CN110647740A - TPM-based container trusted boot method and device - Google Patents

Info

Publication number: CN110647740A
Authority: CN (China)
Prior art keywords: container, tpm, trusted, virtual, mirror image
Legal status: Granted
Application number: CN201810681800.2A
Other languages: Chinese (zh)
Other versions: CN110647740B (en)
Inventors: 王国平, 匡翔宇, 吴承荣
Current assignee: Fudan University
Original assignee: Fudan University
Events: application filed by Fudan University; priority to CN201810681800.2A; publication of CN110647740A; application granted; publication of CN110647740B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention belongs to the technical field of network and information security and relates to a trusted boot method and device for a TPM-based container. The device consists of a physical TPM, an image digest library, a vTPM platform and a virtual TPM. The physical TPM serves as the root of trust; the image digest library uses an improved Merkle trusted-tree structure to store the digest of each image layer of the container; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trust verification for the applications inside the container. Trusted boot of the container is achieved by having the physical TPM verify the image, and the trustworthiness of the applications inside the container is ensured by the virtual TPM. The invention has good compatibility and suits a variety of container implementations; it has high usability, since the specific image layer in error can be located, container start-up is fault tolerant, and the method adapts to rapidly changing containers; and it has good extensibility, since the virtual TPM inside the container is used exactly like a physical device, so that applications in any container can be verified and the trustworthiness of the application layer is ensured.

Description

TPM-based container trusted boot method and device
Technical Field
The invention belongs to the technical field of network and information security and relates to a trusted boot method and device for a container based on a TPM (Trusted Platform Module). Trusted boot of containers on a cloud platform is achieved using trusted-computing devices such as the TPM.
Background
Industry data show that container technology is the next hot topic after big data and cloud computing. As microservice architectures become the mainstream way of building application systems, containers attract more and more attention as the foundation of such architectures. The prior art shows that a container creates a relatively independent operating environment on a host, but unlike a virtual machine it does not need to install its own operating system: the container layer is installed directly on the host system, and a lightweight virtual environment is realised using the host kernel.
Research shows that, to save resources and speed up start-up, containers use a layered image structure: when a container starts, a new writable layer is loaded on top of the image, and each image layer is stored only once and shared by all containers that use it. Consequently, if a bottom image layer is tampered with, the effect spreads to every container created from that image. In addition, because of file-namespace isolation, applications inside a container cannot access root-of-trust devices such as a Trusted Platform Module (TPM) or a Trusted Cryptography Module (TCM), and therefore cannot directly use the trusted-computing support of the TPM or TCM.
To provide trusted-computing support for Docker, Wuhan University proposed 'a trusted container security reinforcement method based on Docker': the hash of every image is computed, the hashes are concatenated and hashed again, and the final result is encrypted by the TPM and stored in a file. The drawback is that once one image is modified it cannot be determined which image is at fault, so all images must be discarded. Meanwhile, processes in the container are monitored with a host whitelist, and the container is forcibly prevented from invoking processes outside the whitelist. This approach limits the scalability of container functions, does not allow customisation for different kinds of containers, and has difficulty meeting the needs of large-scale container clusters with complex and changing conditions.
To ensure the trustworthiness of both the container image layers and the container layer, the inventors propose a method of verifying trusted boot of a container using a physical trusted module. The invention ensures the trustworthiness of the container's production process and provides trusted authentication for the applications on the container.
Disclosure of Invention
The invention aims to provide a method for verifying trusted boot of a container using a physical trusted module, addressing the shortcomings of the prior art; specifically, a trusted boot method and device for a TPM-based container.
The method for verifying trusted boot of a container using a physical trusted module comprises a physical TPM, an image digest library, a vTPM platform and a virtual TPM. The physical TPM serves as the root of trust; the image digest library uses an improved Merkle trusted-tree structure to store the digest of each image layer of the container; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trust verification for the applications in the container. Trusted boot of the container is achieved by verifying the image with the physical TPM, and application trust inside the container is ensured by the virtual TPM.
Compared with the traditional container architecture, the TPM-based container trusted boot method adds, at the operating-system layer, a TPM-authenticated image digest file used for trusted measurement of the container image above it; a vTPM (virtual TPM) platform is added in the container engine, connected to the physical TPM and mapped to multiple virtual TPM devices for containers to use. No software modification is therefore needed in the container layer; only the virtual TPM device set up by the vTPM platform needs to be mounted at start-up.
The container architecture hierarchy of the present invention is shown in FIG. 1.
The container start-up process of the invention comprises the following steps (as shown in FIG. 2):
Step one: after performing trusted boot of the host operating system with the TPM, the user initiates a container start request;
Step two: the container image is measured with the TPM device; if the image is trusted the container is allowed to start, otherwise an alarm is raised and the user is prompted to act according to the type of error. The specific image measurement process is set out below.
Step three: the container starts normally, and at the same time the corresponding virtual TPM device is mounted from the vTPM platform into the system;
Step four: the virtual TPM device inside the container performs trusted measurement of the applications in the container, and trusted applications are started. The specific vTPM mount and measurement process is set out below.
Step five: the applications in the container start and provide service externally. The trusted boot process of the container is then complete.
An important step in measuring the image is verifying the image digest. When computing the image digest, the invention uses an improved Merkle trusted-tree method to improve fault tolerance. For each container, the read-only image part is processed first: the digest of each image layer is computed (digest methods such as SHA or CRC can be used), then the digests are combined pairwise up the tree to obtain the digest of the read-only part. Because the read-write image layer at the top of the container changes frequently, the higher level is recomputed on each modification or at fixed intervals; after system authentication the total digest is computed and the TPM is notified to update the value of the corresponding PCR (Platform Configuration Register). The values of the total digest and the read-only digest are saved in the PCR.
The manner of obtaining the image digest is shown in FIG. 3.
The process of measuring the container image is shown in FIG. 4. After image measurement starts, the relevant digest value is read from the PCR of the TPM device and compared with the locally computed value. If they are the same, trust is confirmed; otherwise the trustworthiness of the read-only image and the read-write image is judged separately. If the read-only image is damaged, the Merkle tree structure is searched and compared against the public or private repository the image came from, the damaged image layer is located level by level, and that part of the image is updated. If the read-write layer is damaged, it is repaired from a trusted backup existing on the host system, or that part of the data is discarded.
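As an added example (not the patent's own code), the digest scheme of FIG. 3 and the measurement of FIG. 4 as runnable Python: the read-only layers form the Merkle tree, the read-write layer is digested separately, the total digest is what the PCR holds, and on mismatch the tree is walked top-down to pinpoint the damaged layer. SHA-256 stands in for the unspecified digest function, the PCR is modelled as a dict holding the total and read-only digests, and the sample layers are constructed.

```python
"""Improved Merkle trusted tree over container image layers (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def digest(data: bytes) -> str:
    # SHA-256 stands in for the "SHA, CRC, etc." the text allows.
    return hashlib.sha256(data).hexdigest()


def merkle_levels(leaves: List[str]) -> List[List[str]]:
    """Build the tree bottom-up: levels[0] holds the layer digests, levels[-1] the root.
    Sibling digests are combined pairwise; an unpaired node is carried up unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(digest((cur[i] + cur[i + 1]).encode()))
            else:
                nxt.append(cur[i])
        levels.append(nxt)
    return levels


@dataclass
class ImageDigest:
    levels: List[List[str]]  # Merkle tree over the read-only layers (kept in the digest library)
    readwrite: str           # digest of the writable top layer, computed separately
    total: str               # H(read-only root || read-write digest): the value written to the PCR

    @property
    def readonly_root(self) -> str:
        return self.levels[-1][0]


def compute_image_digest(readonly_layers: List[bytes], readwrite_layer: bytes) -> ImageDigest:
    levels = merkle_levels([digest(layer) for layer in readonly_layers])
    rw = digest(readwrite_layer)
    return ImageDigest(levels, rw, digest((levels[-1][0] + rw).encode()))


def locate_damaged_layers(local: List[List[str]], reference: List[List[str]]) -> List[int]:
    """Walk both trees top-down, descending only into subtrees whose digests differ,
    so one tampered layer costs O(log n) comparisons instead of checking every layer."""
    if len(local[0]) != len(reference[0]):
        return list(range(len(local[0])))  # layer count changed: re-pull the whole read-only part
    damaged: List[int] = []

    def walk(level: int, idx: int) -> None:
        if local[level][idx] == reference[level][idx]:
            return
        if level == 0:
            damaged.append(idx)
            return
        for child in (2 * idx, 2 * idx + 1):
            if child < len(local[level - 1]):
                walk(level - 1, child)

    walk(len(local) - 1, 0)
    return damaged


def measure_image(pcr: Dict[str, str], local: ImageDigest, library_tree: List[List[str]]) -> Dict:
    """Step two of the boot process: compare the PCR with the local computation and,
    on mismatch, report which part is damaged so the repair can be targeted."""
    if pcr["total"] == local.total:
        return {"trusted": True}
    verdict: Dict = {"trusted": False, "readonly_layers": [], "readwrite_damaged": False}
    if pcr["readonly"] != local.readonly_root:
        # read-only damage: name the exact layers to fetch again from the image repository
        verdict["readonly_layers"] = locate_damaged_layers(local.levels, library_tree)
    # The read-write digest is not stored on its own, but total = H(readonly || readwrite)
    # lets us check it against the recorded read-only root.
    if digest((pcr["readonly"] + local.readwrite).encode()) != pcr["total"]:
        verdict["readwrite_damaged"] = True  # restore a trusted backup or discard the layer
    return verdict


# Constructed sample layers for an Apache image (contents stand in for real layer tarballs).
READONLY_LAYERS = [b"layer0: base os", b"layer1: libs", b"layer2: apache2", b"layer3: config", b"layer4: site"]
READWRITE_LAYER = b"writable top layer"


def demo() -> Dict:
    reference = compute_image_digest(READONLY_LAYERS, READWRITE_LAYER)  # last authenticated state
    pcr = {"total": reference.total, "readonly": reference.readonly_root}
    tampered = list(READONLY_LAYERS)
    tampered[2] = b"layer2: apache2 with an extra module"
    local = compute_image_digest(tampered, READWRITE_LAYER)
    return measure_image(pcr, local, reference.levels)  # -> readonly_layers == [2]


if __name__ == "__main__":
    print(demo())
```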
The trusted boot flow of an application in the container is shown in FIG. 5. When the container starts, the vTPM platform generates a corresponding virtual TPM that is provided only to that container; in this step the corresponding device files are generated and the mapping between the virtual PCRs and the physical PCRs is completed, then the files are mounted under the container's /dev folder, so that the container sees the virtual TPM as a real TPM device. The TPM device collects key information on the current system state, computes a digest of the key system files and stores it in the virtual PCR. The decision about which applications require trusted authentication can be left to the container itself: when trusted authentication is required, the digest information is recorded, compared before start-up, and the application is allowed to start if it matches the record.
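The per-container virtual TPM flow of FIG. 5 as an added Python example (not the patent's code): a vTPM platform provisions one virtual TPM per container on first start, maps virtual PCRs onto physical PCR indices, extends key-file digests into a virtual PCR, and applies the record-then-compare policy for applications, using the Apache case of Embodiment 1 as constructed data. The class names, the PCR map, the device path and the replace semantics given to the `bind` command are assumptions.

```python
"""Per-container virtual TPM with record-then-compare application measurement (added example)."""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VirtualTPM:
    def __init__(self, container_id: str, pcr_map: Dict[int, int]):
        self.container_id = container_id
        self.pcr_map = pcr_map                          # virtual PCR index -> physical PCR index
        self.vpcrs = {i: "00" * 32 for i in pcr_map}    # every virtual PCR starts at zero
        self.device_path = f"/dev/vtpm-{container_id}"  # assumed name; mounted under the container's /dev
        self.records: Dict[str, str] = {}               # app name -> digest recorded for trusted authentication

    def extend(self, vpcr: int, measurement_hex: str) -> str:
        """TPM-style extend: PCR = H(PCR || measurement). Order matters and nothing can be
        un-extended, so the final value commits to the whole measured sequence."""
        data = bytes.fromhex(self.vpcrs[vpcr]) + bytes.fromhex(measurement_hex)
        self.vpcrs[vpcr] = sha256_hex(data)
        return self.vpcrs[vpcr]

    def measure_system_files(self, files: Dict[str, bytes], vpcr: int) -> str:
        # Key system files go into the virtual PCR in a fixed (sorted) order so the result is reproducible.
        for path in sorted(files):
            self.extend(vpcr, sha256_hex(files[path]))
        return self.vpcrs[vpcr]

    def bind(self, vpcr: int, new_value_hex: str) -> None:
        """Assumed semantics of the text's "bind" command: after the read-write layer is
        modified and authenticated, the PCR takes the hash of the new layer."""
        self.vpcrs[vpcr] = new_value_hex

    def record_application(self, name: str, binary: bytes) -> str:
        """The container decides which applications need trusted authentication; this stores
        the reference digest, i.e. the 'configured for trusted audit' state of step four."""
        self.records[name] = sha256_hex(binary)
        return self.records[name]

    def authorize_application(self, name: str, binary: bytes) -> str:
        """'unconfigured': the user must configure trust first; 'trusted': allow start;
        'untrusted': exit and alarm, as in step five of Embodiment 1."""
        if name not in self.records:
            return "unconfigured"
        return "trusted" if sha256_hex(binary) == self.records[name] else "untrusted"


class VTPMPlatform:
    """Lives in the container engine and hands out one VirtualTPM per container on first start."""
    PHYSICAL_PCR_BASE = 16  # assumed: virtual PCR k of a container maps to physical PCR 16 + k

    def __init__(self) -> None:
        self.instances: Dict[str, VirtualTPM] = {}

    def provision(self, container_id: str, n_vpcrs: int = 4) -> VirtualTPM:
        if container_id not in self.instances:  # generated only when the container first starts
            pcr_map = {k: self.PHYSICAL_PCR_BASE + k for k in range(n_vpcrs)}
            self.instances[container_id] = VirtualTPM(container_id, pcr_map)
        return self.instances[container_id]


# Constructed sample data for the Apache-in-Docker embodiment.
SYSTEM_FILES = {"/etc/passwd": b"root:x:0:0", "/etc/apache2/apache2.conf": b"ServerRoot /etc/apache2"}
APACHE_BIN = b"constructed bytes standing in for /usr/sbin/apache2"


def demo() -> Dict[str, str]:
    platform = VTPMPlatform()
    vtpm = platform.provision("web-1")
    vtpm.measure_system_files(SYSTEM_FILES, vpcr=0)
    first = vtpm.authorize_application("apache2", APACHE_BIN)          # not yet configured
    vtpm.record_application("apache2", APACHE_BIN)                      # configure trusted audit
    second = vtpm.authorize_application("apache2", APACHE_BIN)         # matches the record
    third = vtpm.authorize_application("apache2", APACHE_BIN + b"X")   # modified binary
    return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    print(demo())
```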
The method of the invention has the following advantages:
This patent provides a trusted boot tool for containers that authenticates each image layer of the container and authenticates the applications inside the container through a virtual TPM device, thereby providing a scheme for trusted boot of both the container and the applications inside it. It includes:
1. Good compatibility
The invention is suitable for many container implementations: any container conforming to the OCI (Open Container Initiative) standard, including containers such as rkt, can be used, and it can be deployed in many container orchestration engines, including Kubernetes, Docker Swarm, Mesos and others;
2. High usability
The invention uses the improved Merkle trusted-tree method and can locate the specific image layer in error; even if part of the image has been tampered with, the container can still start if the part it depends on is trusted. Because the digests of the read-only and read-write images are computed separately, the invention adapts to rapidly changing containers;
3. Good extensibility
A virtual TPM device is set up in each container and handed to the container for use; inside the container it appears no different from a real physical TPM, and it can be used to verify various applications in various containers, ensuring the trustworthiness of the application layer.
The terms used in the invention are described in Table 1 below:
TABLE 1: terminology of the invention (present in the source only as an image; not reproduced here)
Drawings
FIG. 1 is a schematic diagram of the container architecture hierarchy according to the present invention.
FIG. 2 is a schematic view of the container start-up process of the present invention.
FIG. 3 is a schematic diagram of the image digest acquisition method according to the present invention.
FIG. 4 is a schematic diagram of the process for measuring the container image according to the present invention.
FIG. 5 is a flowchart illustrating trusted boot of an application in a container according to the present invention.
FIG. 6 is a schematic view of the operation flow of Embodiment 1 of the present invention.
The specific embodiments are as follows:
example 1
The implementation process is described with reference to FIG. 6, which illustrates trusted boot of a Docker container providing an Apache HTTP service.
Step one: the host operating system boots in trusted mode; the user then initiates a request to start a Docker container providing HTTP service. This step assumes the user has started this Docker container before; otherwise the vTPM platform intervenes and mounts a virtual TPM into the container;
Step two: the image measurement module intervenes to audit whether each layer of the image has been tampered with. If layers have been tampered with, the corresponding read-only and read-write countermeasures are applied to repair them: an error in a read-only layer is first pinpointed by hierarchical digest comparison and that image layer is then fetched again from the cluster's image repository; an error in the read-write layer can be repaired by restoring a trusted backup, and if no backup exists the read-write layer is discarded and the user is notified in advance;
Step three: if the image is trusted, the Docker container starts, initialisation completes and the virtual TPM device is loaded. If the image is not trusted, an alarm is raised and the Docker container is refused start-up;
Step four: if Apache was previously configured for trusted auditing, the Apache application is measured with the virtual TPM device to determine whether it is trusted; otherwise the required application is configured for trust according to the user's needs.
Step five: if the application is trusted, Apache starts inside the Docker container; if it is not trusted, the process exits and an alarm prompt is given to the user. During use, if the read-write layer is modified, the PCR value can be updated by calling the virtual TPM's bind command with the hash of the new read-write layer.
Example 2
Building on Embodiment 1, in this embodiment the TPM device is replaced with a TCM (Trusted Cryptography Module) device, which uses different cryptographic algorithms but works on a similar principle;
Docker in this embodiment is replaced with another container runtime, such as CoreOS's rkt;
Apache in this embodiment may be replaced with any other application program.
Because the method is a back-end technology and all analysis and processing are completed in the background, it cannot be determined exactly whether others infringe. If a virtual TPM device is found in another party's container system, infringement may be suspected.

Claims (6)

1. A TPM-based trusted container boot method, characterised in that trusted boot of the container is verified using a physical trusted module, wherein the container comprises a physical TPM, an image digest library, a vTPM platform and a virtual TPM, and: the physical TPM serves as the root of trust; the image digest library uses an improved Merkle trusted-tree structure to store the digest of each image layer of the container; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trust verification for the applications in the container; trusted boot of the container is achieved through verification of the image by the physical TPM, and application trust inside the container is ensured through the virtual TPM.
2. The TPM-based trusted container boot method according to claim 1, wherein a TPM-certified image digest file is added at the operating-system layer for trusted measurement of the container image above it; a vTPM (virtual TPM) platform is added in the container engine, connected to the physical TPM and mapped to a plurality of virtual TPM devices for containers to use; no software modification is needed in the container layer, and only the virtual TPM device set up by the vTPM platform is mounted at start-up.
3. The TPM-based trusted container boot method according to claim 1, wherein the container boot process comprises:
step one: after performing trusted boot of the host operating system with the TPM, the user initiates a container start request;
step two: the container image is measured with the TPM device; if the image is trusted the container is allowed to start, otherwise an alarm is raised and the user is prompted to act according to the type of error;
step three: the container starts normally, and at the same time the corresponding virtual TPM device is mounted from the vTPM platform into the system;
step four: the virtual TPM device inside the container performs trusted measurement of the applications in the container, and trusted applications are started;
step five: the applications in the container start and provide service externally.
4. The TPM-based trusted container boot method according to claim 1, wherein, in computing the image digests, fault tolerance is improved by using a modified Merkle trusted-tree method in which, for each container, the read-only image part is processed first: the digest of each image layer is computed, the digests are then combined pairwise, and the digest of the read-only part is obtained; at the higher level, on each modification or at intervals, after system authentication the total digest is computed and the TPM is notified to update the value of the corresponding PCR (Platform Configuration Register); the values of the total digest and the read-only digest are saved in the PCR.
5. The TPM-based trusted container boot method according to claim 1, wherein measuring the container image comprises: after image measurement starts, reading the relevant digest value from the PCR of the TPM device and comparing it with the locally computed value; confirming trust if they are the same, and otherwise judging the trustworthiness of the read-only image and the read-write image separately; if the read-only image is damaged, querying the Merkle tree structure to compare against the public or private repository the image came from, locating the damaged image layer level by level and updating that part of the image; and if the read-write layer is damaged, repairing it from a trusted backup existing on the host system or discarding that part of the data.
6. The TPM-based trusted container boot method according to claim 1, wherein the trusted boot process of an application in the container comprises: when the container starts, the vTPM platform generates a corresponding virtual TPM that is provided only to that container; in this step the corresponding device files are generated and the mapping between the virtual PCRs and the physical PCRs is completed; the files are then mounted under the container's /dev folder, so that the container sees the virtual TPM as a real TPM device; the TPM device collects key information on the current system state, computes a digest of the key system files and stores it in the virtual PCR; and for the applications the container has determined to require trusted authentication, the digest information is compared with the record before start-up, so that an application whose digest matches the record may start.
Application CN201810681800.2A, priority date 2018-06-27, filing date 2018-06-27: Container trusted starting method and device based on TPM (Active; granted as CN110647740B (en))

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810681800.2A CN110647740B (en) 2018-06-27 2018-06-27 Container trusted starting method and device based on TPM

Publications (2)

Publication Number Publication Date
CN110647740A true CN110647740A (en) 2020-01-03
CN110647740B CN110647740B (en) 2023-12-05

Family

ID=68988833

Country Status (1)

Country Link
CN (1) CN110647740B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113032736A (en) * 2021-03-05 2021-06-25 海能达通信股份有限公司 Encryption and decryption method of Docker layered mirror image and related device
CN113391880A (en) * 2021-06-21 2021-09-14 西安超越申泰信息科技有限公司 Trusted mirror image transmission method for layered double hash verification
CN113536361A (en) * 2021-09-15 2021-10-22 统信软件技术有限公司 Method and device for realizing trusted reference library and computing equipment
CN113791786A (en) * 2021-09-23 2021-12-14 安然 APP page control automation method and device based on IOS system
CN114048485A (en) * 2021-11-12 2022-02-15 四川大学 Dynamic monitoring method for integrity of process code segment in Docker container
CN114780168A (en) * 2022-03-30 2022-07-22 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment
CN115098895A (en) * 2022-07-18 2022-09-23 中国联合网络通信集团有限公司 Docker container local mirror image tampering detection method, Docker container local mirror image tampering detection starting method, Docker container local mirror image tampering detection device and Docker container local mirror image tampering detection equipment
CN115314495A (en) * 2022-08-08 2022-11-08 国网智能电网研究院有限公司 Container reinforcement system and reinforcement method for 5G edge computing node
CN117971347A (en) * 2024-03-28 2024-05-03 中国人民解放军国防科技大学 TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101539973A (en) * 2009-04-28 2009-09-23 北京交通大学 Method of seamless operation of integrity measurement technology in trusted virtual domain
WO2011149329A1 (en) * 2010-05-26 2011-12-01 Mimos Berhad Method of providing trusted application services
CN102722665A (en) * 2012-05-22 2012-10-10 中国科学院计算技术研究所 Method and system for generating trusted program list based on trusted platform module (TPM)/virtual trusted platform module (VTPM)
CN103747036A (en) * 2013-12-23 2014-04-23 中国航天科工集团第二研究院七〇六所 Trusted security enhancement method in desktop virtualization environment
CN104715183A (en) * 2013-12-13 2015-06-17 中国移动通信集团公司 Trusted verifying method and equipment used in running process of virtual machine
CN105069353A (en) * 2015-08-11 2015-11-18 武汉大学 Security reinforcement method for credible container based on Docker
CN105956465A (en) * 2016-05-04 2016-09-21 浪潮电子信息产业股份有限公司 Method for constructing virtual trusted platform based on VTPM
CN106354550A (en) * 2016-11-01 2017-01-25 广东浪潮大数据研究有限公司 Method, device and system for protecting security of virtual machine

Also Published As

Publication number Publication date
CN110647740B (en) 2023-12-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant