CN111159716A - Safety protection method and electronic equipment - Google Patents

Safety protection method and electronic equipment Download PDF

Info

Publication number
CN111159716A
CN111159716A CN201911349197.9A CN201911349197A CN111159716A CN 111159716 A CN111159716 A CN 111159716A CN 201911349197 A CN201911349197 A CN 201911349197A CN 111159716 A CN111159716 A CN 111159716A
Authority
CN
China
Prior art keywords
virtual
machine
key
target
physical machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911349197.9A
Other languages
Chinese (zh)
Other versions
CN111159716B (en
Inventor
郭双拴
闻征涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN201911349197.9A priority Critical patent/CN111159716B/en
Publication of CN111159716A publication Critical patent/CN111159716A/en
Application granted granted Critical
Publication of CN111159716B publication Critical patent/CN111159716B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a safety protection method and electronic equipment, wherein the method comprises the following steps: sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys; and receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for carrying out security verification on an object loaded by the virtual machine, so that the security guarantee of the virtual machine is improved.

Description

Safety protection method and electronic equipment
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a security protection method and an electronic device.
Background
A Virtual Machine (VM) has a Secure Boot function, and the Secure Boot function of the VM is implemented by virtualizing a Unified Extensible Firmware Interface (UEFI) Firmware through a Virtual Machine monitoring module (Hypervisor).
For UEFI firmware of a virtual machine (referred to as virtual UEFI firmware), the core foundation for realizing the Secure Boot function of the virtual machine is a public key certificate, however, the public key certificate of the virtual machine is stored in a host system in a file form, and the public key certificate is very vulnerable to attack and tampering. Once the public key certificate is tampered, an attacker can mount the operating system and the driver in the virtual machine at will, and the result is not obvious.
Disclosure of Invention
The embodiment of the application provides a safety protection method, electronic equipment and a computer storage medium.
The safety protection method provided by the embodiment of the application comprises the following steps:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
The safety protection method provided by the embodiment of the application comprises the following steps:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
The safety protection method provided by the embodiment of the application comprises the following steps:
the method comprises the steps that a virtual machine receives a loading instruction aiming at a target program, and a target virtual key on a main board of a physical machine is loaded on the virtual machine;
and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
The electronic equipment that this application embodiment provided includes:
a sending unit, configured to send a creation instruction to a motherboard of a physical machine, where the creation instruction is used to trigger the motherboard of the physical machine to create one or more virtual keys;
a receiving unit, configured to receive a target virtual key in the one or more virtual keys sent by a motherboard of the physical machine;
and the loading unit is used for loading the target virtual key on the virtual machine, wherein the target virtual key is used for carrying out security verification on the object loaded by the virtual machine.
The electronic equipment that this application embodiment provided includes:
the receiving unit is used for receiving a creation instruction sent by the virtual machine monitoring module;
the creating unit is used for responding to the creating instruction and creating one or more virtual keys on a main board of the physical machine;
a sending unit, configured to send a target virtual key in the one or more virtual keys, where the target virtual key may be loaded on a virtual machine, and perform security verification on an object loaded by the virtual machine.
The electronic equipment that this application embodiment provided includes:
a receiving unit, configured to receive a load instruction for a target program, where a target virtual key on a motherboard of a physical machine is loaded on a virtual machine;
the verification unit is used for responding to the loading instruction and performing security verification on the target program by using the target virtual key;
and the loading unit is used for determining whether to load the target program or not based on the verification result.
The electronic equipment that this application embodiment provided includes: a processor and a memory for storing executable instructions capable of being executed on the processor, wherein the processor is configured to execute any of the steps of the above-described security protection method when executing the executable instructions.
The computer storage medium provided by the embodiment of the application stores computer instructions, and the computer instructions, when executed by the processor, implement any steps of the above security protection method.
