CN110032870B - Safety guiding method and system of virtual machine monitor and hardware safety monitoring card - Google Patents


Info

Publication number: CN110032870B
Authority: CN (China)
Prior art keywords: virtual machine, machine monitor, security monitoring, card, hardware
Legal status: Active
Application number: CN201910250109.3A
Other languages: Chinese (zh)
Other versions: CN110032870A
Inventor: not disclosed
Current assignee: Wangyu Safety Technology Shenzhen Co ltd
Original assignee: Wangyu Safety Technology Shenzhen Co ltd
Application filed by Wangyu Safety Technology Shenzhen Co ltd; priority to CN201910250109.3A; publication of CN110032870A; application granted; publication of CN110032870B.

Classifications

    • G06F21/575 Secure boot (under G06F21/57 Certifying or maintaining trusted computer platforms; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/45533 Hypervisors; Virtual machine monitors; G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines)
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances


Abstract

The invention relates to a secure boot method and system for a virtual machine monitor, and to a hardware security monitoring card. The secure boot method comprises the following steps: the hardware security monitoring card establishes a communication link with a security monitoring center; it acquires a dynamic IP address and PXE information according to a first request from a PXE client; it acquires a static image file of the virtual machine monitor according to a second request from the PXE client and the acquired PXE information, and stores the static image file; it checks whether the TFTP server and the static image provided by the TFTP server are credible, either by redirecting the TFTP server to the security monitoring center or by communicating directly with the security monitoring center, and sends the check result to the security monitoring center; and when the static image is credible, it expands the image of the virtual machine monitor from the stored static image file so that the processor can access and run the virtual machine monitor. By implementing the technical scheme of the invention, the correctness of the virtual machine monitor at start-up can be ensured.

Description

Safety guiding method and system of virtual machine monitor and hardware safety monitoring card
Technical Field
The invention relates to the field of information security, in particular to a secure boot method and a secure boot system for a virtual machine monitor and a hardware security monitoring card.
Background
Most current cloud computing servers use X86 chips. The chip manufacturers Intel and AMD have added hardware virtualization extensions to the X86 chip to support isolation between the virtual machine monitor and the virtual machine operating systems and to improve virtualization efficiency. Intel Virtualization Technology (Intel VT) advances virtualization from pure software to processor-level virtualization; Intel Virtualization Technology for Directed I/O (Intel VT-d) advances it to platform-level and input/output-level virtualization. That is, VT virtualizes the processor and memory, and VT-d virtualizes peripherals such as the network.
The X86 processor supports VMX root operation and VMX non-root operation. The VMM/Hypervisor (virtual machine monitor) runs in VMX root operation, and the operating system and applications in a virtual machine run in VMX non-root operation. Each environment has four privilege levels, so a virtual machine running in VMX non-root operation can use all four privilege levels (ring 0/1/2/3) without privilege compression to make room for the VMM. In VT, Intel designed the Virtual-Machine Control Structure (VMCS) to support switching between the two environments. It contains a Guest-State Area and a Host-State Area that store the state of the virtual machine and of the physical host, and it provides two operations, VM entry and VM exit, that switch between root and non-root operation (i.e. between the VMM and the virtual machine). In the VM-execution control fields of the VMCS, the user can specify which instructions and which events, when executed or occurring in a virtual machine in VMX non-root operation, trigger a VM exit and a switch to VMX root operation, so that the VMM regains control. With these designs, VT technology solves the isolation problem of virtual machines while also solving the performance problem of virtualization.
The virtual machine monitor runs at the lowest layer of the X86 processor, closest to the physical host, and the isolation of virtual machines and the security of the guest operating systems running in them rely on the privilege level design and hardware virtualization of the X86 hardware. However, just as the X86 computing environment does not fully secure an operating system running directly on it, it does not fully secure the virtual machine monitor running on it either. There is no effective means of guaranteeing the high reliability and high credibility of the virtual machine monitor when it is started and while it runs. Once the virtual machine monitor is attacked, the security isolation between virtual machines is broken, the virtual machines are completely controlled, and the traditional security assurance means used within a single virtual machine fail completely, with catastrophic consequences. Ensuring the security of the virtual machine monitor is therefore one of the keys to ensuring the security of computing nodes and of cloud computing.
As regards the security of the X86 computing environment and of the virtual machine monitor itself, the following problems exist:
1. Virtual machine escape. The virtual machine monitor allocates the physical resources of the shared host and provides isolation for each virtual machine. Under normal conditions, a program running in a virtual machine cannot tell whether it is running in a virtual machine, and cannot affect other virtual machines managed by the virtual machine monitor. However, because of technical limitations and potential bugs in the virtualization software, specially constructed scenarios exist in which a program running in a virtual machine bypasses the virtual machine's operating system and the virtual machine monitor and interacts directly with the physical host system, thereby gaining the ability to completely control other virtual machines under the same virtual machine monitor. Virtual machine escape completely breaks the isolation between virtual machines established by the virtual machine monitor, breaks through the confines of the virtual machine, and obtains system privileges and data of other virtual machines managed by the same virtual machine monitor.
2. X86 has an execution mode with higher privilege than the root virtualization environment in which the virtual machine monitor resides. SMM (System Management Mode) is a CPU execution mode that Intel introduced into the x86 architecture after the 386 SL. SMM is transparent to the operating system, which has no control over when the system enters SMM and no knowledge of whether SMM code has been executed. Entering and leaving SMM is completely transparent to non-SMM software (e.g. the operating system or VMM). On entry to SMM, the CPU saves all registers of the physical CPU, and any other public or undocumented state that needs saving, to a location in SMRAM, then jumps directly to a specific entry address in SMRAM and executes. On exit, the CPU automatically restores all the state saved on entry and returns to the interrupted code to continue executing. The interrupted program (virtual machine monitor, operating system in a virtual machine, or application code in a virtual machine) is therefore unaware of SMM. SMM is extremely powerful and acts as an unchallenged ruler within the X86 chip. Once these characteristics are exploited by malicious code, every security check and assurance mechanism declared in the official documents can be bypassed, and the security of the virtual machine monitor cannot be guaranteed at all.
3. Trust in and dependency on X86 system hardware. In an X86 system, the processor core, the bridge chips, the high-speed IO network card chips and the like are large-scale black boxes. There is ample room in them to hide malicious logic that is triggered under certain conditions and operates outside all the authority constraints declared in the officially published documents, and that cannot be discovered or defended against by any software or hardware security mechanism that relies on the X86 system for scheduling and execution.
At present, the virtual machine monitor is usually booted from a storage component connected via USB/SATA/SAS, but directly accessing local external storage carries the hidden danger that the static image or the dynamic running image of the virtual machine monitor is attacked.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a secure boot method and system for a virtual machine monitor, and a hardware security monitoring card, addressing the potential security hazard in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows: a secure boot method of a virtual machine monitor is constructed, and the secure boot method is applied to a server or a workstation, wherein the server or the workstation comprises a processor and a BIOS device, and the secure boot method comprises the following steps:
establishing a communication link between a hardware security monitoring card and a security monitoring center, wherein the hardware security monitoring card is installed on the server or workstation and stores a virtual machine monitor;
the hardware security monitoring card acquires dynamic IP and PXE information from a DHCP server according to a first request of a PXE client of a BIOS device, wherein the PXE information comprises a virtual machine monitor file position and a TFTP server address;
the hardware security monitoring card acquires a static image file of the virtual machine monitor from the TFTP server according to a second request of the PXE client and the acquired PXE information, and stores the static image file;
the hardware security monitoring card checks whether the TFTP server and the static image provided by the TFTP server are credible or not by redirecting the TFTP server to a security monitoring center or directly communicating with the security monitoring center, and sends a check result to the security monitoring center;
and when the static image is credible, the hardware security monitoring card expands the image of the virtual machine monitor according to the stored static image file so as to allow the processor to access and operate the virtual machine monitor stored in the hardware security monitoring card.
Preferably, before the image of the virtual machine monitor is expanded, the method further comprises:
and the hardware security monitoring card performs signature check on the static image through communication with the PXE client side and sends a check result to a security monitoring center.
Preferably, after the processor accesses and runs the virtual machine monitor, the method further comprises:
and the hardware security monitoring card performs detection analysis on the dynamic image of the virtual machine monitor according to a first detection strategy acquired from the security monitoring center and sends a detection analysis result to the security monitoring center.
Preferably, after the processor accesses and runs the virtual machine monitor, the method further comprises:
and the hardware security monitoring card performs detection analysis on the virtual machine monitor according to a second detection strategy acquired from the security monitoring center and sends a detection analysis result to the security monitoring center.
Preferably, the processor accessing and running the virtual machine monitor stored in the hardware security monitoring card comprises:
the processor accessing and running, through a PCIe interface, the virtual machine monitor stored in the hardware security monitoring card.
Preferably, after passing the identity authentication, the hardware security monitoring card logs in the security monitoring center to establish a communication link with the security monitoring center.
Preferably, the hardware security monitoring card is connected to the Ethernet switch through an Ethernet interface, and after passing identity authentication, logs in the security monitoring center to establish a communication link with the security monitoring center.
The invention also constructs a hardware security monitoring card, which is installed on a server or a workstation, and comprises a memory and a controller, wherein the memory stores a virtual machine monitor and a computer program, and the controller realizes the steps of the security booting method when executing the computer program.
The invention also constructs a secure boot system of a virtual machine monitor, comprising at least one server or workstation, wherein the server or workstation comprises a processor and a BIOS device, and further comprising:
a safety monitoring center;
and a hardware security monitoring card installed on the server or workstation, which is the hardware security monitoring card described above.
Preferably,
the security monitoring center is used for managing the distribution of the virtual machine monitors running on the servers or workstations; it is also used for managing the access of the hardware security monitoring card and the establishment of the communication link; it is also used for managing and distributing the detection strategies executed by the hardware security monitoring card; it is also used for receiving and summarizing the detection and analysis results of the hardware security monitoring card and determining, according to these results, whether to raise a security attack alarm; and it is also used for detecting the running state of the hardware security monitoring card and analysing faults.
By implementing the technical scheme of the invention, the PXE client in the BIOS device obtains the static image file of the virtual machine monitor through the hardware security monitoring card, and the static image file is stored in the hardware security monitoring card. A trusted link is established between the hardware security monitoring card and the security monitoring center, and the static image can be subjected to a signature check, so that the correctness and integrity of the static image of the virtual machine monitor can be ensured. In addition, after the boot process is completed, execution can be switched seamlessly to the virtual machine monitor in the hardware security monitoring card. Compared with the prior art, the method can therefore resist various software and hardware attacks aimed at the virtual machine monitor in the X86 environment, and thereby ensure the correctness of the virtual machine monitor when it is started.
Drawings
In order to illustrate the embodiments of the invention more clearly, the drawings that are needed in the description of the embodiments will be briefly described below, it being apparent that the drawings in the following description are only some embodiments of the invention, and that other drawings may be derived from those drawings by a person skilled in the art without inventive effort. In the drawings:
FIG. 1 is a flowchart of a first embodiment of a secure boot method of a virtual machine monitor according to the present invention;
fig. 2 is a logical structure diagram of a first embodiment of the secure boot system of the virtual machine monitor according to the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings.
The embodiments/examples described herein are specific embodiments of the present invention, are intended to be illustrative of the concepts of the present invention, are intended to be illustrative and exemplary, and should not be construed as limiting the embodiments and scope of the invention. In addition to the embodiments described herein, those skilled in the art will be able to employ other technical solutions which are obvious based on the disclosure of the claims and the specification of the present application, and these technical solutions include those which make any obvious replacement or modification of the embodiments described herein, and all of which are within the scope of the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Fig. 1 is a flowchart of a first embodiment of a secure boot method of a virtual machine monitor according to the present invention, where the secure boot method of the virtual machine monitor is applied to a server or a workstation, and the server or the workstation includes a processor and a BIOS (basic input output system) device, where the processor is an X86 processor. Moreover, the secure boot method of the virtual machine monitor of this embodiment includes the steps of:
S10, establishing a communication link between a hardware security monitoring card and a security monitoring center, wherein the hardware security monitoring card is installed on the server or workstation and stores a virtual machine monitor;
s20, the hardware security monitoring card acquires dynamic IP and PXE information from a DHCP server according to a first request of a PXE client of the BIOS device, wherein the PXE information comprises a virtual machine monitor file position and a TFTP server address;
s30, the hardware security monitoring card acquires a static image file of the virtual machine monitor from the TFTP server according to a second request of the PXE client and the acquired PXE information, and stores the static image file;
s40, the hardware security monitoring card checks whether the TFTP server and the static image provided by the TFTP server are credible or not by redirecting the TFTP server to a security monitoring center or directly communicating with the security monitoring center, and sends a check result to the security monitoring center;
and S50, when the static image is credible, the hardware security monitoring card expands the image of the virtual machine monitor according to the stored static image file so that the processor can access and operate the virtual machine monitor stored in the hardware security monitoring card.
In this embodiment, the BIOS of the server or workstation is set to boot from PXE (Preboot Execution Environment). The PXE client in the BIOS device obtains the static image file of the virtual machine monitor through the Hardware Security Monitor card (HSM), and the static image file is stored in the hardware security monitoring card. A trusted link is established between the hardware security monitoring card and the security monitoring center, and the static image can be subjected to a signature check, so that the correctness and integrity of the static image of the virtual machine monitor can be ensured. In addition, after the boot process is completed, execution can be switched seamlessly to the virtual machine monitor in the hardware security monitoring card. Compared with the prior art, the method can therefore resist various software and hardware attacks aimed at the virtual machine monitor in the X86 environment, and thereby ensure the correctness of the virtual machine monitor when it is started.
In one embodiment, step S10 includes: after passing the identity authentication, the hardware security monitoring card logs in the security monitoring center to establish a communication link with the security monitoring center, so that the hardware security monitoring card can establish a confidential and credible communication link with the security monitoring center.
In a preferred embodiment, between step S40 and step S50, the method further includes:
and the hardware security monitoring card performs signature check on the static image through communication with the PXE client side and sends a check result to a security monitoring center. Specifically, the PXE client may perform a double signature check on the virtual machine monitor static image by using a TPM or the like.
In this embodiment, in the X86 system boot phase, the PXE client in the hardware security monitor card and the BIOS device confirms the correctness and integrity of the static image of the virtual machine monitor by overlaying the double signature check.
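The boot sequence S10 to S50 together with the double signature check, as an added example that is not part of the patent: a Python model in which the card logs in to the monitoring center, relays the PXE/DHCP and TFTP steps, asks the center whether the TFTP server and the image it served are credible, runs the two independent signature checks, and expands the image only when every check passes. The class and key names, the use of HMAC-SHA256 in place of the unspecified signature scheme, and all addresses, paths and image bytes are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of the boot flow S10-S50 plus the double signature check.
# HMAC-SHA256 stands in for the signature scheme, which the patent leaves open;
# every key, address, path and image below is made-up test data.
VENDOR_KEY = b"vendor-key-provisioned-by-center"   # checked by the card itself
TPM_KEY = b"bios-tpm-attestation-key"              # checked by the PXE client


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class SecurityMonitoringCenter:
    """Trust data the card consults (login secrets, allowed TFTP servers and
    the digest each published image must have) plus the reports it receives."""

    def __init__(self, card_secrets: dict, trusted_tftp: dict):
        self._card_secrets = card_secrets      # card_id -> shared secret
        self._trusted_tftp = trusted_tftp      # tftp address -> {path: sha256 hex}
        self.reports = []

    def login(self, card_id: str, nonce: bytes, proof: bytes) -> bool:
        secret = self._card_secrets.get(card_id)
        return secret is not None and hmac.compare_digest(proof, sign(secret, nonce))

    def is_trusted(self, tftp_addr: str, path: str, digest_hex: str) -> bool:
        return self._trusted_tftp.get(tftp_addr, {}).get(path) == digest_hex

    def report(self, card_id: str, check: str, ok: bool) -> None:
        self.reports.append((card_id, check, ok))


class PxeClient:
    """BIOS-side PXE client; performs the second, independent signature check."""

    def verify(self, image: bytes, tpm_sig: bytes) -> bool:
        return hmac.compare_digest(tpm_sig, sign(TPM_KEY, hashlib.sha256(image).digest()))


class HardwareSecurityMonitoringCard:
    def __init__(self, card_id: str, secret: bytes):
        self.card_id, self._secret = card_id, secret
        self.center = self.pxe_info = self.image = self.vmm_memory = None

    def establish_link(self, center):           # S10: authenticated login to the center
        nonce = secrets.token_bytes(16)
        if not center.login(self.card_id, nonce, sign(self._secret, nonce)):
            raise PermissionError("security monitoring center rejected the card")
        self.center = center

    def handle_dhcp(self, dhcp_reply: dict):    # S20: keep file location + TFTP address
        self.pxe_info = {"tftp": dhcp_reply["next-server"], "path": dhcp_reply["filename"]}

    def fetch_image(self, tftp_servers: dict):  # S30: the image stays inside the card
        self.image = tftp_servers[self.pxe_info["tftp"]][self.pxe_info["path"]]

    def check_source(self) -> bool:             # S40: are the TFTP server and image credible?
        digest_hex = hashlib.sha256(self.image).hexdigest()
        ok = self.center.is_trusted(self.pxe_info["tftp"], self.pxe_info["path"], digest_hex)
        self.center.report(self.card_id, "tftp-source", ok)
        return ok

    def double_signature_check(self, pxe_client, vendor_sig: bytes, tpm_sig: bytes) -> bool:
        digest = hashlib.sha256(self.image).digest()
        card_ok = hmac.compare_digest(vendor_sig, sign(VENDOR_KEY, digest))
        ok = card_ok and pxe_client.verify(self.image, tpm_sig)   # both checks must pass
        self.center.report(self.card_id, "double-signature", ok)
        return ok

    def expand_image(self, trusted: bool):      # S50: expose only a trusted image over PCIe
        self.vmm_memory = b"EXPANDED:" + self.image if trusted else None
        return self.vmm_memory


def secure_boot(card, center, dhcp_reply, tftp_servers, pxe_client, vendor_sig, tpm_sig):
    """Runs S10-S50 in order; returns the PCIe-visible image, or None if a check failed."""
    card.establish_link(center)
    card.handle_dhcp(dhcp_reply)
    card.fetch_image(tftp_servers)
    trusted = card.check_source() and card.double_signature_check(pxe_client, vendor_sig, tpm_sig)
    return card.expand_image(trusted)


def build_scenario(tamper: bool = False):
    """Constructed setup; with tamper=True the TFTP server serves a modified image."""
    good = b"hypervisor-static-image-v1"
    served = good + b"#modified" if tamper else good
    center = SecurityMonitoringCenter(
        {"card-01": b"card-01-secret"},
        {"10.0.0.5": {"/boot/vmm.img": hashlib.sha256(good).hexdigest()}})
    tftp_servers = {"10.0.0.5": {"/boot/vmm.img": served}}
    dhcp_reply = {"next-server": "10.0.0.5", "filename": "/boot/vmm.img"}
    good_digest = hashlib.sha256(good).digest()
    card = HardwareSecurityMonitoringCard("card-01", b"card-01-secret")
    memory = secure_boot(card, center, dhcp_reply, tftp_servers, PxeClient(),
                         sign(VENDOR_KEY, good_digest), sign(TPM_KEY, good_digest))
    return memory, center.reports
```

A modified image is already rejected at S40 because the center knows the expected digest, so the double signature check is never reached and only one report is sent; with a matching image both checks run and both results reach the center.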
On the basis of the above embodiment, after the step S50, the method further includes:
and the hardware security monitoring card performs detection analysis on the dynamic image of the virtual machine monitor according to a first detection strategy acquired from the security monitoring center and sends a detection analysis result to the security monitoring center.
In this embodiment, the hardware security monitoring card independently and autonomously schedules various dynamic security checks and analyses of the virtual machine monitor image according to the detection strategy distributed by the security monitoring center, without depending on scheduling by the X86 environment. Software and hardware attacks aimed at the X86 environment therefore cannot interfere with, tamper with or bypass the card's checks of the running virtual machine monitor image. This ensures the reliability of the running image, lays a good foundation for the secure operation of the virtual machine monitor, and makes the static and dynamic checks seamless.
On the basis of the above embodiment, after the step S50, the method further includes:
and the hardware security monitoring card performs detection analysis on the virtual machine monitor according to a second detection strategy acquired from the security monitoring center and sends a detection analysis result to the security monitoring center.
In the embodiment, the hardware security monitoring card performs check analysis on the virtual machine monitor stored in the hardware security monitoring card according to a detection strategy distributed by the security monitoring center, the check is performed in parallel with the X86, the scheduling execution of the X86 environment is not interfered, and the execution efficiency of the virtual machine and the application on the X86 platform is not reduced.
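The two detection strategies described above (the first over the dynamic image the processor executes, the second over the virtual machine monitor stored in the card), as an added example that is not part of the patent: the center derives golden page digests from the verified static image and pushes one strategy per target; the card's controller hashes the pages itself and reports mismatches, and the center raises an alarm on any mismatch. The page layout, the policy format, the distinction between code and data pages, and the test data are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model of the two runtime detection strategies. The first checks the
# dynamic (running) image the processor executes over PCIe, the second checks the
# static virtual machine monitor kept in card storage. Page layout, policy format
# and the tampering below are made-up test data, not anything from the patent.
PAGE_SIZE = 4096
CODE_PAGES = [0, 1, 2]   # must never change while the VMM runs
DATA_PAGE = 3            # writable state the VMM legitimately updates


def page_digest(memory, page: int) -> str:
    return hashlib.sha256(bytes(memory[page * PAGE_SIZE:(page + 1) * PAGE_SIZE])).hexdigest()


@dataclass
class DetectionStrategy:
    """One policy entry distributed by the security monitoring center."""
    name: str     # "dynamic-image" (first strategy) or "stored-vmm" (second strategy)
    pages: list   # pages whose contents must equal the golden digests
    golden: dict  # page -> sha256 hex taken from the verified static image


@dataclass
class HardwareSecurityMonitoringCard:
    stored_vmm: bytes            # static image kept in card storage (S30)
    running_image: bytearray     # expanded image the X86 side executes via PCIe (S50)
    results: list = field(default_factory=list)

    def run_strategy(self, strategy: DetectionStrategy) -> dict:
        # The card's own controller hashes the pages; nothing here is scheduled by the X86 host.
        target = self.running_image if strategy.name == "dynamic-image" else self.stored_vmm
        mismatched = [p for p in strategy.pages if page_digest(target, p) != strategy.golden[p]]
        result = {"strategy": strategy.name, "mismatched_pages": mismatched}
        self.results.append(result)          # sent to the center as the detection analysis result
        return result


class SecurityMonitoringCenter:
    def __init__(self, verified_static_image: bytes):
        golden = {p: page_digest(verified_static_image, p) for p in range(4)}
        self.strategies = [
            # running image: only code pages are compared, the data page may change
            DetectionStrategy("dynamic-image", CODE_PAGES, golden),
            # stored image: every page must still match what was verified at boot
            DetectionStrategy("stored-vmm", CODE_PAGES + [DATA_PAGE], golden),
        ]

    def evaluate(self, results: list) -> list:
        """Summarise the card's reports; any mismatch becomes a security attack alarm."""
        return [(r["strategy"], r["mismatched_pages"]) for r in results if r["mismatched_pages"]]


def simulate(tamper_code: bool = False) -> list:
    """Boot a fake 4-page VMM, let it update its data page, optionally patch a code page."""
    static_image = b"".join(bytes([0x90 + i]) * PAGE_SIZE for i in range(4))   # constructed
    card = HardwareSecurityMonitoringCard(static_image, bytearray(static_image))
    center = SecurityMonitoringCenter(static_image)
    card.running_image[DATA_PAGE * PAGE_SIZE] = 0xFF        # legitimate runtime write
    if tamper_code:
        start = 1 * PAGE_SIZE + 16                           # constructed in-memory patch
        card.running_image[start:start + 4] = b"PTCH"
    for strategy in center.strategies:
        card.run_strategy(strategy)
    return center.evaluate(card.results)
```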
In a preferred embodiment, in step S50, the processor accessing and running the virtual machine monitor stored in the hardware security monitoring card comprises:
the processor accessing and running, through a PCIe interface, the virtual machine monitor stored in the hardware security monitoring card.
In this embodiment, the hardware security monitor card has a PCIe interface and can be connected to the X86 processor through the PCIe interface, and due to the high bandwidth and low latency of PCIe and the cache systems of the respective stages of the X86 processor, the performance loss caused by the virtual machine monitor stored inside the hardware security monitor card can be reduced to a relatively small degree.
In a preferred embodiment, in step S10, the hardware security monitoring card is connected to the ethernet switch via the ethernet interface, and after passing the identity authentication, logs in to the security monitoring center to establish a communication link with the security monitoring center.
In this embodiment, the hardware security monitoring card is provided with an ethernet interface, and can be connected to an ethernet switch through the ethernet interface, and further connected to the security monitoring center. Of course, in other embodiments, the connection mode between the hardware security monitoring card and the security monitoring center may be replaced by other physical connections, or the IO interface of the X86 computing environment may be multiplexed.
Fig. 2 is a logical structure diagram of a first embodiment of the secure boot system of the virtual machine monitor according to the present invention, and the secure boot system of this embodiment includes a plurality of servers or workstations 10, …, 20 (although in other embodiments, the number of servers or workstations may also be one), and a security monitoring center 30. The logical structure of the server or the workstation in the present invention is described below by taking the server or the workstation 10 as an example, and it should be understood that the logical structure of other servers or workstations is similar or identical to that of the server or the workstation, and is not described herein again.
The server or workstation 10 comprises a hardware security monitoring card 11, a BIOS device 12 and a processor 13, wherein the hardware security monitoring card 11 comprises a memory (not shown) and a controller (not shown); the memory stores a virtual machine monitor and a computer program, and the controller implements the steps of the secure boot method of the above embodiments when executing the computer program.
Further, the security monitoring center 30 is used for managing the distribution of the virtual machine monitors running on the servers or workstations; it is also used for managing the access of the hardware security monitoring card and the establishment of the communication link; it is also used for managing and distributing the detection strategies executed by the hardware security monitoring card; it is also used for receiving and summarizing the detection and analysis results of the hardware security monitoring card and determining, according to these results, whether to raise a security attack alarm; and it is also used for detecting the running state of the hardware security monitoring card and analysing faults.
The secure boot process of the virtual machine monitor is specifically described below for a server or workstation of a cloud computing environment:
The security monitoring center pre-stores the virtual machine monitors suitable for use by the servers/workstations, the detection strategies executed by the hardware security monitoring cards, the detection analysis results, and the security attack alarm and handling procedures.
After the hardware security monitoring card is powered on and passes identity authentication, the hardware security monitoring card is registered and logged in a security monitoring center, so that a confidential and credible communication link is established between the hardware security monitoring card and the security monitoring center.
When the server/workstation is powered on, the BIOS initializes the X86 environment, and the PXE client in the BIOS requests the DHCP server to obtain the dynamic IP and PXE related information (virtual machine monitor file location/TFTP server address) through the hardware security monitor card. Then, the PXE client in the BIOS also requests the TFTP server through the hardware security monitor card to obtain the static image file of the virtual machine monitor, and stores the static image file in the hardware security monitor card. The hardware security monitoring card can redirect the TFTP server to the security monitoring center, or contact the security monitoring center to confirm whether the TFTP server and the image provided by the TFTP server are credible. In addition, the security monitoring master in the hardware security monitoring card and the PXE client in the BIOS can also overlap double-signature check to confirm the correctness and the integrity of the static image of the virtual machine monitor in the X86 system boot phase. When it is confirmed that the virtual machine monitor static image is authentic, the hardware security monitor card expands the executable image of the virtual machine monitor in the appropriate memory space within the card, which the X86 processor can access via PCIe.
And after the safety boot of the virtual machine monitor is finished, the hardware safety monitoring card opens the space for the X86 computational core to access, and simultaneously starts to execute detection analysis on the virtual machine monitor running image of the space according to the strategy configured by the center and reports the result to the safety monitoring center. In addition, the X86 computing environment receives a unified schedule of the cloud computing operating system by PCIe executing a virtual machine monitor stored in the hardware security monitor card, and schedules the virtual machine on this physical machine.
And after the virtual machine finishes running, the virtual machine monitor is closed, and the hardware safety monitoring card is released from connection with the safety monitoring center.
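The DHCP/PXE step above, as an added example that is not the patent's own code: the card parses the DHCP reply the PXE client receives, extracts the offered IP, the TFTP server and the boot file (options 66/67, falling back to the fixed siaddr/file header fields), and then decides whether to fetch from that server or redirect the fetch to the security monitoring center. The DHCPOFFER is constructed in the block, and the trusted-server list and the center address are assumptions of the example; the patent does not say how the center expresses which TFTP servers it vouches for.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 DHCP option magic cookie
OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END, OPT_PAD = 53, 66, 67, 255, 0


def parse_dhcp_options(payload):
    """Decode the TLV option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = bytes(payload[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def parse_pxe_info(packet):
    """Pull the offered IP, TFTP server and boot file out of a DHCP reply.
    Options 66/67 take precedence over the fixed siaddr/file header fields."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    yiaddr = IPv4Address(packet[16:20])            # 'your' (offered) address
    siaddr = IPv4Address(packet[20:24])            # next-server address
    file_field = packet[108:236].split(b"\x00", 1)[0]
    opts = parse_dhcp_options(packet[240:])
    tftp = opts.get(OPT_TFTP_SERVER, b"").decode() or str(siaddr)
    bootfile = (opts.get(OPT_BOOTFILE) or file_field).decode()
    return {"ip": str(yiaddr), "tftp_server": tftp, "bootfile": bootfile}


def decide_tftp_source(pxe, trusted_tftp_servers, center_address):
    """Card-side decision from the description: fetch from the offered server
    only if the center vouches for it, otherwise redirect the fetch to the
    center. Trusted list and center address are assumptions of this example."""
    if pxe["tftp_server"] in trusted_tftp_servers:
        return ("fetch", pxe["tftp_server"], pxe["bootfile"])
    return ("redirect", center_address, pxe["bootfile"])


def build_offer(yiaddr, siaddr, tftp_name=None, bootfile="vmm.img"):
    """Constructed DHCPOFFER for the example; not a captured packet."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6               # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[4:8] = b"\x12\x34\x56\x78"                 # transaction id
    hdr[16:20] = IPv4Address(yiaddr).packed
    hdr[20:24] = IPv4Address(siaddr).packed
    opts = bytes([OPT_MSG_TYPE, 1, 2])             # DHCPOFFER
    if tftp_name is None:
        hdr[108:108 + len(bootfile)] = bootfile.encode()   # legacy 'file' field
    else:
        opts += bytes([OPT_TFTP_SERVER, len(tftp_name)]) + tftp_name.encode()
        opts += bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode()
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    info = parse_pxe_info(build_offer("10.0.0.50", "10.0.0.5", "10.0.0.7", "vmm/hypervisor.bin"))
    print(info, decide_tftp_source(info, {"10.0.0.7"}, "10.0.0.100"))
```

The fallback to siaddr and the file field matters in practice: PXE firmware honours those header fields when options 66/67 are absent, so a trust decision that only looks at the options would let a reply carrying the server in siaddr slip through unchecked.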
Using the hardware security monitoring card to boot the virtual machine monitor effectively guarantees the security of the virtual machine monitor in the cloud computing environment. The advantages are mainly the following:
1. The BIOS device, the hardware security monitoring card and the security monitoring center form a seamlessly connected, independently controllable path for securely booting the virtual machine monitor, which practically guarantees the correctness of the static image of the virtual machine monitor and lays a sound foundation for guaranteeing its correctness during the subsequent running stage;
2. The security monitoring master in the hardware security monitoring card and the PXE client in the BIOS (Basic Input/Output System) perform an overlapping double-signature check, confirming the correctness and integrity of the static image of the virtual machine monitor during the X86 system boot stage;
3. After secure boot finishes, execution switches directly to the virtual machine monitor inside the hardware security monitoring card, and the card's internal inspection and analysis are triggered at the same time, so the static and dynamic security checks of the virtual machine monitor image join seamlessly and leave no security gap;
4. The hardware security monitoring card independently and autonomously schedules the various dynamic security check analyses of the virtual machine monitor image and does not depend on scheduling by the X86 environment. Against the various software and hardware attack means available in the X86 environment, the card's detection and analysis of the virtual machine monitor image cannot be interfered with, tampered with or bypassed, which ensures the reliability of the running image of the virtual machine monitor;
5. The virtual machine monitor is stored in the hardware security monitoring card, and the card inspects and analyzes it in parallel with the X86 processor, so the scheduling and execution of the X86 environment are not disturbed and the execution efficiency of virtual machine applications on the X86 platform is not reduced;
6. Because the card is connected to the X86 computing environment over PCIe, the high bandwidth and low latency of PCIe together with the X86 cache hierarchy keep the performance loss from storing the virtual machine monitor in the hardware security monitoring card small.
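Points 2 to 4 above, as an added example that is not the patent's own code: the static image carries two signatures, one checked by the PXE client in the BIOS and one by the security monitoring master in the card, and only when both verify is the image expanded into card memory; from then on the card runs its detection policy on the expanded image on its own schedule, so a patch applied through the PCIe window is caught regardless of what the X86 side does. The patent names neither the signature scheme, the static image container, nor the policy format, so the block assumes HMAC-SHA256 as a stand-in for the two signatures, zlib as the static container, and a policy that simply lists the immutable regions of the image; keys, the VMM executable and the policy are all constructed.

```python
import hashlib
import hmac
import zlib

# Constructed keys for this example. The patent names no signature scheme, so
# HMAC-SHA256 stands in for the two independent signatures on the static image.
BIOS_VENDOR_KEY = b"constructed-bios-vendor-key"
CENTER_KEY = b"constructed-security-center-key"


def _sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def build_static_image(executable):
    """What the TFTP server serves: the executable in its static container
    (zlib here, an assumption), carrying one signature for each checker."""
    body = zlib.compress(executable)
    return {
        "body": body,
        "vendor_sig": _sign(BIOS_VENDOR_KEY, body),  # checked by the PXE client
        "center_sig": _sign(CENTER_KEY, body),       # checked by the card
    }


def pxe_client_check(static):
    """BIOS side of the overlapping double-signature check."""
    return hmac.compare_digest(_sign(BIOS_VENDOR_KEY, static["body"]), static["vendor_sig"])


def card_check(static):
    """Security-monitoring-master side of the double-signature check."""
    return hmac.compare_digest(_sign(CENTER_KEY, static["body"]), static["center_sig"])


class SecurityMonitoringCard:
    """Holds the expanded VMM image and runs the detection policy on it."""

    def __init__(self, policy):
        self.policy = policy     # hypothetical policy format from the center
        self.memory = None       # expanded image, later exposed to X86 over PCIe
        self.reference = {}      # per-region hashes recorded right after expansion
        self.reports = []        # what gets sent to the security monitoring center

    def _region_hash(self, name):
        start, length = self.policy["immutable"][name]
        return hashlib.sha256(bytes(self.memory[start:start + length])).hexdigest()

    def secure_boot(self, static):
        """Accept the image only if both signatures verify, then expand it."""
        if not (pxe_client_check(static) and card_check(static)):
            self.reports.append(("boot", "rejected", "double-signature check failed"))
            return False
        self.memory = bytearray(zlib.decompress(static["body"]))
        self.reference = {name: self._region_hash(name) for name in self.policy["immutable"]}
        self.reports.append(("boot", "ok", dict(self.reference)))
        return True

    def detect(self):
        """Runtime check on the card's own schedule: every region the policy
        marks immutable must still hash as it did at boot. Returns the names
        of the regions that changed."""
        tampered = [name for name in self.policy["immutable"]
                    if self._region_hash(name) != self.reference[name]]
        self.reports.append(("detect", "alert" if tampered else "ok", tampered))
        return tampered


# Constructed VMM executable: a code region followed by a writable data region.
VMM_CODE = b"\xcc" * 48
VMM_DATA = b"\x00" * 16
VMM_EXECUTABLE = VMM_CODE + VMM_DATA
# Hypothetical detection policy from the center: only the code region is immutable.
POLICY = {"immutable": {"text": (0, len(VMM_CODE))}}


def run_demo():
    card = SecurityMonitoringCard(POLICY)
    booted = card.secure_boot(build_static_image(VMM_EXECUTABLE))
    # The X86 side legitimately updates VMM data over PCIe: no alert expected.
    card.memory[len(VMM_CODE):len(VMM_CODE) + 4] = b"\x01\x02\x03\x04"
    after_data_write = card.detect()
    # Then something patches the first bytes of VMM code: the card flags it.
    card.memory[0:4] = b"\xe9\x00\x00\x00"
    after_code_patch = card.detect()
    return booted, after_data_write, after_code_patch


if __name__ == "__main__":
    print(run_demo())
```

The point of keeping two independent checks is that an attacker who obtains the vendor key (or the BIOS verification path) still cannot get an image past the card, and vice versa; the test in the block's usage below rejects an image whose vendor signature is valid but whose center signature is not.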
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (9)

1. A secure boot method for a virtual machine monitor, applied to a server or workstation that comprises a processor and a BIOS device, characterized in that the method comprises the following steps:
establishing a communication link between a hardware security monitoring card and a security monitoring center, wherein the hardware security monitoring card is installed in the server or workstation and stores the virtual machine monitor;
the hardware security monitoring card acquiring a dynamic IP and PXE information from a DHCP server according to a first request from a PXE client of the BIOS device, wherein the PXE information comprises a virtual machine monitor file location and a TFTP server address;
the hardware security monitoring card acquiring a static image file of the virtual machine monitor from the TFTP server according to a second request from the PXE client and the acquired PXE information, and storing the static image file;
the hardware security monitoring card checking whether the TFTP server and the static image it provides are trustworthy, either by redirecting the TFTP request to the security monitoring center or by communicating directly with the security monitoring center, and sending the check result to the security monitoring center;
when the static image is trustworthy, the hardware security monitoring card expanding the image of the virtual machine monitor from the stored static image file so that the processor can access and run the virtual machine monitor stored in the hardware security monitoring card;
and the hardware security monitoring card performing detection analysis on the dynamic image of the virtual machine monitor according to a first detection policy acquired from the security monitoring center and sending the detection analysis result to the security monitoring center.
2. The secure boot method of a virtual machine monitor according to claim 1, further comprising, before expanding the image of the virtual machine monitor:
the hardware security monitoring card performing a signature check on the static image in cooperation with the PXE client and sending the check result to the security monitoring center.
3. The secure boot method of a virtual machine monitor according to claim 1, further comprising, after the processor accesses and runs the virtual machine monitor:
the hardware security monitoring card performing detection analysis on the virtual machine monitor according to a second detection policy acquired from the security monitoring center and sending the detection analysis result to the security monitoring center.
4. The secure boot method of a virtual machine monitor according to claim 1, wherein the processor accesses and runs the virtual machine monitor stored in the hardware security monitoring card through a PCIe interface.
5. The secure boot method of a virtual machine monitor according to claim 1, wherein
after passing identity authentication, the hardware security monitoring card logs in to the security monitoring center to establish the communication link with the security monitoring center.
6. The secure boot method of a virtual machine monitor according to claim 5, wherein
the hardware security monitoring card is connected to an Ethernet switch through an Ethernet interface and, after passing identity authentication, logs in to the security monitoring center to establish the communication link with the security monitoring center.
7. A hardware security monitoring card installed in a server or workstation, comprising a memory and a controller, wherein the memory stores a virtual machine monitor and a computer program, and the controller, when executing the computer program, implements the steps of the secure boot method according to any one of claims 1 to 6.
8. A secure boot system for a virtual machine monitor, comprising at least one server or workstation, the server or workstation comprising a processor and a BIOS device, the system further comprising:
a security monitoring center; and
a hardware security monitoring card installed in the server or workstation, the hardware security monitoring card being the hardware security monitoring card of claim 7.
9. The secure boot system of a virtual machine monitor according to claim 8, wherein
the security monitoring center is used for managing the distribution of the virtual machine monitors running on the server or workstation; for managing the access of the hardware security monitoring card and the establishment of its communication link; for managing and distributing the detection policy executed by the hardware security monitoring card; for receiving and summarizing the detection and analysis results from the hardware security monitoring card and determining from them whether to generate a security attack alarm; and for detecting the running state of the hardware security monitoring card and analyzing its faults.
CN201910250109.3A 2019-03-29 2019-03-29 Safety guiding method and system of virtual machine monitor and hardware safety monitoring card Active CN110032870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910250109.3A CN110032870B (en) 2019-03-29 2019-03-29 Safety guiding method and system of virtual machine monitor and hardware safety monitoring card

Publications (2)

Publication Number Publication Date
CN110032870A CN110032870A (en) 2019-07-19
CN110032870B true CN110032870B (en) 2020-10-02

Family

ID=67236942

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910250109.3A Active CN110032870B (en) 2019-03-29 2019-03-29 Safety guiding method and system of virtual machine monitor and hardware safety monitoring card

Country Status (1)

Country Link
CN (1) CN110032870B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101276284A (en) * 2007-03-27 2008-10-01 英特尔公司 System and method for increasing platform network boot efficiency
CN102033755A (en) * 2009-09-30 2011-04-27 国际商业机器公司 Method and system for running virtual machine mirror image
CN104221325A (en) * 2012-04-30 2014-12-17 思科技术公司 System and method for secure provisioning of virtualized images in network environment
CN108874459A (en) * 2017-05-10 2018-11-23 华为机器有限公司 Quick start method and device based on virtualization technology

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008033392A (en) * 2006-07-26 2008-02-14 Nec Corp Virtual computer system and operation method thereof

Also Published As

Publication number Publication date
CN110032870A (en) 2019-07-19

Similar Documents

Publication Publication Date Title
US11200080B1 (en) Late load technique for deploying a virtualization layer underneath a running operating system
JP5055380B2 (en) Protection agent and privileged mode
US9465652B1 (en) Hardware-based mechanisms for updating computer systems
US9372984B2 (en) Authenticated launch of virtual machines and nested virtual machine managers
US9898609B2 (en) Trusted boot of a virtual machine
US9189247B2 (en) Method for switching between virtualized and non-virtualized system operation
US8156298B1 (en) Virtualization-based security apparatuses, methods, and systems
US9323563B2 (en) Determining virtual machine migration in view of a migration rule
US20180165224A1 (en) Secure encrypted virtualization
US20140053272A1 (en) Multilevel Introspection of Nested Virtual Machines
US8584229B2 (en) Methods and apparatus supporting access to physical and virtual trusted platform modules
US10592434B2 (en) Hypervisor-enforced self encrypting memory in computing fabric
Nanavati et al. Cloud security: A gathering storm
US20140025961A1 (en) Virtual machine validation
WO2009123640A1 (en) Virtual machine manager system and methods
US11163597B2 (en) Persistent guest and software-defined storage in computing fabric
US10430261B2 (en) Detecting a guest operating system crash on a virtual computing instance
US9824225B1 (en) Protecting virtual machines processing sensitive information
EP3514720B1 (en) Data structure measurement comparison
US9785492B1 (en) Technique for hypervisor-based firmware acquisition and analysis
US9734325B1 (en) Hypervisor-based binding of data to cloud environment for improved security
KR20130101648A (en) Apparatus and method for providing security for virtualization
US11645400B2 (en) Secured interprocess communication
Morgan et al. Design and implementation of a hardware assisted security architecture for software integrity monitoring
US11675902B2 (en) Security detection system with privilege management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant