configured and includes access interface parameter, rear end driving parameter and memory space parameter;Then it is vTPM in virtual machine
Memory is set and according to access interface parameter setting virtual machine and the access interface of vTPM;Parameter setting vTPM is driven according to rear end
Rear end driving;Memory space according still further to memory space parameter setting vTPM and the memory mechanism that memory space is set.Pass through
VTPM is created, and set the function of vTPM in virtual machine according to configuration parameter, trusted root is provided for virtual machine, avoids and pass through
Host is monitored and operates to the establishment and application of the vTPM of virtual machine, makes the safety of virtual machine not by the shadow of host
It rings, improves the safety of virtual machine.
In order to solve the above technical problems, create the device of vTPM, equipment and computer-readable the present invention also provides a kind of
Storage medium is respectively provided with above-mentioned advantageous effect.
Description of the drawings
It in order to illustrate the embodiments of the present invention more clearly or the technical solution of the prior art, below will be to embodiment or existing
Attached drawing is briefly described needed in technology description, it should be apparent that, the accompanying drawings in the following description is only this hair
Some bright embodiments, for those of ordinary skill in the art, without creative efforts, can be with root
Other attached drawings are obtained according to the attached drawing of offer.
Fig. 1 is a kind of flow chart of method for creating vTPM provided in an embodiment of the present invention;
Fig. 2 is according to access interface parameter setting virtual machine and vTPM in the method and step S20 shown in FIG. 1 for creating vTPM
Access interface flow chart;
Fig. 3 is that the rear end for driving parameter setting vTPM according to rear end in the method and step S30 shown in FIG. 1 for creating vTPM is driven
Dynamic flow chart;
Fig. 4 is the flow chart of the memory mechanism of setting memory space in the method and step S40 shown in FIG. 1 for creating vTPM;
Fig. 5 is a kind of schematic diagram of device for creating vTPM provided in an embodiment of the present invention;
Fig. 6 is a kind of schematic diagram of equipment for creating vTPM provided in an embodiment of the present invention.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present invention, the technical solution in the embodiment of the present invention is carried out clear, complete
Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, those of ordinary skill in the art are obtained every other without making creative work
Embodiment shall fall within the protection scope of the present invention.
The core of the embodiment of the present invention is to provide a kind of method for creating vTPM, can provide trusted root for virtual machine, be
The safety of virtual machine provides safeguard;Another core of the present invention is to provide a kind of device, equipment and computer for creating vTPM can
Storage medium is read, is respectively provided with above-mentioned advantageous effect.
It is right with reference to the accompanying drawings and detailed description in order to which those skilled in the art is made to more fully understand the present invention program
The present invention is described in further detail.
Fig. 1 is a kind of flow chart of method for creating vTPM provided in an embodiment of the present invention.As shown in the figure, create vTPM's
Method specifically includes:
S10:When receiving the instruction for creating vTPM, the configuration parameter of vTPM is obtained.
It should be noted that vTPM (virtual credible platform module, Virtual Trusted Platform Module) is
A kind of chip being set in virtual machine, similar chip TPM (credible platform module, the Trusted for being embedded in computer-internal
Platform Module), vTPM is used to provide trusted root for virtual machine, to be verified by trusted root to virtual machine.At this
In embodiment, created by the QOM (model for the Object-Oriented Programming that QEMU is provided, QEMU Object Module) in QEMU
vTPM.Usually vTPM is created when starting by QEMU or creating virtual machine.When receiving the instruction for creating vTPM, obtain
Take the configuration parameter of vTPM.Specifically, configuration parameter includes access interface parameter, rear end driving parameter and memory space parameter.
Certainly, configuration parameter can also include creating the other parameter that vTPM needs, and the present embodiment is to being configured the particular content of parameter not
It limits.
S20:Memory is set and according to the access of access interface parameter setting virtual machine and vTPM for vTPM in virtual machine
Interface.
It is understood that since vTPM is disposed in virtual machine, creating vTPM needs to occupy virtual machine
Memory, therefore after the instruction for creating vTPM is received, need to be vTPM storage allocations in virtual machine.Specifically, virtual
Capacity in machine for the memory of vTPM distribution can be the capacity of advance unified setting or the vTPM created as needed
Capacity setting, the present embodiment does not limit this, but is the need to ensure that the capacity of the memory divided in virtual machine is not small
In the capacity needed for vTPM.More specifically, after the instruction for creating vTPM is received, applied in virtual machine according to TCG standards
Memory headroom, virtual machine audit application accordingly, and after the approval, memory is set for vTPM.
After memory is set for vTPM in virtual machine, connect according to the access of access interface parameter setting virtual machine and vTPM
Mouthful, so that virtual machine can communicate with vTPM.The present embodiment to setting virtual machine and vTPM access interface mode not
It limits.
S30:The rear end for driving parameter setting vTPM according to rear end drives.
It is understood that rear end driving is the driving for responding to the operational order of vTPM.Specifically, according to rear end
Drive the rear end driving of parameter setting vTPM, that is to say, that the processing of parameter setting vTPM is driven according to pre-set rear end
The mode of operational order.Specifically, rear end driving can include the function of analysis instruction and execute instruction.
S40:According to memory space parameter setting vTPM memory space and the memory mechanism of memory space is set.
Specifically, according to the memory space of memory space parameter setting vTPM, setting storage is included when memory space is set
The contents such as position, the capacity in space, in addition, also needing the memory mechanism of setting memory space, such as the division of each storage region
And mode of storage etc..
It is understood that after being created that vTPM in virtual machine, vTPM can also be deleted by instructing.It needs to illustrate
, since vTPM is set in virtual machine, when closing virtual machine, the vTPM in virtual machine can also be deleted
It removes.
The method provided in this embodiment for creating vTPM, by when receiving the instruction for creating vTPM, obtaining matching for vTPM
Put parameter;Parameter is configured and includes access interface parameter, rear end driving parameter and memory space parameter;Then it is in virtual machine
VTPM sets memory and according to access interface parameter setting virtual machine and the access interface of vTPM;Parameter setting is driven according to rear end
The rear end driving of vTPM;Memory space according still further to memory space parameter setting vTPM and the memory mechanism that memory space is set.
By creating vTPM in virtual machine, and set the function of vTPM according to configuration parameter, trusted root is provided for virtual machine, is avoided
The establishment of the vTPM of virtual machine and application are monitored and operated by host, makes the safety of virtual machine not by host
Influence, improve the safety of virtual machine.
Fig. 2 is according to access interface parameter setting virtual machine and vTPM in the method and step S20 shown in FIG. 1 for creating vTPM
Access interface flow chart.As shown in the figure, it is specifically wrapped according to the access interface of access interface parameter setting virtual machine and vTPM
It includes:
S21:Establish virtual machine and the access interface of vTPM.
Specifically, in order to which virtual machine is made to communicate with vTPM, that is, virtual machine can operate vTPM, need
Virtual machine and the access interface of vTPM are set.That is, access interface receives the instruction of virtual machine and returns to execution for vTPM
As a result channel is provided, virtual machine and the communication of vTPM are realized on the basis of TCG specifications are met.Specifically, establish virtual machine
Can mutually register the interface of the interface of virtual machine and vTPM with the access interface of vTPM, it can also be in virtual machine
Interface and vTPM interface between transmission channel is set, the present embodiment does not limit the mode for establishing access interface.
S22:It obtains access interface type and read-write operation rule of the virtual machine to vTPM is set according to access interface type.
S23:The rule of communication of access interface is set.
Generally, the type due to vTPM is different, the type of access interface would also vary from.Therefore, according to vTPM's
Type obtains the type of access interface, and sets read-write operation rule of the virtual machine to vTPM according to the type of access interface.It reads
Write operation rule includes how execution read-write operation, which instruction performs read-write operation, and read-write operation is read to be deposited with write-in data
Which position of memory space etc. be stored in.
Generally, by registering TIS type equipments, to complete management of the access interface to memory on virtual machine.
As it can be seen that by the access interface according to access interface parameter setting virtual machine and vTPM, enable virtual machine and vTPM
Enough communicate.
It should be noted that generally, multiple virtual machines can be provided in host, can be corresponded in each virtual machine
VTPM is set, that is to say, that the vTPM in virtual machine in each host is to work independently mutually, non-interfering.Relatively
One piece is generally, therefore corresponding can only pass through in the quantity of TPM embeddable in the mode of equipment transparent transmission, every host
One virtual machine.As it can be seen that the method provided in this embodiment for creating vTPM, makes vTPM not limited by host quantity.Also,
Since vTPM is the TPM that is totally independent of in host, when in virtual machine opening vTPM and realizing trusted function, host
Machine can open TPM simultaneously, and vTPM and virtual machine directly carry out the operation of data interaction, are not in that data content passes through
Socket interactions or the process of physics TPM interactions, that is to say, that TPM and vTPM is also to work independently, non-interfering, is carried significantly
The high efficiency of trust authentication.
Fig. 3 is that the rear end for driving parameter setting vTPM according to rear end in the method and step S30 shown in FIG. 1 for creating vTPM is driven
Dynamic flow chart.As shown in the figure, the rear end driving for driving parameter setting vTPM according to rear end specifically includes:
S31:The rear end for driving parameter acquiring corresponding types according to rear end drives.
According to the type of vTPM, corresponding logic function library is obtained.Generally, the corresponding logic function libraries of vTPM obtained
For libtpms.Specifically, in order to be compatible with the version of different vTPM, it is therefore desirable to select the version model of libtpms.This reality
It applies example not limit the concrete operations mode that the rear end of parameter acquiring corresponding types is driven to drive according to rear end, rear end is driven
Type also do not limit.
S32:Parameter and the type registered callbacks function of rear end driving are driven according to rear end.
It is understood that call back function or referred to as readjustment, refer to pass by function parameter in computer program design
It is delivered to other codes, the reference of a certain piece of executable code.This design allows for bottom code and is invoked at high-rise definition
Subprogram.That is, by defining a call back function, rear end driving is when initialization, by the function of call back function
Pointer is registered to rear end driving;When specific event or it is conditional when, when such as receiving the instruction of call function, rear end
Driving calls call back function to handle event using function pointer.
S33:Rear end driving is registered in upper layer application.
In order to make rear end driving that can receive the instruction of upper layer application, and corresponding behaviour is performed to the instruction of upper layer application
Make, therefore, it is necessary to rear end driving is registered in upper layer application in advance.That is, upper layer application can send instruction
To vTPM, so that the rear end driving of vTPM can carry out operation, calling according to instruction or the memory space of vTPM is read
The operations such as write.
As it can be seen that by according to rear end drive parameter acquiring corresponding types rear end drive, and according to rear end drive parameter and
The type registered callbacks function of rear end driving, then rear end driving is registered in upper layer application, so that vTPM can be received
The instruction of layer application, and corresponding operation can be carried out to the instruction of upper layer application.
On the basis of above-described embodiment, the present embodiment has made further instruction and optimization to technical solution, specifically,
It is specifically included according to the memory space according to memory space parameter setting vTPM:
It obtains the drive parameters in memory space parameter and chooses qcow2 files using drive parameters;By qcow2 files
It is set as the memory space of vTPM.
It should be noted that qcow2 files are the equipment that one piece of fixed size can be represented with the form of a file
Disk.Using this characteristic, qcow2 files are set as using the drive parameters in the memory space parameter being configured in parameter
The memory space of vTPM.Specifically, obtaining the drive parameters in memory space parameter, qcow2 texts are chosen using drive parameters
Part and the memory space that qcow2 files are set as to vTPM.In the present embodiment, qcow2 files are set as to the storage of vTPM
Space NVRAM.NVRAM (Non-Volatile Random Access Memory) is nonvolatile random access memory, is referred to
Remain to keep a kind of RAM of data after power-off.It is of course also possible to memory space is set as other kinds of memory space, this
Embodiment does not limit the type of the memory space of setting.
As it can be seen that by obtaining the drive parameters in memory space parameter and choosing qcow2 files using drive parameters, and
Qcow2 files are set as to the memory space of vTPM can fast and effeciently set memory space.
Fig. 4 is the flow chart of the memory mechanism of setting memory space in the method and step S40 shown in FIG. 1 for creating vTPM.
As shown in the figure, the memory mechanism of setting memory space specifically includes:
S41:The memory base address of memory space is set.
Specifically, as preferred embodiment, according to TCG specifications, the memory base address of memory space is set as
The corresponding address of each register increases on the basis of the memory base address in the memory headroom of 0xFED40000, vTPM.This
Process is referred to as the initialization procedure of vTPM.It is of course also possible to the base address of memory space is set as other addresses,
The present embodiment does not limit this.
S42:The read-write mode of memory space is set.
Specifically, since different memory spaces may have different read-write modes or different treatment mechanisms may
There are different read-write modes.Therefore, according to the read-write mode of different requirement setting memory spaces.
S43:It obtains the store path of memory space and the ID of memory space and is driven using store path and ID in rear end
Memory space is registered.
Specifically, store path provides path to search this memory space.Memory space ID deposits for representing corresponding
Store up space.The store path of memory space and the ID of memory space are obtained, to utilize store path and ID in rear end driving pair
Memory space is registered so that rear end driving can operate memory space.
It should be noted that the form of BlockBackend structures can also be set, and BlockBackend is set to tie
Structure body is directed toward memory space.It is corresponding, when follow-up vTPM operates memory space, all pass through BlockBackend structures
Body is completed.By being set to point to the BlockBackend structures of memory space, carried out by BlockBackend structures
Operation can make mode of operation simpler.
On the basis of above-described embodiment, the present embodiment has made further instruction and optimization to technical solution, specifically,
Further comprise that the read-write mode for memory space sets Encryption Algorithm.
Generally, can be specifically, Encryption Algorithm can be set in the read-write mode for setting memory space, encryption is calculated
Method can be used for the operations such as data encrypting and deciphering, integrity verification.Specifically, the algorithm of Encryption Algorithm generally foundation national secret algorithm,
The domestic cryptographic algorithm that i.e. State Commercial Cryptography Administration is assert, that is, commercial cipher.More specifically, national secret algorithm include SM2, SM3 with
And SM4 etc., the present embodiment do not limit the type of national secret algorithm.By setting Encryption Algorithm, virtual machine is further improved
Safety.
On the basis of above-described embodiment, the present embodiment has made further instruction and optimization to technical solution, specifically,
According to the memory space of memory space parameter setting vTPM and setting and further comprising after the memory mechanism of memory space:
Detection information is sent to vTPM, and judges whether virtual machine receives the detection information of vTPM feedbacks to judge vTPM
It can communicate with virtual machine.
Specifically, send detection information to vTPM, which can be that pre-set that vTPM is needed to carry out is related
Processing information.After detection information is sent to vTPM, whether detection virtual machine receives the detection information of vTPM feedbacks, i.e.,
Relevant processing is carried out to detection information later by vTPM and feedack.If virtual machine receives the information, then it represents that vTPM
It can normally communicate with virtual machine.
It should be noted that if vTPM can communicate with virtual machine, i.e. vTPM is able to carry out the operational order of virtual machine, then
Represent that vTPM is created successfully.The method provided by the invention for creating vTPM, can create fully virtualized vTPM in virtual machine
Equipment.The vTPM is when reading and writing data, additionally it is possible to perform incompatible lock mechanism.Specifically, in the instruction for detecting read-write data,
Detect whether there is lock file;If so, it is locked using file is locked for memory space;It is empty to storage according to the instruction of read-write data
Between operated, to complete, to the concurrent access mechanism of memory space, to prevent concurrent operations from causing the disorderly of the content of memory space
Disorderly.
It should be noted that according to the vTPM that the present embodiment creates, while also there is virtual machine snapshot.It can manage
Solution, virtual machine snapshot are that magnetic disk of virtual machine file (VMDK) puts timely duplicate at some.In the present embodiment, Ke Yishi
When storage virtual machine and vTPM state, i.e., the data of virtual machine and vTPM are carried out with the operation of snapshot.In system crash or it is
When system is abnormal, virtual machine or vTPM can be made to be restored to the corresponding state of snapshot by using snapshot is restored to.
It should also be noted that, since the vTPM equipment that the present embodiment creates is fully virtualized equipment, can incite somebody to action
VTPM carries out dynamic migration operation.Specifically, after migration instruction is received, the credible shape of source host and destination host is obtained
State;When source host and destination host are trusted status, the data transmission channel of source host and destination host is established.It is establishing
After data transmission channel, source host preserves the data of vTPM, and the data of vTPM are transmitted to mesh by data transmission channel
Host;Destination host receives the data of vTPM and is loaded.When source host is synchronous with the data of the vTPM of destination host complete
Cheng Hou suspends the virtual machine on source host, and starts the virtual machine on destination host, makes the vTPM of the virtual machine on destination host
It can be operated according to the data of the vTPM of acquisition.It, i.e., cannot be according to the vTPM of acquisition if destination host cannot successfully start up
Data operated, then it represents that dynamic migration fail, then reopen the virtual machine on source host.