In the technical solution of the embodiment of the present application, one or more virtual keys are created on a motherboard of a physical machine, and a virtual machine monitoring module loads one of target virtual keys on the motherboard of the physical machine on the virtual machine when creating the virtual machine, so that the virtual machine can perform security verification on an object to be loaded by using the target virtual key. By adopting the technical scheme of the embodiment of the application, the virtual key of the virtual machine comes from the mainboard of the physical machine, so that the virtual machine is not easy to be tampered, the virtual machine has the same safety capability of the hardware level of the mainboard as the physical machine, and the safety guarantee of the virtual machine is improved.
Drawings
Fig. 1 is a first schematic flow chart of a security protection method according to an embodiment of the present application;
FIG. 2 is an architecture diagram of a physical machine provided by an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating a second security protection method according to an embodiment of the present application;
fig. 4 is a third schematic flowchart of a security protection method according to an embodiment of the present application;
fig. 5 is a first schematic structural component diagram of an electronic device according to an embodiment of the present disclosure;
fig. 6 is a schematic structural composition diagram ii of an electronic device according to an embodiment of the present application;
fig. 7 is a schematic structural component diagram of a virtual machine according to an embodiment of the present application;
fig. 8 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present application.
Detailed Description
Various exemplary embodiments of the present application will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the application, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a first schematic flow chart of a security protection method provided in an embodiment of the present application, and as shown in fig. 1, the security protection method includes the following steps:
step 101: sending a creating instruction to a main board of the physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys.
In the embodiment of the present application, the architecture of the physical machine may be divided into three parts: a Main Board (MB), a Kernel (Kernel), and a User Space (User Space). The main board of the physical machine belongs to the hardware part, and the inner core and the user space of the physical machine belong to the software part. Typically, the operating system and drivers run in the kernel, and the applications run in the user space.
In this embodiment of the present application, a virtual machine monitoring module (Hypervisor) sends a creation instruction to a motherboard of a physical machine. Here, the virtual machine monitoring module runs in the user space, and the virtual machine monitoring module located in the user space may interact with the main board of the physical machine by:
a kernel driving module is arranged in a kernel of the physical machine and used for providing a virtual key creating interface; and the virtual machine monitoring module calls a virtual key creation interface provided by the kernel driving module and sends a creation instruction to a mainboard of the physical machine.
For example, referring to fig. 2, a kernel driver module uefi.ko is newly added to a kernel of the physical machine, and the uefi.ko is used to provide a virtual Key creation interface, and the user space may schedule the virtual Key creation interface to create a virtual Key (vKey). In specific implementation, the virtual machine monitoring module provides a virtual key creation interface for a user, the user can set the number of vkeys to be created to be an N, N positive integer through the virtual key creation interface, after the setting is completed, the user executes a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creation interface to send a creation instruction to a main board of the physical machine, and the creation instruction is used for triggering the main board of the physical machine to create one or more virtual keys.
In an embodiment, the virtual key creation interface provided by the kernel driver module has a virtual key deletion function in addition to the virtual key creation function. Specifically, the virtual machine monitoring module calls a virtual key creation interface provided by the kernel driver module, and sends a deletion instruction to the motherboard of the physical machine, where the deletion instruction is used to trigger the motherboard of the physical machine to execute one of the following operations: deleting all virtual keys; the specified virtual key or keys are deleted.
In specific implementation, the virtual machine monitoring module provides a virtual key editing interface for a user, the user can select one or more virtual keys from the created virtual keys through the virtual key editing interface to delete the virtual keys, or select all the virtual keys to delete the virtual keys, and after the selection is completed, the user performs a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creating interface to send a deletion instruction to a mainboard of the physical machine, so that the mainboard of the physical machine is triggered to delete one or more specified virtual keys or delete all the virtual keys.
Step 102: receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
In the embodiment of the application, the mainboard of the physical machine is provided with UEFI firmware, and the UEFI firmware is provided with a physical key. The UEFI firmware is added with a function of virtualizing a physical key, namely one or more virtual keys can be virtualized based on the physical key. The virtualized one or more virtual keys are also stored on the motherboard, for example, in a Non-Volatile Random Access Memory (NVRAM) on the motherboard. It should be noted that the virtual key and the physical key are both stored on the motherboard, and thus they have the same security capability of the motherboard hardware level. The UEFI firmware opens an interface for calling the virtual key in the storage module (such as the NVRAM) through the kernel, so that the virtual machine monitoring module receives a target virtual key in the one or more virtual keys sent by the mainboard of the physical machine directly through the interface when the virtual machine is created.
In this embodiment of the present application, a virtual UEFI (virtual UEFI) firmware is provided on a virtual motherboard of the virtual machine, and the virtual machine monitoring module loads the target virtual key on the virtual UEFI firmware of the virtual machine when creating the virtual machine. It should be noted that, the virtual machine monitoring module may also be understood to bind the target virtual key to the virtual machine when the target virtual key is loaded on the virtual machine.
According to the technical scheme of the embodiment of the application, the virtual key of the virtual machine comes from the mainboard of the physical machine, so that the virtual machine is not easy to tamper, the virtual machine has the same safety capability of the hardware level of the mainboard as the physical machine, and the safety guarantee of the virtual machine is improved.
Fig. 3 is a schematic flowchart of a second security protection method provided in an embodiment of the present application, and as shown in fig. 3, the security protection method includes the following steps:
step 301: and receiving a creation instruction sent by the virtual machine monitoring module.
In the embodiment of the present application, the architecture of the physical machine may be divided into three parts: mainboard, kernel and user space. The main board of the physical machine belongs to the hardware part, and the inner core and the user space of the physical machine belong to the software part. Typically, the operating system and drivers run in the kernel, and the applications run in the user space.
In this embodiment of the present application, a motherboard of a physical machine receives a creation instruction sent by a virtual machine monitoring module. Here, the virtual machine monitoring module runs in the user space, and the main board of the physical machine may interact with the virtual machine monitoring module located in the user space by:
a kernel driving module is arranged in a kernel of the physical machine and used for creating an interface for providing a virtual key; and the main board of the physical machine receives a creation instruction sent by the virtual machine monitoring module through a virtual key creation interface provided by the kernel driving module.
For example, referring to fig. 2, a kernel driver module uefi.ko is newly added to a kernel of the physical machine, and the uefi.ko is used to provide a virtual Key creation interface, and the user space may schedule the virtual Key creation interface to create a virtual Key (vKey). In specific implementation, the virtual machine monitoring module provides a virtual key creation interface for a user, the user can set the number of vkeys to be created to be an N, N positive integer through the virtual key creation interface, after the setting is completed, the user executes a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creation interface to send a creation instruction to the main board of the physical machine, and therefore the main board of the physical machine receives the creation instruction sent by the virtual machine monitoring module through the virtual key creation interface.
Step 302: and responding to the creating instruction, and creating one or more virtual keys on the main board of the physical machine.
In this embodiment of the application, the main board of the physical machine responds to the creation instruction, and creates one or more virtual keys on the main board of the physical machine.
In an embodiment, the virtual key creation interface provided by the kernel driver module has a virtual key deletion function in addition to the virtual key creation function. Specifically, the virtual machine monitoring module calls a virtual key creation interface provided by the kernel driving module, and sends a deletion instruction to the motherboard of the physical machine, so that the motherboard of the physical machine receives the deletion instruction sent by the virtual machine monitoring module through the virtual key creation interface; and the main board of the physical machine responds to the deletion instruction, and deletes all the virtual keys or deletes one or more specified virtual keys on the main board of the physical machine.
In specific implementation, the virtual machine monitoring module provides a virtual key editing interface for a user, the user can select one or more virtual keys from the created virtual keys through the virtual key editing interface to delete the virtual keys, or select all the virtual keys to delete the virtual keys, and after the selection is completed, the user performs a confirmation operation to trigger the virtual machine monitoring module to call the virtual key creating interface to send a deletion instruction to a mainboard of the physical machine, so that the mainboard of the physical machine is triggered to delete one or more specified virtual keys or delete all the virtual keys.
In this embodiment of the present application, the motherboard of the physical machine has UEFI firmware and a physical key located on the UEFI firmware. The UEFI firmware is added with a function of virtualizing a physical key, namely one or more virtual keys can be virtualized based on the physical key. The UEFI firmware creates one or more virtual keys on a motherboard of the physical machine based on a physical key on the UEFI firmware. The virtualized one or more virtual keys are also stored on the motherboard, for example, in the NVRAM on the motherboard. It should be noted that the virtual key and the physical key are both stored on the motherboard, and thus they have the same security capability of the motherboard hardware level.
