CN109634619B - Trusted execution environment implementation method and device, terminal device and readable storage medium - Google Patents

Trusted execution environment implementation method and device, terminal device and readable storage medium Download PDF

Info

Publication number
CN109634619B
CN109634619B CN201811406497.1A CN201811406497A CN109634619B CN 109634619 B CN109634619 B CN 109634619B CN 201811406497 A CN201811406497 A CN 201811406497A CN 109634619 B CN109634619 B CN 109634619B
Authority
CN
China
Prior art keywords
remote access
digital signature
mirror image
data
execution environment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811406497.1A
Other languages
Chinese (zh)
Other versions
CN109634619A (en
Inventor
刘钦根
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Information Technology Co Ltd
Original Assignee
Shijinshi Credit Service Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shijinshi Credit Service Co ltd filed Critical Shijinshi Credit Service Co ltd
Priority to CN201811406497.1A priority Critical patent/CN109634619B/en
Publication of CN109634619A publication Critical patent/CN109634619A/en
Application granted granted Critical
Publication of CN109634619B publication Critical patent/CN109634619B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/451Execution arrangements for user interfaces
    • G06F9/452Remote windowing, e.g. X-Window System, desktop virtualisation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Human Computer Interaction (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a trusted execution environment implementation method, which comprises the following steps: closing all remote access services of a pre-selected basic operating system of a data providing end, and installing a preset type of remote access application program; making a mirror image of a basic operating system; adding a digital signature to the mirror image, and writing the digital signature into a block chain; when a trusted execution environment starting instruction is received, acquiring a digital signature corresponding to a target mirror image from a block chain as a verification digital signature; if the verification digital signature is judged to be valid, calling a target mirror image; and operating the installed remote access application program, generating a remote access address of the data providing end, and sending the remote access address to the data using end. The invention also provides a trusted execution environment implementation device, terminal equipment and a readable storage medium. The invention solves the technical problems that the existing data providing mode is easy to cause data leakage and algorithm leakage.

Description

Trusted execution environment implementation method and device, terminal device and readable storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a trusted execution environment implementation method and device, terminal equipment and a readable storage medium.
Background
At present, data among different mechanisms is provided by copying data to the environment of the other party, and the data owner cannot effectively monitor whether the data is illegally copied or lost; or the data using party uses the data in the environment of the data owner, and the data using mode is peeped by the data owner. In other words, when data sharing is performed among different mechanisms, the data sharing needs to be completed by sacrificing the source data security or algorithm security of one party; data or algorithms are used and generated in an unsafe environment, and the problems of data leakage and algorithm leakage are easy to occur.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method and a device for realizing a trusted execution environment, a terminal device and a readable storage medium, and aims to solve the technical problems that the existing data providing mode is difficult to effectively guarantee the security of source data or the security of an algorithm, and data leakage and algorithm leakage are easy to occur.
In order to achieve the above object, the present invention provides a trusted execution environment implementation method, including the following steps:
closing all remote access services of a pre-selected basic operating system of a data providing end, and installing a preset type of remote access application program;
making a mirror image of the basic operating system;
adding a digital signature to the mirror image, and writing the digital signature into a block chain;
when a starting instruction of the trusted execution environment is received, searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image;
acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature;
judging whether the check digital signature is valid; if the image is valid, calling a target mirror image;
and operating the installed remote access application program, generating a remote access address of a data providing end, and sending the remote access address to a data using end.
Preferably, the step of determining whether the verification digital signature is valid specifically includes:
acquiring a digital signature added to a target mirror image;
comparing the digital signature of the target image with the verification digital signature;
if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
Preferably, after the step of retrieving the target image, the method further includes:
confirming the type of cloud computing service currently used by a data using end;
if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
if the currently used cloud computing service type is the second service type, starting the virtual machine, resetting an administrator password of the virtual machine to be a random password, and then executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
Preferably, after the step of making the image of the base operating system, the method further includes:
trimming the contents of the produced image to delete a preselected type of service of the image.
Preferably, the remote access application comprises a Jupyter application.
In addition, to achieve the above object, the present invention further provides a trusted execution environment implementing apparatus, including:
the system comprises a preparation unit, a data providing unit and a data processing unit, wherein the preparation unit is used for closing all remote access services of a pre-selected basic operating system of the data providing end and installing a preset type of remote access application program;
the mirror image making unit is used for making a mirror image of the basic operating system;
the digital signature unit is used for adding a digital signature to the mirror image and writing the digital signature into a block chain;
the mirror image searching unit is used for searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image when a starting instruction of the trusted execution environment is received;
the verifying unit is used for acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature; judging whether the check digital signature is valid;
the mirror image calling unit is used for calling a target mirror image when the verification digital signature is judged to be valid;
and the application unit is used for running the installed remote access application program, generating a remote access address of the data providing end and sending the remote access address to the data using end.
Preferably, the verification unit is specifically configured to obtain a digital signature added to the target image; comparing the digital signature of the target image with the verification digital signature; if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
Preferably, the application unit is further configured to confirm a type of cloud computing service currently used by the data consumer; if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the application unit is further configured to start the virtual machine if the currently used cloud computing service type is the second service type, reset an administrator password of the virtual machine to a random password, and then execute the steps of: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
In addition, to achieve the above object, the present invention also provides a terminal device, including: a memory, a processor, and a trusted execution environment implementation program stored on the memory and executable on the processor, the trusted execution environment implementation program, when executed by the processor, implementing the steps of the trusted execution environment implementation method as described above.
In addition, to achieve the above object, the present invention also provides a readable storage medium, on which a trusted execution environment implementation program is stored, which, when being executed by a processor, implements the steps of the trusted execution environment implementation method as described above.
The embodiment of the invention provides a trusted execution environment implementation method and device, terminal equipment and a readable storage medium, wherein a mirror image operation system which can only realize remote access with a cloud server and cannot be accessed by other third parties is created by making a mirror image of a basic operation system which closes all remote access services in advance and installs a preset type of remote access application program; and adding a digital signature to the mirror image, and recording the digital signature on the block chain to provide verification basis for the subsequent validity verification of the target mirror image. When the data using end needs to obtain the local data of the data providing end, the data providing end runs the installed remote access application program, and generates and sends the remote access address of the data using end to the data using end. Namely, the data providing end can only be remotely accessed through the cloud server, related data can be obtained, and the related data can be transmitted back to the data using end. Therefore, the execution environment is deployed in the cloud server, and the data using end cannot directly contact the physical equipment on one side of the data providing end; meanwhile, the cloud deployment and remote access mode ensures that the input and output links of the execution environment are in a controllable state, so that illegal access to local data of the data providing end is avoided, and meanwhile, the data providing end cannot acquire data and algorithms generated in the process that a data user acquires the data in the cloud execution environment. Therefore, the safety of source data or the safety of an algorithm is effectively guaranteed, and the risks of data leakage and algorithm leakage are reduced.
Drawings
FIG. 1 is a flowchart illustrating a trusted execution environment implementing method according to a first embodiment of the present invention;
fig. 2 is a first schematic diagram of a cloud service function framework according to a first embodiment of the trusted execution environment implementation method of the present invention;
FIG. 3 is a second schematic diagram of a cloud service functional framework according to a first embodiment of the trusted execution environment implementation method of the present invention;
FIG. 4 is a flowchart of a trusted execution environment implementing method according to a second embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating the components of the functional units of the trusted execution environment implementing apparatus according to the present invention;
fig. 6 is a block diagram of the components of the terminal device of the present invention.
The objects, features and advantages of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Some of the terms and explanations related to the present invention are listed below:
SaaS (Software-as-a-Service): software is a service. SaaS is a service model of cloud computing, and the service provided to customers is an application program that an operator runs on a cloud computing infrastructure, and a user can access through a client interface on various devices, such as a browser. The consumer does not need to manage or control any cloud computing infrastructure, including networks, servers, operating systems, storage, and the like.
IaaS (Infrastructure-as-a-Service): the infrastructure is the service. IaaS is a cloud-computing service model that provides consumers with the services of utilizing all the computing infrastructure, including processing CPU, memory, storage, networking and other basic computing resources, and users can deploy and run arbitrary software, including operating systems and applications.
Trusted Execution Environment (TEE): a secure area within the main processor. It runs in a separate environment and in parallel with the operating system. By using both hardware and software to protect data and code, it is ensured that the confidentiality and integrity of both the code and data loaded in the environment is protected more securely than in conventional systems (i.e., REE, rich execution environments). Trusted applications running in the TEE can access all functions of the device main processor and memory, while hardware isolation protects these components from user-installed applications running in the main operating system. The TEE protects different trusted applications together through software and cryptographic isolation.
The data providing end: the associated port/device/equipment that provides the data.
The data use end: the relevant port/device/equipment for data acquisition.
Docker: an open source application container engine. Based on Docker, developers can pack their applications and dependency packages into a portable container, and then distribute the container to various machines using Linux systems, and also can realize virtualization.
The invention provides a trusted execution environment implementation method.
Referring to fig. 1, fig. 1 is a flowchart illustrating a trusted execution environment implementing method according to a first embodiment of the present invention. In this implementation, the method comprises the steps of:
step S10, closing all remote access services of the pre-selected basic operating system of the data providing end, and installing the remote access application program with the preset type;
and preselecting a corresponding basic operating system based on the specific requirement condition of the trusted execution environment of the cloud server. The cloud server is a broad concept and comprises various servers, platforms and systems belonging to a cloud architecture. Different trusted execution environments can be contained on the cloud server; correspondingly, different trusted execution environments have corresponding specific requirements, which should be determined according to specific situations. For a certain trusted execution environment, a basic operating system running on a data providing end and meeting specific requirements of the trusted execution environment needs to be selected in advance. Then, step S10 is executed. Preferably, the remote access application comprises a Jupyter application. The Jupyter application program is an open-source interactive computing environment tool supporting multiple programming languages, and can realize connection and remote access between a data providing end and a cloud server.
Step S20, making a mirror image of the basic operating system;
the implementation of making an image of the underlying operating system is a mature technology and will not be described here.
Optionally, after the mirror image is manufactured, the method further includes: trimming the contents of the produced image to delete a preselected type of service of the image. Understandably, the image of the underlying operating system contains several different types of services. "service" as referred to herein is a broad concept, such as various types of functional code, applications, software, and so on. The method has the advantages that the mirror image is trimmed, useless services are deleted, and only basic services related to data sharing are reserved, so that a lightweight mirror image file is constructed, time consumption of uploading the mirror image file to a cloud server is reduced, and the operation efficiency and stability of data sharing are improved.
Step S30, adding a digital signature to the mirror image, and writing the digital signature into a block chain;
in an embodiment, the digital signature may be only a set of digest information (feature information) of the image file generated according to a certain digest algorithm, or an electronic signature obtained by encrypting the digest information. Specifically, a method for signing electronic information by adopting a public key encryption algorithm. For example, a set of digest information (feature information) of the image file is first generated according to a certain digest algorithm, and the digest information is encrypted by a private key of the generated public and private key pair to form a signature file.
The generated digital signature is directly added to a preset storage area of the image or is used as an attachment of the image.
And recording the digital signature of the image onto a block chain, namely recording (accounting) the digital signature of the image by using a block chain technology based on computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. The digital signature of the image recorded on the blockchain is modified to leave a modification trace (certificate) which is easy to obtain, so that the digital signature can be used for subsequent digital signature verification to further verify the validity of the image (namely, to judge whether the manufactured image is tampered or not).
The steps described above are a series of steps for mirroring the base operating system. Only one mirror image of each basic operating system needs to be manufactured.
Preferably, after step S30, the method includes: uploading the mirror image to a cloud storage area;
the image file added with the digital signature is uploaded to a preset storage area on the cloud server, and the preset storage area can be an image warehouse specially used for storing the image files of the images. The image file is uploaded to the preset storage area on the cloud server, so that the phenomenon that the image file is stored in the local environment of a data provider and is illegally tampered can be avoided, the image file is downloaded only when the trusted execution environment is needed to share data, and the use flexibility of the image file is improved.
Step S40, when a start instruction of the trusted execution environment is received, searching the mirror image of the basic operation system corresponding to the trusted execution environment from the manufactured mirror images as a target mirror image;
when the data using end needs to acquire the related data of the data providing end, the data using end logs in the cloud server, sends a data acquisition request to the cloud server and selects a specific trusted execution environment as a target trusted execution environment, so that the cloud server sends a starting instruction of the trusted execution environment to the data providing end. The data providing end confirms the target trusted execution environment (namely the trusted execution environment selected by the data using end) according to the starting instruction; and determining a target image corresponding to the target trusted execution environment based on the incidence relation among the trusted execution environment, the basic operating system and the corresponding image. Such as determining the name and version number of the target image.
Step S50, acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature;
specifically, position information of a digital signature corresponding to the target mirror image is acquired, and the digital signature is extracted according to the position information of the digital signature.
Step S60, judging whether the check digital signature is valid; if the image is valid, calling a target mirror image;
specifically, one embodiment of determining whether the verification digital signature is valid includes:
step S61, acquiring a digital signature added to the target image;
for example, a digital signature file of the target image is downloaded from a cloud server. Or after generating the digital signature of the mirror image, storing the digital signature to the local position of the data providing end; the digital signature is extracted when step S71 is executed.
Step S62, comparing the digital signature of the target image with the check digital signature;
and if the verification digital signature is not encrypted, directly comparing the digital signature of the target image with the verification digital signature. If the verification digital signature is encrypted by using the public key encryption mode, the public key in the public and private key pair is used for decrypting the verification digital signature, and then the digital signature of the target mirror image is compared with the decrypted verification digital signature.
Step S63, if the two are consistent, the target mirror image is judged to be effective; otherwise, the target image is judged to be invalid.
When the digital signature of the target image is consistent with the verification digital signature, the target image is proved not to be tampered, the safety of the target image passes verification, and the target image is judged to be valid; otherwise, judging that the verification digital signature is invalid, directly finishing the data sharing operation, and sending prompt information of invalid digital signature verification to the data using end or the data providing end so that the data using end or the data providing end can obtain information of verification failure and make relevant countermeasures.
When the target mirror image is judged to be effective, if the target mirror image is stored in a cloud storage area in advance, calling a cloud server, and downloading the target mirror image to be stored in a local storage area of a data providing end; and if the target mirror image is pre-stored in the local storage area of the data providing end, directly calling and operating the target mirror image.
And step S70, running the installed remote access application program, generating a remote access address of the data providing end, and sending the remote access address to the data using end.
And when the target image downloaded from the image storage area of the cloud server passes the consistency verification of the digital signature, locally starting the target image at the data providing end, namely starting the target image operating system. The installed remote access application is launched and run in the mirrored operating system. For example, start the Jupyter program; and based on the Jupyter program, the connection and remote access between the data providing end and the cloud server are realized. At this time, the data provider serves as a destination access port corresponding to a specific remote access address. The remote access address may be generated based on a preset network communication protocol.
And sending the generated remote access address to a data using end. Furthermore, the data user operates at the data user end; correspondingly, the data using end is connected with the cloud server and inputs the remote access address, so that the data providing end under the target mirror image operating system is accessed through the cloud server, corresponding local data are obtained, and the local data are transmitted to the data using end through the cloud server. In this way, the data user can obtain the data from the data provider side.
As shown in the schematic diagrams of the cloud service functional framework shown in fig. 2 and fig. 3, the trusted execution environment in this embodiment is constructed and operated by using a block chain service, a trusted execution environment service, a container service, a mirror service, a computing service, a storage service, a virtualization technology, and a cloud server specifically, and by fusing and applying various services, technologies, and devices, the cloud service-based trusted execution environment in this embodiment is implemented, so as to protect data and algorithms in a data sharing process.
In this embodiment, a mirror image of a basic operating system that closes all remote access services in advance and installs a preset type of remote access application program is made, and a mirror image operating system that can only realize remote access with a cloud server and cannot be accessed by other third parties is created; and adding a digital signature to the mirror image, and recording the digital signature to the block chain to provide a verification basis for the subsequent validity verification of the target mirror image. When the data using end needs to acquire the local data of the data providing end, the data providing end runs the installed remote access application program, and generates and sends the remote access address of the data using end to the data using end. Namely, the data providing end can only be remotely accessed through the cloud server, related data can be obtained, and the related data can be transmitted back to the data using end. Therefore, the execution environment is deployed in the cloud server, and the data using end cannot directly contact the physical equipment on one side of the data providing end; meanwhile, the cloud deployment and remote access mode ensures that the input and output links of the execution environment are in a controllable state, so that illegal access to local data of the data providing end is avoided, and meanwhile, the data providing end cannot acquire data and algorithms generated in the process that a data user acquires the data in the cloud execution environment. Therefore, the safety of source data or the safety of an algorithm is effectively guaranteed, and the risks of data leakage and algorithm leakage are reduced.
Further, after the step of retrieving the target image, the method further includes:
step S80, confirming the current cloud computing service type used by the data using end;
understandably, the cloud server provides a plurality of different cloud computing service types for the data using end to select. The data user can select an appropriate cloud computing service type (including, but not limited to, the following first/second service types) according to actual needs. Correspondingly, different cloud computing service types correspond to different target image starting and running modes. Steps S81, S82 are corresponding steps for two different service types.
Step S81, if the currently used cloud computing service type is the first service type, starting a target mirror image; and after the target image is started, performing step S80;
step S82, if the currently used cloud computing service type is the second service type, starting the virtual machine, resetting the administrator password of the virtual machine to be a random password, and then executing step S80;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
The following is described with reference to the flowchart shown in fig. 4. Take the installed remote access application as an example of a Jupyter application. If the currently used cloud computing Service type is the first Service type (preferably, software as a Service, SaaS, type), a Container Service (Container Service) is used at this time. The container service provides high-performance telescopic container application management service, supports application life cycle management by using a Docker container, provides various application release modes and continuous delivery capability and supports micro-service architecture. After the cloud server is called to download the target image, the target image is directly started at the data providing end, then Jupyter application in the image is started, and corresponding Jupyter service is operated. And then sending the access address of the Jupyter service to the data using end. And the data using end logs in the cloud server, and remotely accesses the access address of the Jupyter service through the cloud server, so as to obtain the local data of the data providing end.
If the currently used cloud computing service type is the second service type (preferably, an infrastructure as a service (IaaS) type), the computing service is used at this time. Based on IaaS services, all the computing infrastructure on the cloud server can be utilized. Therefore, after the cloud server is called to download the target image, the virtual machine is started on the data providing end, and the administrator password on the virtual machine is reset to be the random password. By resetting the password, the security level of the data providing end for receiving the remote access of the cloud server is improved. At this time, due to the starting of the virtual machine, only the Jupyter application in the image needs to be started, and the corresponding Jupyter service is operated. And then sending the access address of the Jupyter service to the data using end. And the data using end logs in the cloud server, and remotely accesses the access address of the Jupyter service through the cloud server, so as to obtain the local data of the data providing end.
In the embodiment, the running way of the corresponding cloud service-based trusted target environment is provided for two specific cloud computing service types, so that the use scenes of the trusted target environment can be enriched, and service choices meeting different user requirements and having different service functions can be provided for users.
In addition, the invention also provides a trusted execution environment implementation device.
Referring to fig. 5, fig. 5 is a schematic diagram showing the components of the functional units of the device. The device comprises:
the system comprises a preparation unit 10, a data providing end and a data processing unit, wherein the preparation unit is used for closing all remote access services of a pre-selected basic operating system of the data providing end and installing a preset type of remote access application program;
and preselecting a corresponding basic operating system based on the specific requirement condition of the trusted execution environment of the cloud server. The cloud server is a broad concept and comprises various servers, platforms and systems belonging to a cloud architecture. Different trusted execution environments can be contained on the cloud server; correspondingly, different trusted execution environments have corresponding specific requirements, which should be determined according to specific situations. For a certain trusted execution environment, a basic operating system running on a data providing end and meeting specific requirements of the trusted execution environment needs to be selected in advance. Then, step S10 is executed. Preferably, the remote access application comprises a Jupyter application. The Jupyter application program is an open-source interactive computing environment tool supporting multiple programming languages, and can realize connection and remote access between a data providing end and a cloud server.
A mirror image creation unit 20 for creating a mirror image of the base operating system;
the implementation of the mirror image making unit 20 to make the mirror image of the base operating system is a mature technology, and will not be described herein.
Optionally, after the mirror image is made, the mirror image making unit 20 is further configured to: trimming the contents of the produced image to delete a preselected type of service of the image. Understandably, the image of the underlying operating system contains several different types of services. "service" as referred to herein is a broad concept, such as various types of functional code, applications, software, and so on. The method has the advantages that the mirror image is trimmed, useless services are deleted, and only basic services related to data sharing are reserved, so that a lightweight mirror image file is constructed, time consumption of uploading the mirror image file to a cloud server is reduced, and the operation efficiency and stability of data sharing are improved.
A digital signature unit 30, configured to add a digital signature to the mirror image, and write the digital signature into a block chain;
in an embodiment, the digital signature may be only a set of digest information (feature information) of the image file generated according to a certain digest algorithm, or an electronic signature obtained by encrypting the digest information. Specifically, a method for signing electronic information by adopting a public key encryption algorithm. For example, a set of digest information (feature information) of the image file is first generated according to a certain digest algorithm, and the digest information is encrypted by a private key of the generated public and private key pair to form a signature file.
The digital signature unit 30 adds the generated digital signature directly to a preset storage area of the image or as an attachment to the image.
The digital signature unit 30 records the digital signature of the image onto the blockchain, that is, records (accounts) the digital signature of the image based on the blockchain technology of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm, etc. The digital signature recorded on the image in the blockchain is modified to leave a modification trace (certificate) that is easy to obtain, so that the digital signature can be used for subsequent verification of the digital signature, and further, the validity of the image is verified (i.e., whether the manufactured image is tampered or not is judged).
The steps described above are a series of steps for mirroring the base operating system. Only one mirror image of each basic operating system needs to be manufactured.
Preferably, the apparatus further includes a mirror uploading unit (not shown in fig. 6) configured to upload the mirror to a cloud storage area;
the image uploading unit uploads the image file added with the digital signature to a preset storage area on the cloud server, and the preset storage area can be an image warehouse specially used for storing the image file of each image. The image file is uploaded to the preset storage area on the cloud server, so that the phenomenon that the image file is illegally tampered when stored in a local environment of a data provider can be avoided, the image file is downloaded only when the trusted execution environment is used for data sharing, and the use flexibility of the image file is improved.
The mirror image searching unit 40 is configured to, when a start instruction of the trusted execution environment is received, search, from the manufactured mirror images, a mirror image of the basic operating system corresponding to the trusted execution environment as a target mirror image;
when the data using end needs to acquire the related data of the data providing end, the data using end logs in the cloud server, sends a data acquisition request to the cloud server and selects a specific trusted execution environment as a target trusted execution environment, so that the cloud server sends a starting instruction of the trusted execution environment to the data providing end. The mirror image searching unit 40 confirms the target trusted execution environment (i.e. the trusted execution environment selected by the data using end) according to the starting instruction; and determining a target image corresponding to the target trusted execution environment based on the incidence relation among the trusted execution environment, the basic operating system and the corresponding image. Such as determining the name and version number of the target image.
A checking unit 50, configured to obtain a digital signature corresponding to the target image from the block chain as a verification digital signature; judging whether the check digital signature is valid;
specifically, the verification unit 50 acquires the position information of the digital signature corresponding to the target image, and extracts the digital signature from the position information of the digital signature.
When determining whether the verification digital signature is valid, the verifying unit 50 is specifically configured to:
a. acquiring a digital signature added to a target mirror image;
for example, a digital signature file of the target image is downloaded from a cloud server. Or after generating the digital signature of the mirror image, storing the digital signature to the local position of the data providing end; when a digital signature added to the target image is required, the digital signature is extracted.
b. Comparing the digital signature of the target image with the verification digital signature;
and if the verification digital signature is not encrypted, directly comparing the digital signature of the target image with the verification digital signature. If the verification digital signature is encrypted by using the public key encryption mode, the public key in the public and private key pair is used for decrypting the verification digital signature, and then the digital signature of the target mirror image is compared with the decrypted verification digital signature.
c. If the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
When the digital signature of the target image is consistent with the verification digital signature, the target image is proved to be not tampered, the safety of the target image passes verification, and the target image is judged to be valid; otherwise, judging that the verification digital signature is invalid, directly finishing the data sharing operation, and sending prompt information of invalid digital signature verification to the data using end or the data providing end so that the data using end or the data providing end can obtain information of verification failure and make relevant countermeasures.
A mirror image retrieving unit 60, configured to retrieve a target mirror image when it is determined that the verification digital signature is valid;
when the target mirror image is judged to be valid, if the target mirror image is stored in the cloud storage area in advance, the mirror image calling unit 60 calls the cloud server and downloads the target mirror image to be stored in the local storage area of the data providing end; if the target image is pre-stored in the local storage area of the data provider, the image retrieving unit 60 directly retrieves and runs the target image.
An application unit 70 for running the installed remote access application program, generating a remote access address of the data provider, and sending the remote access address to the data consumer.
After the target image downloaded from the image storage area of the cloud server passes the digital signature consistency verification, the application unit 70 starts the target image locally at the data providing end, that is, starts the target image operating system. The installed remote access application is launched and run in the mirrored operating system. For example, start the Jupyter program; and based on the Jupyter program, the connection and remote access between the data providing end and the cloud server are realized. At this time, the data provider serves as a destination access port corresponding to a specific remote access address. The remote access address may be generated based on a preset network communication protocol.
And sending the generated remote access address to the data using end. Furthermore, the data user operates at the data user end; correspondingly, the data using end is connected with the cloud server and inputs the remote access address, so that the data providing end under the target mirror image operating system is accessed through the cloud server, corresponding local data are obtained, and the local data are transmitted to the data using end through the cloud server. In this way, the data user can obtain the data from the data provider side.
As shown in the schematic diagrams of the cloud service functional framework shown in fig. 2 and fig. 3, the trusted execution environment in this embodiment is constructed and operated by using a block chain service, a trusted execution environment service, a container service, a mirror service, a computing service, a storage service, a virtualization technology, and a cloud server specifically, and by fusing and applying various services, technologies, and devices, the cloud service-based trusted execution environment in this embodiment is implemented, so as to protect data and algorithms in a data sharing process.
In this embodiment, a mirror image of a basic operating system that closes all remote access services in advance and installs a preset type of remote access application program is made, and a mirror image operating system that can only realize remote access with a cloud server and cannot be accessed by other third parties is created; and adding a digital signature to the mirror image, and recording the digital signature on the block chain to provide verification basis for the subsequent validity verification of the target mirror image. When the data using end needs to acquire the local data of the data providing end, the data providing end runs the installed remote access application program, and generates and sends the remote access address of the data using end to the data using end. Namely, the data providing end can only be remotely accessed through the cloud server, related data can be obtained, and the related data can be transmitted back to the data using end. Therefore, the execution environment is deployed in the cloud server, and the data using end cannot directly contact the physical equipment on one side of the data providing end; meanwhile, the cloud deployment and remote access mode ensures that the input and output links of the execution environment are in a controllable state, so that illegal access to local data of the data providing end is avoided, and meanwhile, the data providing end cannot acquire data and algorithms generated in the process that a data user acquires the data in the cloud execution environment. Therefore, the safety of source data or the safety of an algorithm is effectively guaranteed, and the risks of data leakage and algorithm leakage are reduced.
Further, the application unit 70 is further configured to: a. confirming the type of cloud computing service currently used by a data using end;
understandably, the cloud server provides a plurality of different cloud computing service types for the data using end to select. The data consumer may select an appropriate cloud computing service type (including, but not limited to, the following first/second service types) according to actual needs. Correspondingly, different cloud computing service types correspond to different target image starting and running modes. The following b and c are functional implementations of two different service types of the application unit 70.
b. If the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
c. the application unit is further configured to start the virtual machine if the currently used cloud computing service type is the second service type, reset an administrator password of the virtual machine to a random password, and then execute the steps of: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
The following description is made with reference to the flowchart shown in fig. 4. Take the installed remote access application as an example of a Jupyter application. If the currently used cloud computing Service type is the first Service type (preferably, software as a Service, SaaS, type), a Container Service (Container Service) is used at this time. The container service provides high-performance telescopic container application management service, supports application life cycle management by using a Docker container, provides various application release modes and continuous delivery capability and supports micro-service architecture. After the cloud server is called to download the target image, the target image is directly started at the data providing end, then Jupyter application in the image is started, and corresponding Jupyter service is operated. And then sending the access address of the Jupyter service to the data using end. And the data using end logs in the cloud server, and remotely accesses the access address of the Jupyter service through the cloud server, so as to obtain the local data of the data providing end.
If the currently used cloud computing service type is the second service type (preferably, an infrastructure as a service (IaaS) type), the computing service is used at this time. Based on IaaS services, all the computing infrastructure on the cloud server can be utilized. Therefore, after the cloud server is called to download the target image, the virtual machine is started on the data providing end, and the administrator password on the virtual machine is reset to be the random password. By resetting the password, the security level of the data providing end for receiving the remote access of the cloud server is improved. At this time, due to the starting of the virtual machine, only the Jupyter application in the image needs to be started, and the corresponding Jupyter service is operated. And then sending the access address of the Jupyter service to the data using end. And the data using end logs in the cloud server, and remotely accesses the access address of the Jupyter service through the cloud server, so as to obtain the local data of the data providing end.
In the embodiment, the running way of the corresponding trusted target environment based on the cloud service is provided for two specific cloud computing service types, so that the use scenes of the trusted target environment are enriched, and service choices meeting different user requirements and having different service functions are provided for users.
In addition, the present invention also provides a terminal device, which includes: a memory, a processor, and a trusted execution environment implementation program stored on the memory and executable on the processor, the trusted execution environment implementation program, when executed by the processor, implementing the steps of the trusted execution environment implementation method as described above.
As shown in fig. 6, the terminal device according to the embodiment of the present invention may be various devices/devices for implementing centralized control, such as a computer, a single chip microcomputer, an MCU (micro controller Unit), a smart phone, a tablet computer, and a notebook computer. As shown in fig. 6, fig. 6 is a schematic structural diagram of an operating environment of a trusted execution environment implementation apparatus according to an embodiment of the present invention, where the operating environment specifically includes: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001 described previously.
Those skilled in the art will appreciate that the configuration of the operating environment shown in FIG. 6 does not constitute a limitation of trusted execution environment implementations, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 6, the memory 1005, which is a readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a trusted execution environment implementation program.
In the terminal device shown in fig. 6, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be configured to invoke the trusted execution environment implementation stored in the memory 1005 and perform the following operations:
closing all remote access services of a pre-selected basic operating system of a data providing end, and installing a preset type of remote access application program;
making a mirror image of the basic operating system;
adding a digital signature to the mirror image, and writing the digital signature into a block chain;
when a starting instruction of the trusted execution environment is received, searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image;
acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature;
judging whether the check digital signature is valid; if the image is valid, calling a target mirror image;
and operating the installed remote access application program, generating a remote access address of a data providing end, and sending the remote access address to a data using end.
Further, the processor 1001 may call the trusted execution environment implementation program stored in the memory 1005, and also perform the following operations:
acquiring a digital signature added to a target mirror image;
comparing the digital signature of the target image with the verification digital signature;
if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
Further, the processor 1001 may call the trusted execution environment implementation program stored in the memory 1005, and also perform the following operations:
confirming the type of cloud computing service currently used by a data using end;
if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
if the currently used cloud computing service type is the second service type, starting the virtual machine, resetting an administrator password of the virtual machine to be a random password, and then executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