It is described in detail above for a kind of embodiment for the method for creating vTPM provided by the invention, the present invention
A kind of device, equipment and computer readable storage medium for creating vTPM corresponding with this method is additionally provided, due to device, is set
Standby and computer readable storage medium part embodiment and the embodiment of method part mutually correlate, thus device, equipment and
The embodiment of computer readable storage medium part refers to the description of the embodiment of method part, wouldn't repeat here.
Fig. 5 is a kind of schematic diagram of device for creating vTPM provided in an embodiment of the present invention, as shown in the figure, creating vTPM's
Device includes:
Acquisition module 51, for when receiving the instruction for creating vTPM, obtaining the configuration parameter of vTPM;Configuration parameter includes
Access interface parameter, rear end driving parameter and memory space parameter;
First setup module 52, in virtual machine be vTPM set memory and according to access interface parameter setting it is virtual
The access interface of machine and vTPM;
Second setup module 53, for the rear end of parameter setting vTPM to be driven to drive according to rear end;
Third setup module 54, for according to the memory space of memory space parameter setting vTPM and setting memory space
Memory mechanism.
The device provided by the invention for creating vTPM, the advantageous effect of the method with above-mentioned establishment vTPM.
Fig. 6 is a kind of schematic diagram of equipment for creating vTPM provided in an embodiment of the present invention, as shown in the figure, creating vTPM's
Equipment includes:
Memory 61, for storing computer program;
Processor 62, for performing computer program when, realize following steps:
When receiving the instruction for creating vTPM, the configuration parameter of vTPM is obtained;Be configured parameter include access interface parameter, after
End driving parameter and memory space parameter;
Memory is set and according to access interface parameter setting virtual machine and the access interface of vTPM for vTPM in virtual machine;
The rear end for driving parameter setting vTPM according to rear end drives;
According to memory space parameter setting vTPM memory space and the memory mechanism of memory space is set.
The equipment provided by the invention for creating vTPM, the advantageous effect of the method with above-mentioned establishment vTPM.
In order to solve the above technical problems, the present invention also provides a kind of computer readable storage medium, computer-readable storage
Computer program is stored on medium, lower step is realized when computer program is executed by processor:
When receiving the instruction for creating vTPM, the configuration parameter of vTPM is obtained;Be configured parameter include access interface parameter, after
End driving parameter and memory space parameter;
Memory is set and according to access interface parameter setting virtual machine and the access interface of vTPM for vTPM in virtual machine;
The rear end for driving parameter setting vTPM according to rear end drives;
According to memory space parameter setting vTPM memory space and the memory mechanism of memory space is set.
Computer readable storage medium provided in this embodiment, the advantageous effect of the method with above-mentioned establishment vTPM.
The method, apparatus, equipment and computer readable storage medium provided by the present invention for creating vTPM is carried out above
It is discussed in detail.Specific embodiment used herein is expounded the principle of the present invention and embodiment, implements above
The explanation of example is merely used to help understand the method and its core concept of the present invention.It should be pointed out that for the general of the art
For logical technical staff, without departing from the principle of the present invention, can also to the present invention, some improvement and modification can also be carried out, this
A little improvement and modification are also fallen within the protection scope of the claims of the present invention.
Each embodiment is described by the way of progressive in specification, the highlights of each of the examples are with other realities
Apply the difference of example, just to refer each other for identical similar portion between each embodiment.For device disclosed in embodiment
Speech, since it is corresponded to the methods disclosed in the examples, so description is fairly simple, related part is referring to method part illustration
.
Professional further appreciates that, with reference to each exemplary unit of the embodiments described herein description
And algorithm steps, can be realized with the combination of electronic hardware, computer software or the two, in order to clearly demonstrate hardware and
The interchangeability of software generally describes each exemplary composition and step according to function in the above description.These
Function is performed actually with hardware or software mode, specific application and design constraint depending on technical solution.Profession
Technical staff can realize described function to each specific application using distinct methods, but this realization should not
Think beyond the scope of this invention.
It can directly be held with reference to the step of method or algorithm that the embodiments described herein describes with hardware, processor
The combination of capable software module or the two is implemented.Software module can be placed in random access memory (RAM), memory, read-only deposit
Reservoir (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or technology
In any other form of storage medium well known in field.
Claims (10)
- A kind of 1. method for creating vTPM, which is characterized in that including:When receiving the instruction for creating vTPM, the configuration parameter of the vTPM is obtained;The configuration parameter is joined including access interface Number, rear end driving parameter and memory space parameter;In virtual machine be the vTPM setting memories and according to virtual machine described in the access interface parameter setting with it is described The access interface of vTPM;The rear end driving of vTPM according to the rear end drives parameter setting;According to the memory space of vTPM described in the memory space parameter setting and the memory mechanism of the memory space is set.
- It is 2. according to the method described in claim 1, it is characterized in that, described according to virtual described in the access interface parameter setting The access interface of machine and the vTPM specifically includes:Establish the access interface of the virtual machine and the vTPM;It obtains the access interface type and read-write of the virtual machine to the vTPM is set according to the access interface type Operation rules;The rule of communication of the access interface is set.
- 3. the according to the method described in claim 1, it is characterized in that, vTPM according to the rear end drives parameter setting Rear end driving specifically include:The rear end for driving parameter acquiring corresponding types according to the rear end drives;Parameter and the type registered callbacks function of rear end driving are driven according to the rear end;Rear end driving is registered in upper layer application.
- 4. according to the method described in claim 1, it is characterized in that, the basis is according to described in the memory space parameter setting The memory space of vTPM specifically includes:It obtains the drive parameters in the memory space parameter and chooses qcow2 files using the drive parameters;The qcow2 files are set as to the memory space of the vTPM.
- 5. according to the method described in claim 1, it is characterized in that, the memory mechanism of the setting memory space specifically wraps It includes:The memory base address of the memory space is set;The read-write mode of the memory space is set;It obtains the store path of the memory space and the ID of the memory space and is existed using the store path and the ID The memory space is registered in the rear end driving.
- 6. according to the method described in claim 5, it is characterized in that, further comprise in the read-write mode for the memory space Encryption Algorithm is set.
- 7. method according to any one of claims 1 to 6, which is characterized in that described according to the memory space parameter The memory space of the vTPM is set and the memory mechanism of the memory space is set to further comprise later:Detection information is sent to the vTPM, and judges whether the virtual machine receives the detection letter of the vTPM feedbacks It ceases to judge that can the vTPM communicate with the virtual machine.
- 8. a kind of device for creating vTPM, which is characterized in that including:Acquisition module, for when receiving the instruction for creating vTPM, obtaining the configuration parameter of the vTPM;The configuration parameter packet Include access interface parameter, rear end driving parameter and memory space parameter;First setup module, for being that the vTPM sets memory and according to the access interface parameter setting institute in virtual machine State the access interface of virtual machine and the vTPM;Second setup module, for the rear end driving of the vTPM according to rear end driving parameter setting;Third setup module, for according to the memory space of vTPM described in the memory space parameter setting and setting the storage The memory mechanism in space.
- 9. a kind of equipment for creating vTPM, which is characterized in that including:Memory, for storing computer program;Processor, the method that the establishment vTPM as described in any one of claim 1 to 7 is realized during for performing the computer program The step of.
- 10. a kind of computer readable storage medium, which is characterized in that be stored with computer on the computer readable storage medium Program, the method that vTPM is created as described in any one of claim 1 to 7 is realized when the computer program is executed by processor Step.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810005218.4A CN108170516A (en) | 2018-01-03 | 2018-01-03 | Create method, apparatus, equipment and the computer readable storage medium of vTPM |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810005218.4A CN108170516A (en) | 2018-01-03 | 2018-01-03 | Create method, apparatus, equipment and the computer readable storage medium of vTPM |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108170516A true CN108170516A (en) | 2018-06-15 |
Family
ID=62517322
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810005218.4A Pending CN108170516A (en) | 2018-01-03 | 2018-01-03 | Create method, apparatus, equipment and the computer readable storage medium of vTPM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108170516A (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109062662A (en) * | 2018-07-12 | 2018-12-21 | 浪潮(北京)电子信息产业有限公司 | A kind of virtual credible root moving method, system and electronic equipment and storage medium |
CN109086118A (en) * | 2018-07-25 | 2018-12-25 | 浪潮(北京)电子信息产业有限公司 | VTPM virtual machine migration method, device and equipment based on KVM |
CN109542588A (en) * | 2018-11-27 | 2019-03-29 | 郑州云海信息技术有限公司 | A kind of method and apparatus for managing virtual unit under cloud environment |
CN109684029A (en) * | 2018-11-02 | 2019-04-26 | 新华三云计算技术有限公司 | Storage content access method, device, electronic equipment and computer storage medium |
CN110659509A (en) * | 2019-08-29 | 2020-01-07 | 北京浪潮数据技术有限公司 | Memory snapshot file generation method and device, electronic equipment and medium |
CN113468563A (en) * | 2021-06-24 | 2021-10-01 | 曙光信息产业股份有限公司 | Virtual machine data encryption method and device, computer equipment and storage medium |
CN113987599A (en) * | 2021-12-28 | 2022-01-28 | 苏州浪潮智能科技有限公司 | Method, device, equipment and readable storage medium for realizing firmware trusted root |
CN114385248A (en) * | 2020-10-22 | 2022-04-22 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN114679253A (en) * | 2022-04-22 | 2022-06-28 | 四川大学 | Chinese commercial cipher algorithm expansion method of vTPM2.0 |
CN114385248B (en) * | 2020-10-22 | 2024-04-23 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060256107A1 (en) * | 2005-05-13 | 2006-11-16 | Scarlata Vincent R | Methods and apparatus for generating endorsement credentials for software-based security coprocessors |
US20090086979A1 (en) * | 2007-09-28 | 2009-04-02 | Tasneem Brutch | Virtual tpm keys rooted in a hardware tpm |
CN101488174A (en) * | 2009-01-15 | 2009-07-22 | 北京交通大学 | Implementing method for dynamically transparent virtual credible platform module |
CN102289620A (en) * | 2011-08-12 | 2011-12-21 | 华南理工大学 | Credible equipment virtualization system and method based on Xen safety computer |
CN105574415A (en) * | 2015-12-08 | 2016-05-11 | 中电科华云信息技术有限公司 | Security management method of virtual machine based on trust root |
US20160196449A1 (en) * | 2014-07-15 | 2016-07-07 | Neil Sikka | Apparatus for and Method of Preventing Unsecured Data Access |
CN105956465A (en) * | 2016-05-04 | 2016-09-21 | 浪潮电子信息产业股份有限公司 | VTPM-based method for constructing virtual trusted platform |
-
2018
- 2018-01-03 CN CN201810005218.4A patent/CN108170516A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060256107A1 (en) * | 2005-05-13 | 2006-11-16 | Scarlata Vincent R | Methods and apparatus for generating endorsement credentials for software-based security coprocessors |
US20090086979A1 (en) * | 2007-09-28 | 2009-04-02 | Tasneem Brutch | Virtual tpm keys rooted in a hardware tpm |
CN101488174A (en) * | 2009-01-15 | 2009-07-22 | 北京交通大学 | Implementing method for dynamically transparent virtual credible platform module |
CN102289620A (en) * | 2011-08-12 | 2011-12-21 | 华南理工大学 | Credible equipment virtualization system and method based on Xen safety computer |
US20160196449A1 (en) * | 2014-07-15 | 2016-07-07 | Neil Sikka | Apparatus for and Method of Preventing Unsecured Data Access |
CN105574415A (en) * | 2015-12-08 | 2016-05-11 | 中电科华云信息技术有限公司 | Security management method of virtual machine based on trust root |
CN105956465A (en) * | 2016-05-04 | 2016-09-21 | 浪潮电子信息产业股份有限公司 | VTPM-based method for constructing virtual trusted platform |
Non-Patent Citations (6)
Title |
---|
LILI ZHANG: "Embedded Trusted Computing Environment Build Based on QEMU Virtual Machine Architecture", 《2014 SEVENTH INTERNATIONAL SYMPOSIUM ON COMPUTATIONAL INTELLIGENCE AND DESIGN》 * |
再忆风中飘: "QEMU中挂载vTPM步骤", 《HTTPS://WENKU.BAIDU.COM/VIEW/B4EE56AC360CBA1AA911DA1D.HTML》 * |
刘绍方: "基于 QEMU 的虚拟可信平台模块的设计与实现", 《计算机工程与设计》 * |
熊盛武: "《CLOUDSTACK云平台部署与应用实践》", 31 July 2017 * |
王成林: "《物流实验实训教程》", 30 November 2013, 中国财富出版社 * |
蔡永泉: "《计算机网络安全》", 31 October 2006, 北京航空航天大学出版社 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109062662A (en) * | 2018-07-12 | 2018-12-21 | 浪潮(北京)电子信息产业有限公司 | A kind of virtual credible root moving method, system and electronic equipment and storage medium |
CN109086118A (en) * | 2018-07-25 | 2018-12-25 | 浪潮(北京)电子信息产业有限公司 | VTPM virtual machine migration method, device and equipment based on KVM |
CN109684029A (en) * | 2018-11-02 | 2019-04-26 | 新华三云计算技术有限公司 | Storage content access method, device, electronic equipment and computer storage medium |
CN109542588A (en) * | 2018-11-27 | 2019-03-29 | 郑州云海信息技术有限公司 | A kind of method and apparatus for managing virtual unit under cloud environment |
CN110659509A (en) * | 2019-08-29 | 2020-01-07 | 北京浪潮数据技术有限公司 | Memory snapshot file generation method and device, electronic equipment and medium |
CN114385248A (en) * | 2020-10-22 | 2022-04-22 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN114385248B (en) * | 2020-10-22 | 2024-04-23 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN113468563A (en) * | 2021-06-24 | 2021-10-01 | 曙光信息产业股份有限公司 | Virtual machine data encryption method and device, computer equipment and storage medium |
CN113987599A (en) * | 2021-12-28 | 2022-01-28 | 苏州浪潮智能科技有限公司 | Method, device, equipment and readable storage medium for realizing firmware trusted root |
CN113987599B (en) * | 2021-12-28 | 2022-03-22 | 苏州浪潮智能科技有限公司 | Method, device, equipment and readable storage medium for realizing firmware trusted root |
CN114679253A (en) * | 2022-04-22 | 2022-06-28 | 四川大学 | Chinese commercial cipher algorithm expansion method of vTPM2.0 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108170516A (en) | Create method, apparatus, equipment and the computer readable storage medium of vTPM | |
Priebe et al. | SGX-LKL: Securing the host OS interface for trusted execution | |
US10496824B2 (en) | Trusted language runtime on a mobile platform | |
US9626512B1 (en) | Validating using an offload device security component | |
England et al. | Para-virtualized TPM sharing | |
JP5510550B2 (en) | Hardware trust anchor | |
CN109101319B (en) | Working method of platform for realizing TPCM full virtualization on QEMU | |
CN108885665A (en) | System and method for decrypting the network flow in virtualized environment | |
US20110202765A1 (en) | Securely move virtual machines between host servers | |
US10211985B1 (en) | Validating using an offload device security component | |
CN106295385B (en) | A kind of data guard method and device | |
CN102214277B (en) | Method and device for establishing trusted environments for virtual machine system of multicore processor | |
CN109918919A (en) | Authenticate the management of variable | |
AU2018201934B2 (en) | Network based management of protected data sets | |
TWI744797B (en) | Computer implement method, system and computer program product for binding secure keys of secure guests to a hardware security module | |
CN109325355A (en) | Mobile terminal data method for secure storing based on virtual disk | |
CN107533615A (en) | For the technology encrypted using Secure Enclave come augmentation data | |
TWI737172B (en) | Computer system, computer program product and computer implement method for incremental decryption and integrity verification of a secure operating system image | |
CN108595982A (en) | A kind of secure computing architecture method and device based on more container separating treatments | |
CN108155988A (en) | A kind of moving method, device, equipment and readable storage medium storing program for executing for protecting key | |
WO2019186546A1 (en) | Secured computer system | |
Suciu et al. | Horizontal privilege escalation in trusted applications | |
CN109376119B (en) | Method for creating disk image file encrypted snapshot, method for using disk image file encrypted snapshot and storage medium | |
CN108985096A (en) | A kind of enhancing of Android SQLite database security, method for safely carrying out and device | |
CN112099900A (en) | Sidecar mode-based container security method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180615 |
|
RJ01 | Rejection of invention patent application after publication |