Step 303: and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
In this embodiment, the UEFI firmware opens an interface, which calls a virtual key, in a storage module (e.g., NVRAM) through a kernel, so that a motherboard of the physical machine can send a target virtual key of the one or more virtual keys to the virtual machine monitoring module through the interface, and the virtual machine monitoring module loads the target virtual key to the virtual machine when the virtual machine is created.
According to the technical scheme of the embodiment of the application, the virtual key of the virtual machine comes from the mainboard of the physical machine, so that the virtual machine is not easy to tamper, the virtual machine has the same safety capability of the hardware level of the mainboard as the physical machine, and the safety guarantee of the virtual machine is improved.
Fig. 4 is a schematic flowchart of a third process of the security protection method provided in the embodiment of the present application, and as shown in fig. 4, the security protection method includes the following steps:
step 401: the virtual machine receives a loading instruction aiming at a target program, and a target virtual key on a main board from a physical machine is loaded on the virtual machine.
Here, the target virtual key of the virtual machine comes from the motherboard of the physical machine, and therefore the virtual machine is not easily tampered with, and the virtual machine has the same security capability at the motherboard hardware level as the physical machine.
In one embodiment, the target program includes at least one of: system programs and hardware drivers.
It should be noted that a virtual machine refers to a complete computer system with complete hardware system functions, which is simulated by software and runs in a completely isolated environment. The work that can be done in a physical computer can be implemented in a virtual machine. When the target program is loaded through the virtual machine, the security verification needs to be performed on the target program, and the following steps are included.
Step 402: and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
In the embodiment of the application, the target virtual secret key is a public key; performing security verification on the target program by using the public key to obtain a verification result; 1) if the verification result is that the verification is successful, loading the target program by the virtual UEFI firmware of the virtual machine; 2) and if the verification result is verification failure, the virtual UEFI firmware of the virtual machine refuses to load the target program.
In the above scheme, the verification result is successful verification when the target program is signed by the private key corresponding to the public key.
In the embodiment of the application, a Secure Boot function of the virtual UEFI firmware can be realized through a target virtual key from the motherboard, the target virtual key is a reliable public key, and any system program or hardware driver which wants to be loaded on the virtual motherboard must be authenticated through the public key of the virtual UEFI firmware. That is, the target program to be loaded must be signed by the private key corresponding to the public key, otherwise, the virtual UEFI firmware refuses to load the target program. Because the malicious program cannot pass the authentication, the system of the virtual machine cannot be infected, and the safety of the virtual machine is guaranteed.
Fig. 5 is a schematic structural composition diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 5, the electronic device includes:
a sending unit 501, configured to send a creating instruction to a motherboard of a physical machine, where the creating instruction is used to trigger the motherboard of the physical machine to create one or more virtual keys;
a receiving unit 502, configured to receive a target virtual key in the one or more virtual keys sent by a motherboard of the physical machine;
a loading unit 503, configured to load the target virtual key on the virtual machine, where the target virtual key is used to perform security verification on the object loaded by the virtual machine.
In an embodiment, a kernel driver module is disposed in a kernel of the physical machine, and the kernel driver module is configured to provide a virtual key creation interface;
the sending unit 501 is configured to call a virtual key creation interface provided by the kernel driver module, and send a creation instruction to a motherboard of a physical machine.
In an embodiment, the sending unit 501 is further configured to call a virtual key creation interface provided by the kernel driver module, and send a deletion instruction to a motherboard of a physical machine, where the deletion instruction is used to trigger the motherboard of the physical machine to perform one of the following operations:
deleting all virtual keys;
the specified virtual key or keys are deleted.
In one embodiment, the virtual motherboard of the virtual machine has virtual UEFI firmware thereon;
the loading unit 503 is configured to load the target virtual key on virtual UEFI firmware of the virtual machine when the virtual machine is created.