Further, the processor 1001 may call the trusted execution environment implementation program stored in the memory 1005, and also perform the following operations:
trimming the contents of the produced image to delete a preselected type of service of the image.
Preferably, the remote access application comprises a Jupyter application.
Furthermore, the present invention also provides a readable storage medium, on which a trusted execution environment implementation program is stored, and when being executed by a processor, the trusted execution environment implementation program implements the steps of the embodiments of the trusted execution environment implementation method described above.
The trusted execution environment implementation program, when executed by a processor, performs the following:
closing all remote access services of a pre-selected basic operating system of a data providing end, and installing a preset type of remote access application program;
making a mirror image of the basic operating system;
adding a digital signature to the mirror image, and writing the digital signature into a block chain;
when a starting instruction of the trusted execution environment is received, searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image;
acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature;
judging whether the check digital signature is valid; if the image is valid, calling a target mirror image;
and operating the installed remote access application program, generating a remote access address of a data providing end, and sending the remote access address to a data using end.
Further, the trusted execution environment implementation program, when executed by the processor, further implements operations comprising:
acquiring a digital signature added to a target mirror image;
comparing the digital signature of the target image with the verification digital signature;
if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
Further, the trusted execution environment implementation program, when executed by the processor, further implements operations comprising:
confirming the type of cloud computing service currently used by a data using end;
if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
if the currently used cloud computing service type is the second service type, starting the virtual machine, resetting an administrator password of the virtual machine to be a random password, and then executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
Further, the trusted execution environment implementation program, when executed by the processor, further implements operations comprising:
trimming the contents of the produced image to delete a preselected type of service of the image.
Preferably, the remote access application comprises a Jupyter application.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element identified by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A trusted execution environment implementation method, comprising:
closing all remote access services of a pre-selected basic operating system of a data providing end, and installing a preset type of remote access application program;
making a mirror image of the basic operating system;
adding a digital signature to the mirror image, and writing the digital signature into a block chain;
when a starting instruction of the trusted execution environment is received, searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image;
acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature;
judging whether the check digital signature is valid; if the target mirror image is valid, judging that the target mirror image is valid;
and when the target mirror image is effective, operating the remote access application program installed in the target mirror image, generating a remote access address of a data providing end, and sending the remote access address to a data using end.
2. The method for implementing a trusted execution environment of claim 1, wherein said step of determining whether said check digital signature is valid includes:
acquiring a digital signature added to a target mirror image;
comparing the digital signature of the target image with the verification digital signature;
if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
3. The trusted execution environment implementation method of claim 1, wherein said step of determining that the target image is valid is followed by further comprising:
confirming the type of cloud computing service currently used by a data using end;
if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
if the currently used cloud computing service type is the second service type, starting the virtual machine, resetting an administrator password of the virtual machine to be a random password, and then executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
4. The trusted execution environment implementing method of claim 1, wherein said step of making an image of said base operating system is followed by further comprising:
trimming the contents of the produced image to delete a preselected type of service of the image.
5. The trusted execution environment implementation method of claim 1, wherein the remote access application comprises a Jupyter application.
6. An apparatus for trusted execution environment implementation, the apparatus comprising:
the system comprises a preparation unit, a data providing unit and a data processing unit, wherein the preparation unit is used for closing all remote access services of a pre-selected basic operating system of the data providing end and installing a preset type of remote access application program;
the mirror image making unit is used for making a mirror image of the basic operating system;
the digital signature unit is used for adding a digital signature to the mirror image and writing the digital signature into a block chain;
the mirror image searching unit is used for searching out a mirror image of a basic operating system corresponding to the trusted execution environment from all manufactured mirror images as a target mirror image when a starting instruction of the trusted execution environment is received;
the verifying unit is used for acquiring a digital signature corresponding to the target mirror image from the block chain as a verification digital signature; judging whether the check digital signature is valid or not, and further judging whether the target mirror image is valid or not;
the mirror image calling unit is used for calling a target mirror image when the verification digital signature is judged to be valid;
and the application unit is used for operating the remote access application program installed in the target mirror image, generating a remote access address of a data providing end and sending the remote access address to a data using end.
7. The trusted execution environment implementing apparatus of claim 6, wherein the verification unit is specifically configured to obtain a digital signature added to the target image; comparing the digital signature of the target image with the verification digital signature; if the two are consistent, judging that the target mirror image is effective; otherwise, the target image is judged to be invalid.
8. The trusted execution environment implementing apparatus of claim 6, wherein the application unit is further configured to confirm a type of cloud computing service currently used by the data consumer; if the currently used cloud computing service type is the first service type, starting a target mirror image; and after starting the target image, executing the following steps: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the application unit is further configured to start the virtual machine if the currently used cloud computing service type is the second service type, reset an administrator password of the virtual machine to a random password, and then execute the steps of: the installed remote access application program is operated, a remote access address of a data providing end is generated, and the remote access address is sent to a data using end;
the first service type comprises a software as a service (SaaS) type, and the second service type comprises an infrastructure as a service (IaaS) type.
9. A terminal device, characterized in that the terminal device comprises: a memory, a processor, and a trusted execution environment implementation program stored on the memory and executable on the processor, the trusted execution environment implementation program when executed by the processor implementing the steps of the trusted execution environment implementation method of any one of claims 1 to 5.
10. A readable storage medium having stored thereon a trusted execution environment implementation program, which when executed by a processor implements the steps of the trusted execution environment implementation method of any one of claims 1-5.
CN201811406497.1A 2018-11-23 2018-11-23 Trusted execution environment implementation method and device, terminal device and readable storage medium Active CN109634619B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811406497.1A CN109634619B (en) 2018-11-23 2018-11-23 Trusted execution environment implementation method and device, terminal device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811406497.1A CN109634619B (en) 2018-11-23 2018-11-23 Trusted execution environment implementation method and device, terminal device and readable storage medium

Publications (2)

Publication Number Publication Date
CN109634619A CN109634619A (en) 2019-04-16
CN109634619B true CN109634619B (en) 2022-05-10

Family

ID=66069297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811406497.1A Active CN109634619B (en) 2018-11-23 2018-11-23 Trusted execution environment implementation method and device, terminal device and readable storage medium

Country Status (1)

Country Link
CN (1) CN109634619B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110070300B (en) * 2019-04-29 2022-08-05 百度在线网络技术(北京)有限公司 Data auditing and acquiring method, device, system, equipment and medium
CN111241580B (en) * 2020-01-09 2022-08-09 广州大学 Trusted execution environment-based federated learning method
CN113378174A (en) * 2020-03-10 2021-09-10 续科天下(北京)科技有限公司 Trusted computing method and device
CN111625815B (en) * 2020-05-26 2023-09-26 牛津(海南)区块链研究院有限公司 Data transaction method and device based on trusted execution environment
CN111787116B (en) * 2020-07-07 2021-08-20 上海道客网络科技有限公司 System and method for trusted authentication of container mirror image based on block chain technology
CN111541788B (en) 2020-07-08 2020-10-16 支付宝(杭州)信息技术有限公司 Hash updating method and device of block chain all-in-one machine
CN113971289A (en) 2020-07-08 2022-01-25 支付宝(杭州)信息技术有限公司 Trusted starting method and device of block chain all-in-one machine
CN111562970B (en) * 2020-07-15 2020-10-27 腾讯科技(深圳)有限公司 Container instance creating method and device, electronic equipment and storage medium
CN112491548B (en) * 2020-12-07 2022-12-09 苏州浪潮智能科技有限公司 Cloud platform signature mirror image uploading and deleting method and device
CN112817644A (en) * 2021-01-20 2021-05-18 浪潮电子信息产业股份有限公司 Virtual CD driver generation method, device and computer readable storage medium
CN113703927B (en) * 2021-10-29 2022-02-11 杭州链城数字科技有限公司 Data processing method, privacy computing system, electronic device, and storage medium
CN118153120A (en) * 2024-05-10 2024-06-07 中国科学院微生物研究所 Biological information analysis method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103747036A (en) * 2013-12-23 2014-04-23 中国航天科工集团第二研究院七〇六所 Trusted security enhancement method in desktop virtualization environment
CN106384052A (en) * 2016-08-26 2017-02-08 浪潮电子信息产业股份有限公司 Method for realizing BMC U-boot trusted boot control
US9697371B1 (en) * 2015-06-30 2017-07-04 Google Inc. Remote authorization of usage of protected data in trusted execution environments
CN107729743A (en) * 2016-08-10 2018-02-23 中国电信股份有限公司 The method, apparatus and system started for realizing mobile terminal safety

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103747036A (en) * 2013-12-23 2014-04-23 中国航天科工集团第二研究院七〇六所 Trusted security enhancement method in desktop virtualization environment
US9697371B1 (en) * 2015-06-30 2017-07-04 Google Inc. Remote authorization of usage of protected data in trusted execution environments
CN107729743A (en) * 2016-08-10 2018-02-23 中国电信股份有限公司 The method, apparatus and system started for realizing mobile terminal safety
CN106384052A (en) * 2016-08-26 2017-02-08 浪潮电子信息产业股份有限公司 Method for realizing BMC U-boot trusted boot control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"移动终端TEE技术进展研究";刘志娟等;《信息科技》;20180210(第2期);第84-91页 *

Also Published As

Publication number Publication date
CN109634619A (en) 2019-04-16

Similar Documents

Publication Publication Date Title
CN109634619B (en) Trusted execution environment implementation method and device, terminal device and readable storage medium
CN108628658B (en) License management method and device for container
US10325109B2 (en) Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network
US9407505B2 (en) Configuration and verification by trusted provider
JP4818639B2 (en) Data backup system
KR101794184B1 (en) Application authentication policy for a plurality of computing devices
JP6079875B2 (en) Application execution program, application execution method, and information processing terminal device for executing application
WO2021114614A1 (en) Application program secure startup method and apparatus, computer device, and storage medium
CN107040520B (en) Cloud computing data sharing system and method
TW201337620A (en) Software modification for partial secure memory processing
CN110636057B (en) Application access method and device and computer readable storage medium
CN113297559B (en) Single sign-on method and device, computer equipment and storage medium
US20170005798A1 (en) Binding software application bundles to a physical execution medium
CN111966422A (en) Localized plug-in service method and device, electronic equipment and storage medium
CN109298895B (en) APP management method and device on mobile equipment
CN113835642A (en) Distributed storage network construction method based on IPFS and distributed storage network
US9397995B2 (en) Information processing apparatus and user authentication method
US12107961B2 (en) Connection resilient multi-factor authentication
CN112769565A (en) Method and device for upgrading cryptographic algorithm, computing equipment and medium
CN114791834B (en) Application program starting method and device, electronic equipment and storage medium
CN115130141B (en) Document processing method and device, mobile terminal and storage medium
CN111787019B (en) Information acquisition method and device based on block chain
JP7412835B1 (en) Arithmetic processing device, arithmetic processing system, arithmetic processing method, and arithmetic processing program
CN115577371A (en) Firmware processing method, device and platform
CN117176367A (en) Application sharing method based on block chain, file sharing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220831

Address after: Room 1006, Building 16, Yingcai North 3rd Street, Future Science City, Changping District, Beijing 102200

Patentee after: China Mobile Information Technology Co.,Ltd.

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Patentee before: SHIJINSHI CREDIT SERVICE Co.,Ltd.