It will be understood by those skilled in the art that the functions implemented by the units in the electronic device shown in fig. 5 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 5 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Fig. 6 is a schematic structural composition diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 6, the electronic device includes:
a receiving unit 601, configured to receive a creation instruction sent by a virtual machine monitoring module;
a creating unit 602, configured to create one or more virtual keys on a motherboard of the physical machine in response to the creating instruction;
a sending unit 603, configured to send a target virtual key in the one or more virtual keys, where the target virtual key can be loaded on a virtual machine, and perform security verification on an object loaded by the virtual machine.
In an embodiment, a kernel driver module is disposed in a kernel of the physical machine, and the kernel driver module is configured to create an interface for providing a virtual key;
the receiving unit 601 is configured to receive, through a virtual key creation interface provided by the kernel driver module, a creation instruction sent by the virtual machine monitoring module.
In an embodiment, the receiving unit 601 is further configured to receive, through a virtual key creation interface provided by the kernel driver module, a deletion instruction sent by a virtual machine monitor module;
the device further comprises: and a deletion unit (not shown in the figure) configured to delete all the virtual keys or delete one or more specified virtual keys on the motherboard of the physical machine in response to the deletion instruction.
In one embodiment, the physical machine has UEFI firmware on a motherboard and a physical key located on the UEFI firmware;
the creating unit 602 is configured to create one or more virtual keys on the motherboard of the physical machine based on the physical key on the UEFI firmware.
Those skilled in the art will appreciate that the functions implemented by the units in the electronic device shown in fig. 6 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 6 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Fig. 7 is a schematic structural component diagram of a virtual machine provided in the embodiment of the present application, and as shown in fig. 7, the virtual machine includes:
a receiving unit 701, configured to receive a load instruction for a target program, where a target virtual key on a motherboard of a physical machine is loaded on a virtual machine;
a verification unit 702, configured to perform security verification on the target program by using the target virtual key in response to the load instruction;
a loading unit 703, configured to determine whether to load the target program based on the verification result.
In one embodiment, the target virtual key is a public key;
the verification unit 702 is configured to perform security verification on the target program by using the public key to obtain a verification result;
the loading unit 703 is configured to load the target program through the virtual UEFI firmware if the verification result is that the verification is successful; and if the verification result is verification failure, the virtual UEFI firmware refuses to load the target program.
It will be understood by those skilled in the art that the functions implemented by the units in the electronic device shown in fig. 7 can be understood by referring to the related description of the aforementioned security protection method. The functions of the units in the electronic device shown in fig. 7 may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
Based on the hardware implementation of the above device, an embodiment of the present application further provides an electronic device, fig. 8 is a schematic diagram of a hardware structure of the electronic device according to the embodiment of the present application, and as shown in fig. 8, the electronic device includes:
a processor 802 and a memory 801 for storing executable instructions capable of being executed on the processor, wherein the processor 802 is configured to perform any of the above security protection methods when executing the executable instructions.
In one embodiment, the processor 802 is configured to execute the executable instructions to perform the following steps:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
In another embodiment, the processor 802 is configured to execute the executable instructions to perform the following steps:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
In yet another embodiment, the processor 802, when executing the executable instructions, performs the following steps: receiving a load instruction for a target program; and responding to the loading instruction, performing security verification on the target program by using the target virtual key, and determining whether to load the target program based on a verification result.
It will be appreciated that the memory in this embodiment can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic Random Access Memory (FRAM), a Flash Memory (Flash Memory), a magnetic surface Memory, an optical Disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface storage may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache memory. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (Enhanced Synchronous Dynamic Random Access Memory, ESRAM), Synchronous linked Dynamic Random Access Memory (Sync Dynamic Random Access RAM), Direct Memory Random Access Memory (DRDRM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium having a memory and a processor reading the information in the memory and combining the hardware to perform the steps of the method.
The embodiment of the application also provides a computer storage medium, in particular a computer readable storage medium. As a first embodiment, when the computer storage medium is located in an electronic device, the computer instructions are executed by a processor to implement any of the above security protection methods.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or at least two units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
It should be noted that: the technical solutions described in the embodiments of the present application can be arbitrarily combined without conflict.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of security protection, the method comprising:
sending a creating instruction to a main board of a physical machine, wherein the creating instruction is used for triggering the main board of the physical machine to create one or more virtual keys;
receiving a target virtual key in the one or more virtual keys sent by the main board of the physical machine, and loading the target virtual key on the virtual machine, wherein the target virtual key is used for performing security verification on an object loaded by the virtual machine.
2. The method according to claim 1, wherein a kernel driver module is arranged in a kernel of the physical machine, and the kernel driver module is used for providing a virtual key creation interface;
the sending of the creation instruction to the main board of the physical machine includes:
and calling a virtual key creation interface provided by the kernel driving module, and sending a creation instruction to a mainboard of the physical machine.
3. The method of claim 2, wherein the method further comprises:
calling a virtual key creation interface provided by the kernel driving module, and sending a deletion instruction to a main board of the physical machine, wherein the deletion instruction is used for triggering the main board of the physical machine to execute one of the following operations:
deleting all virtual keys;
the specified virtual key or keys are deleted.
4. The method of any of claims 1-3, wherein the virtual machine has virtual UEFI firmware on a virtual motherboard;
the loading the target virtual key on the virtual machine includes:
and when the virtual machine is created, loading the target virtual key on virtual UEFI firmware of the virtual machine.
5. A method of security protection, the method comprising:
receiving a creation instruction sent by a virtual machine monitoring module;
responding to the creating instruction, and creating one or more virtual keys on a main board of the physical machine;
and sending a target virtual key in the one or more virtual keys, wherein the target virtual key can be loaded on a virtual machine, and performing security verification on an object loaded by the virtual machine.
6. The method of claim 5, wherein a kernel driver module is arranged in a kernel of the physical machine, and the kernel driver module is used for creating an interface for providing a virtual key;
the receiving of the creation instruction sent by the virtual machine monitoring module includes:
and receiving a creation instruction sent by the virtual machine monitoring module through a virtual key creation interface provided by the kernel driver module.
7. The method of claim 6, wherein the method further comprises:
receiving a deleting instruction sent by a virtual machine monitoring module through a virtual key creating interface provided by the kernel driving module;
and in response to the deleting instruction, deleting all the virtual keys or deleting one or more specified virtual keys on the main board of the physical machine.
8. The method of any of claims 5 to 7, wherein the physical machine has UEFI firmware on a motherboard and a physical key located on the UEFI firmware;
the creating one or more virtual keys on the motherboard of the physical machine includes:
creating one or more virtual keys on a motherboard of the physical machine based on a physical key on the UEFI firmware.
9. A method of security protection, the method comprising:
the method comprises the steps that a virtual machine receives a loading instruction aiming at a target program, and a target virtual key on a main board of a physical machine is loaded on the virtual machine;
and the virtual machine responds to the loading instruction, performs security verification on the target program by using the target virtual key, and determines whether to load the target program based on a verification result.
10. The method of claim 9, wherein the target virtual key is a public key;
the performing security verification on the target program by using the target virtual key and determining whether to load the target program based on a verification result includes:
performing security verification on the target program by using the public key to obtain a verification result;
if the verification result is that the verification is successful, loading the target program by the virtual UEFI firmware of the virtual machine;
and if the verification result is verification failure, the virtual UEFI firmware of the virtual machine refuses to load the target program.
11. An electronic device, characterized in that the electronic device comprises: a processor and a memory for storing executable instructions capable of running on the processor,
wherein the processor is configured to execute the executable instructions to perform the steps of the method of any one of claims 1 to 10.
CN201911349197.9A 2019-12-24 2019-12-24 Safety protection method and electronic equipment Active CN111159716B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911349197.9A CN111159716B (en) 2019-12-24 2019-12-24 Safety protection method and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911349197.9A CN111159716B (en) 2019-12-24 2019-12-24 Safety protection method and electronic equipment

Publications (2)

Publication Number Publication Date
CN111159716A true CN111159716A (en) 2020-05-15
CN111159716B CN111159716B (en) 2022-03-25

Family

ID=70557871

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911349197.9A Active CN111159716B (en) 2019-12-24 2019-12-24 Safety protection method and electronic equipment

Country Status (1)

Country Link
CN (1) CN111159716B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599025A (en) * 2009-07-07 2009-12-09 武汉大学 Safety virtualization method of trusted crypto module
CN102208001A (en) * 2010-03-30 2011-10-05 微软公司 Hardware-supported virtualized cryptographic service
CN104951712A (en) * 2014-03-24 2015-09-30 国家计算机网络与信息安全管理中心 Data safety protection method in Xen virtualization environment
CN105245334A (en) * 2015-10-28 2016-01-13 武汉大学 TPM secret key and authorized data backup recovery system and method thereof
US20160034702A1 (en) * 2014-07-15 2016-02-04 Neil Sikka Apparatus For And Method Of Preventing Unsecured Data Access
CN105718794A (en) * 2016-01-27 2016-06-29 华为技术有限公司 Safety protection method and system for virtual machine based on VTPM
CN105830082A (en) * 2013-12-24 2016-08-03 微软技术许可有限责任公司 Virtual Machine Guarantee
CN108155988A (en) * 2017-12-22 2018-06-12 浪潮(北京)电子信息产业有限公司 A kind of moving method, device, equipment and readable storage medium storing program for executing for protecting key
CN108572861A (en) * 2018-04-26 2018-09-25 浪潮(北京)电子信息产业有限公司 A kind of guard method, system, equipment and the storage medium of virtual credible root

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599025A (en) * 2009-07-07 2009-12-09 武汉大学 Safety virtualization method of trusted crypto module
CN102208001A (en) * 2010-03-30 2011-10-05 微软公司 Hardware-supported virtualized cryptographic service
CN105830082A (en) * 2013-12-24 2016-08-03 微软技术许可有限责任公司 Virtual Machine Guarantee
CN104951712A (en) * 2014-03-24 2015-09-30 国家计算机网络与信息安全管理中心 Data safety protection method in Xen virtualization environment
US20160034702A1 (en) * 2014-07-15 2016-02-04 Neil Sikka Apparatus For And Method Of Preventing Unsecured Data Access
CN105245334A (en) * 2015-10-28 2016-01-13 武汉大学 TPM secret key and authorized data backup recovery system and method thereof
CN105718794A (en) * 2016-01-27 2016-06-29 华为技术有限公司 Safety protection method and system for virtual machine based on VTPM
CN108155988A (en) * 2017-12-22 2018-06-12 浪潮(北京)电子信息产业有限公司 A kind of moving method, device, equipment and readable storage medium storing program for executing for protecting key
CN108572861A (en) * 2018-04-26 2018-09-25 浪潮(北京)电子信息产业有限公司 A kind of guard method, system, equipment and the storage medium of virtual credible root

Also Published As

Publication number Publication date
CN111159716B (en) 2022-03-25

Similar Documents

Publication Publication Date Title
Raj et al. {fTPM}: A {Software-Only} Implementation of a {TPM} Chip
KR101888712B1 (en) Protecting operating system configuration values
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
TWI559167B (en) A unified extensible firmware interface(uefi)-compliant computing device and a method for administering a secure boot in the uefi-compliant computing device
US9830162B2 (en) Technologies for indirect branch target security
US7364087B2 (en) Virtual firmware smart card
US9037873B2 (en) Method and system for preventing tampering with software agent in a virtual machine
KR101289581B1 (en) Method and apparatus for secure scan of data storage device from remote server
CN103718165B (en) BIOS flash memory attack protection and notice
KR101700552B1 (en) Context based switching to a secure operating system environment
CN105393255A (en) Process evaluation for malware detection in virtual machines
TW201500960A (en) Detection of secure variable alteration in a computing device equipped with unified extensible firmware interface (UEFI)-compliant firmware
EP3627368B1 (en) Auxiliary memory having independent recovery area, and device applied with same
US10877903B2 (en) Protected memory area
CN106909848A (en) A kind of computer security strengthening system and its method based on BIOS extensions
US10929148B2 (en) Executing services in containers
CN113448682A (en) Virtual machine monitor loading method and device and electronic equipment
CN100514305C (en) System and method for implementing safety control of operation system
CN111428240B (en) Method and device for detecting illegal access of memory of software
CN111159716B (en) Safety protection method and electronic equipment
KR20180067581A (en) exception handling
KR101013419B1 (en) Guarding apparatus and method for system
CN116089327A (en) Data protection method and related equipment
Butler et al. New security architectures based on emerging disk functionality
US20240354404A1 (en) Migration of attacking software as a mitigation to an attack by a malicious actor

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant