CN111353162A - TrustZone kernel-based asynchronous execution active trusted computing method and system - Google Patents

Info

Publication number
CN111353162A
Authority
CN
China
Prior art keywords
trusted computing
service
trusted
active
trustzone
Prior art date
Legal status
Granted
Application number
CN202010223440.9A
Other languages
Chinese (zh)
Other versions
CN111353162B (en)
Inventor
董攀
杨保绚
马俊
谭郁松
杨增
吴吉红
黄辰林
丁滟
秦莹
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date
Filing date
Publication date
Events
Application filed by National University of Defense Technology
Priority to CN202010223440.9A
Publication of CN111353162A
Application granted
Publication of CN111353162B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 ... to assure secure computing or processing of information
                • G06F21/74 ... operating in dual or compartmented mode, i.e. at least one secure mode
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 ... using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/445 Program loading or initiating
                  • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
                • G06F9/448 Execution paradigms, e.g. implementations of programming paradigms
                  • G06F9/4482 Procedural
              • G06F9/46 Multiprogramming arrangements
                • G06F9/48 Program initiating; Program switching, e.g. by interrupt
                  • G06F9/4806 Task transfer initiation or dispatching
                    • G06F9/4812 Task transfer initiation or dispatching by interrupt, e.g. masked

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an active trusted computing method and system based on TrustZone core-division asynchronous execution. An active trusted computing system is configured and started after the computer is powered on and consists of a trusted computing main body service, a trusted computing proxy service and a trusted computing calling interface; the main body service and the proxy service are mapped into the operating environment TEE, while the calling interface and the host system are mapped into the operating environment REE, so that the active trusted computing system can execute trusted computing, resource monitoring and real-time intervention as required. The invention realizes a new trusted computing architecture on top of the passively executed TrustZone basic service: it meets the various requirements of active-defense trusted computing, fully considers active trusted measurement and control, provides active operation and resource access capability in a simple way, prevents the TEE from occupying the CPU for a long time, and prevents the host system's interrupt mechanism from being affected by timeouts and the like.

Description

TrustZone kernel-based asynchronous execution active trusted computing method and system
Technical Field
The invention relates to an active trusted computing technology in the field of computers, in particular to an active trusted computing method and system based on TrustZone core division asynchronous execution.
Background
The basic idea of trusted computing is as follows: first, a root of trust is constructed in the computer system; the root of trust is the foundation of trusted computing and is the part that must be trusted. A chain of trust is then established: starting from the root of trust, the software and hardware platform, the operating system and the applications are each measured and authenticated by the previous level and trusted one level at a time, so that trust is finally extended to the whole computer system and the trustworthiness of the computer system is guaranteed. Trusted base modules date from the TPM 1.0 specification set by the Trusted Computing Platform Alliance in 2000. Traditionally, a trusted base module is designed to work passively in a hardware-isolated environment and to be invoked as a service by the host CPU. This approach, however, has difficulty ensuring the integrity of software when it is loaded (especially at power-up); software updates are difficult; the integrity of the system in the running state cannot be guaranteed; the module has no capability to actively access and monitor the host system; and even the trustworthiness of the code executed during power-on is difficult to control.
To address these defects, China has already proposed the idea of an active defense system at the 3.0 stage of trusted computing technology, aiming to ensure that the whole process is measurable, controllable and free from interference, that is, an active immune computing mode in which defense runs in parallel with operation and which has active trustworthiness. The active trust capability is defined as follows: the trusted node monitors the behaviour of the system in an active monitoring mode through monitoring points at the bottom layer, builds a trusted computing system through the overall policy control of the information system, creates a security assurance environment for applications, and ensures that applications execute as expected and are free from threats such as hackers and viruses. Active trusted computing is therefore the capability to actively perform real-time dynamic monitoring throughout the whole trusted computing process and to intervene dynamically in real time when an abnormality occurs. Current active-defense trusted computing technology falls mainly into two modes: software-based and hardware-based.
The software approach may rely on kernel-based mandatory code detection or on the introduction of a software layer at a higher privilege level, such as a hypervisor. A common drawback of such approaches is that they introduce significant performance loss because of frequent context switching, and, being implemented in software, they are themselves vulnerable to malicious attack. Ensuring the trustworthiness of the newly added software module also introduces new problems, and the approach is difficult to integrate into the trusted component design of the trusted 3.0 mode.
The hardware approach is typically physically isolated from the host system and uses event-triggering mechanisms provided by the hardware to detect abnormal events or changes in host state. Although the hardware approach can immunize well against malicious code in the host and introduces almost no additional overhead, it suffers from a semantic gap and insufficient detection capability. This is because active defense requires the expansion hardware to monitor various types of events during the operation of the host software. First, memory access events of the host system must be perceivable, because the kernel keeps its state information and sensitive data structures in memory; second, it should be possible to monitor the status registers of the system, which is important for understanding the current configuration and resource assignment of the system; third, the external mechanism should be able to control and change critical registers and memory space of the host system in order to prevent malicious behaviour and restore the system to a healthy state. Existing hardware expansion mechanisms have difficulty meeting these three requirements because of the complexity of the system and the limitations of the bus link.
Therefore, owing to the various problems of the existing software and hardware modes, existing active-defense trusted computing has difficulty meeting the requirements of an active defense system: it cannot both guarantee the security and trustworthiness of the whole computing process and realize active defense at the same time. Designing a new active trusted computing system architecture is therefore urgent.
The TrustZone technology in ARM processors can provide a computing platform with a runtime environment isolated from the platform's other software and hardware resources by combining software and hardware; it is designed to obtain control first after the system is powered on and has higher access and control rights than the host, which makes it well suited to the functional and security requirements of trusted computing. TrustZone isolates all SoC hardware and software resources into two zones, the TEE and the REE. TrustZone adds an extra control signal bit, the Non-Secure (NS) bit, to every read and write on the system bus, and resources such as memory can be divided into a Secure state and a Non-Secure state through the NS bit. At the processor level, each physical processor core is virtualized into a Secure core and a Non-Secure core; the Non-Secure core can only access Non-Secure system resources, while the Secure core can access all resources. The two are switched by means of Monitor mode. When the normal world needs to switch to the secure world, the processor enters Monitor mode by executing an SMC instruction or through a configured hardware exception; Monitor mode backs up the context of the normal world and then enters the secure world. The secure world likewise switches back to the normal world after its context has been backed up through Monitor mode.
To guarantee the completeness of the trusted execution environment, the TrustZone technology includes the TBBR (Trusted Board Boot Requirements) sub-specification, which specifically defines the trust assurance flow and the software and hardware requirements of a system after power-on. TBBR specifies that the system must have a root of trust as the starting point of trust (for example a public key in SoC one-time-programmable (OTP) memory), that it must act immediately after power-on reset, and that a chain of trust must be established from the root of trust which progressively verifies the further signature schemes, the boot code, the TEE environment, the TEE services and the regular host environment. Existing TrustZone-based trusted computing methods are mainly implemented in the following ways: adding extra hardware and adopting eMMC memory as persistent secure storage for trusted computing; making compromises that do not weaken the security of the trusted computing, such as limiting the size of cryptographic computations; or modifying part of the semantics of the trusted computing specification to accommodate some of the limitations of TrustZone. However, the TrustZone basic service is designed around passive execution, and the existing designs do not consider the problem of active trust measurement and control. If active operation and resource access capability are to be provided, a complex host-TEE switching mechanism must be designed, and the CPU must be prevented from being "seized" by the TEE for long periods so that the interrupt mechanism of the host system is not affected by timeouts and the like.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the problems in the prior art, the invention provides an active trusted computing method and system based on TrustZone core-division asynchronous execution, which realizes a new trusted computing architecture on top of the passively executed TrustZone basic service, meets the various requirements of active-defense trusted computing, fully considers active trust measurement and control, provides active operation and resource access capability in a simple way, prevents the TEE from occupying the CPU for a long time, and prevents the interrupt mechanism of the host system from being affected by timeouts and the like.
In order to solve the technical problems, the invention adopts the technical scheme that:
an active trusted computing method based on TrustZone core division asynchronous execution comprises the following implementation steps:
1) after the computer is powered on, the active trusted computing service is configured and started, and a static trust chain of the host loading module and the host operating system is established through a static measurement mechanism during system start-up; the active trusted computing service comprises a trusted computing main body service, a trusted computing proxy service and a trusted computing calling interface, the main body service and the proxy service are mapped to the operating environment TEE, the calling interface and the host system are mapped to the operating environment REE, and the TEE and the REE are two operating environments with mutually isolated software and hardware resources obtained through the TrustZone technology;
2) when trusted computing needs to be executed, the host system issues a system management controller (SMC) call through the trusted computing calling interface and switches, by means of the TrustZone Monitor mode, to the trusted computing agent service running on a secure-world core; it triggers a soft interrupt SGI (secure interrupt) of the trusted computing agent service to send the trusted service request; the trusted computing agent service executes the trusted service and notifies the service caller in the host system of the execution result asynchronously, by means of a soft interrupt SGI; after the active trusted computing service is complete, the CPU state is switched to the normal state (Normal World) so that the CPU can continue executing the corresponding normal-state program;
when resource monitoring needs to be executed, the trusted computing main body service accesses the computer's resources to obtain their states, updates the PCR register according to the obtained resource states, and records the measurement values of the monitoring target in a specified database;
when real-time intervention needs to be executed, the task Agent set up in the host system dynamically obtains the physical address of the monitoring target after the static trust chain has been established, so as to realize dynamic real-time monitoring of the host system; once a trust abnormality is found, it is recorded and an alarm is raised, and the running host system is intervened upon.
Optionally, the detailed steps of step 1) include:
1.1) after the computer is powered on, the trusted firmware BL1 stored in secure ROM starts; after starting, BL1 initializes the control devices of the active trusted computing service and then verifies the trusted boot firmware BL2 stored in Flash memory; if verification of BL2 fails, the method ends and exits, otherwise execution continues with the next step;
1.2) the trusted boot firmware BL2 starts; after BL2 has initialized the configuration of the active trusted computing service it verifies the code images BL31, BL32 and BL33 in turn, where BL31 is the Monitor mode code of the TEE runtime environment, responsible for EL3-state system configuration, BL32 is the code that starts the secure-world code and configures the system, and BL33 is the code that starts the normal-world bootloader and configures the system; if verification of any of BL31, BL32 or BL33 fails, the method ends and exits, otherwise execution continues with the next step;
1.3) an independent CPU core, s-core, is partitioned off by configuring the CPU to run the trusted computing subject service, and its state is set so that it runs only in the secure state and never in the normal state, so that the trusted computing subject service cannot be perceived by the host operating system; at the same time the host system is started through the normal-world bootloader;
1.4) the CPU core s-core loads and runs the trusted computing subject service, and a static trust chain of the host loading module and the host operating system is established through a conventional static measurement mechanism;
1.5) a task Agent is set up in the host system; the address information of the target module is obtained through a specified information base of the host system and passed to the trusted computing main body service. The task Agent is only responsible for providing the physical address of the monitoring target and does not itself monitor the target; once the host system is running, the trusted computing agent service passes trusted computing parameters, data and the like to the trusted computing main body service through the task Agent.
Optionally, the task Agent takes a code segment of the host system kernel as the target of dynamic measurement, obtains the physical address corresponding to the Linux kernel code segment through /proc/iomem, and maps that address into the virtual address space of the secure state through a library function provided by the secure-state environment, thereby realizing dynamic reading and measurement of the code segment.
Optionally, when the trusted computing subject service executes the trusted service in step 2), the method further includes: during the computation, the main body service drives the scheduler through an internal independent clock to run the active measurement and monitoring module in a time-shared manner, so that continuity measurement of the target code segment can be performed dynamically in real time.
Optionally, intervening in the running host system in step 2) includes one of the following: (1) controlling CPU switching, which includes suspending operation of the host system or switching the host system to shutdown by means of a notification; (2) controlling memory by rewriting the host system's memory-mapping page table to mark the memory of the suspicious target as non-executable, with subsequent processing left to the host system; (3) depriving read and write access to designated critical IO by modifying the permissions of the controller.
Optionally, designating critical IO includes changing the read/write permission of normal-world software to an IO address, or directly controlling the ownership of a specific IO controller by means of the TrustZone Protection Controller.
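The two optional steps above (locating the kernel code segment through /proc/iomem, then measuring it repeatedly in time-shared slots) can be illustrated with the following added example. It is not code from the patent or from any project; it parses a constructed /proc/iomem listing, and the `read_phys` callback is a hypothetical stand-in for the secure-state library function that maps a physical range into the TEE.

```python
import hashlib
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in /proc/iomem format (not captured from a real host).
# Each line is "start-end : name"; child ranges are indented by two spaces.
SAMPLE_IOMEM = """\
00000000-0000ffff : System RAM
  00001000-00003fff : Kernel code
  00004000-00005fff : Kernel data
  00006000-00006fff : Kernel bss
00010000-0001ffff : PCI Bus 0000:00
"""

_IOMEM_LINE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_iomem(text: str) -> List[Tuple[int, int, str]]:
    """Parse /proc/iomem text into (start, end, name) tuples; end is inclusive."""
    ranges = []
    for line in text.splitlines():
        m = _IOMEM_LINE.match(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return ranges


def find_range(text: str, name: str) -> Optional[Tuple[int, int]]:
    """Return the (start, end) of the first resource whose name matches exactly."""
    for start, end, n in parse_iomem(text):
        if n == name:
            return start, end
    return None


class CodeSegmentMonitor:
    """Continuity measurement of the target chosen by the task Agent.

    read_phys is a hypothetical callback standing in for the secure-state
    library function that maps a physical range into the TEE and returns its bytes.
    """

    def __init__(self, iomem_text: str, read_phys: Callable[[int, int], bytes],
                 target: str = "Kernel code") -> None:
        rng = find_range(iomem_text, target)
        if rng is None:
            raise ValueError(f"{target!r} not present in the iomem table")
        self.start, self.end = rng
        self.read_phys = read_phys
        self.baseline = self._digest()      # taken once the static chain is established
        self.log: List[Dict] = []           # the "specified database" of measurements

    def _digest(self) -> str:
        data = self.read_phys(self.start, self.end - self.start + 1)
        return hashlib.sha256(data).hexdigest()

    def measure(self, tick: int) -> Dict:
        """One time-shared measurement slot: re-hash the segment and log the verdict."""
        digest = self._digest()
        event = {"tick": tick, "range": (self.start, self.end),
                 "digest": digest, "ok": digest == self.baseline}
        self.log.append(event)          # recorded; an alarm is raised when ok is False
        return event


def demo() -> List[bool]:
    """Three measurement slots over a constructed physical memory image."""
    phys = bytearray(0x10000)
    phys[0x1000:0x4000] = bytes(range(256)) * 48   # constructed "kernel code", 12288 bytes
    mon = CodeSegmentMonitor(SAMPLE_IOMEM, lambda s, n: bytes(phys[s:s + n]))
    verdicts = [mon.measure(1)["ok"]]
    phys[0x4100] ^= 0xFF        # change in Kernel data: outside the target, still ok
    verdicts.append(mon.measure(2)["ok"])
    phys[0x2000] ^= 0xFF        # change inside Kernel code: flagged
    verdicts.append(mon.measure(3)["ok"])
    return verdicts             # [True, True, False]


if __name__ == "__main__":
    print(demo())
```

On a real Linux host, /proc/iomem shows zeroed addresses to unprivileged readers, so the task Agent must read it with sufficient privilege; the monitor itself only ever compares the current digest with the baseline and never writes to the target.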
In addition, the invention also provides an active trusted computing system based on TrustZone core division asynchronous execution, which comprises a computer device, wherein the computer device is programmed or configured to execute the steps of the active trusted computing method based on TrustZone core division asynchronous execution.
In addition, the invention also provides an active trusted computing system based on TrustZone core division asynchronous execution, which comprises a computer device, wherein a computer program which is programmed or configured to execute the active trusted computing method based on TrustZone core division asynchronous execution is stored on a memory of the computer device.
Furthermore, the present invention also provides a computer readable storage medium having stored thereon a computer program programmed or configured to execute the TrustZone core-based asynchronously executed active trusted computing method.
Compared with the prior art, the invention has the following advantages. The invention configures and starts an active trusted computing system after the computer is powered on and establishes a static trust chain of the host loading module and the host operating system through a static measurement mechanism during system start-up. The active trusted computing service comprises a trusted computing main body service, a trusted computing agent service and a trusted computing calling interface; the main body service and the agent service are mapped to the operating environment TEE, the calling interface and the host system are mapped to the operating environment REE, and the TEE and the REE are two operating environments with mutually isolated software and hardware resources obtained through the TrustZone technology, so that the active trusted computing service can execute trusted computing, resource monitoring and real-time intervention as needed. A new trusted computing architecture can thus be realized on top of the passively executed TrustZone basic service: the various requirements of active-defense trusted computing are met, active trust measurement and control are fully considered, active operation and resource access capability are provided in a simple way, the CPU is prevented from being occupied by the TEE for too long, and mechanisms such as the host system's interrupts are prevented from being affected by timeouts and the like.
Drawings
FIG. 1 is a schematic diagram of a basic flow of a method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of module matching in the embodiment of the present invention.
Detailed Description
As shown in fig. 1, the implementation steps of the active trusted computing method based on TrustZone core-division asynchronous execution in this embodiment include:
1) after the computer is powered on, the active trusted computing service is configured and started, and a static trust chain of the host loading module and the host operating system is established through a static measurement mechanism during system start-up; the active trusted computing service comprises a trusted computing main body service, a trusted computing proxy service and a trusted computing calling interface, the main body service and the proxy service are mapped to the operating environment TEE, the calling interface and the host system are mapped to the operating environment REE, and the TEE and the REE are two operating environments with mutually isolated software and hardware resources obtained through the TrustZone technology;
2) the active trusted computing service performs tasks, namely:
when trusted computing needs to be executed, as shown in fig. 2, the host system issues an SMC call to the system management controller through the trusted computing calling interface and switches, by means of the TrustZone Monitor mode, to the trusted computing agent service running on a Secure World core; the trusted computing agent service triggers a soft interrupt SGI of the trusted computing subject service to send the trusted service request; the trusted computing subject service executes the trusted service and notifies the service caller in the host system of the execution result asynchronously, by means of a soft interrupt SGI; after the active trusted computing service is complete, the CPU state is switched to the Normal state (Normal World) so that the CPU can continue executing the corresponding Normal World program. The N-S switching performed by Monitor mode refers to switching between the Secure World (S) state and the Normal World (N) state;
when resource monitoring needs to be executed, the trusted computing main body service accesses the computer's resources to obtain their states, updates the PCR register according to the obtained resource states, and records the measurement values of the monitoring target in a specified database;
when real-time intervention needs to be executed, the task Agent set up in the host system dynamically obtains the physical address of the monitoring target after the static trust chain has been established, so as to realize dynamic real-time monitoring of the host system; once a trust abnormality is found, it is recorded and an alarm is raised, and the running host system is intervened upon.
In this embodiment, an active trusted computing system with core-division asynchronous execution, which offers isolation, monitoring capability, real-time intervention and imperceptibility with little impact on the host, is built on the TrustZone technology and can provide active trusted computing services for practical applications such as fingerprint identification, secure storage, and encryption and decryption. The active trusted computing service is divided into three parts: the trusted computing main body service, the trusted computing agent service and the trusted computing call interface. One CPU core is partitioned off and configured into the secure state to run the trusted computing subject service, which is responsible for the concrete trusted computing services, including encryption and decryption, command execution and the like, and for real-time measurement of and active intervention in the host system. The trusted computing agent service and the trusted computing agent interface can run on the other cores of the CPU; the trusted computing agent service runs in the secure state and is responsible for intermediate services such as forwarding call interface requests and returning data. The trusted computing call interface mainly provides a trusted computing call interface to normal programs and forwards requests to the trusted computing proxy service. The TrustZone technology provides hardware isolation and communication between the TEE and the REE, while the services that run in the TEE run on different cores of the CPU and are therefore also hardware isolated from each other.
In this embodiment, before the system is loaded, an independent CPU core, s-core, is partitioned off by configuring the CPU to run the trusted computing entity service, and its state is set so that it runs only in the secure state and cannot run in the normal state.
In this embodiment, the CPU core s-core loads and runs the trusted computing agent service program, establishes a static trust chain of the host loading module and the host operating system through a conventional static measurement mechanism, and at each step obtains the measurement value of each target while updating the PCR register and records it in another database.
In this embodiment, the communication method used to provide services is the soft interrupt (SGI). The trusted computing agent service passes parameters, data and the like by triggering a soft interrupt (SGI) targeted at the trusted computing agent's services. The CPU state is then switched back to the normal state through the SMC call and the Monitor module, and the CPU can continue executing the corresponding normal program. On receiving the request from the proxy service, the trusted computing main body service executes the corresponding computing task; during the computation the main body service drives the scheduler through an internal independent clock to run the active measurement and monitoring module in a time-shared manner, so that the target code segment can be measured dynamically in real time. After the trusted computing main body service has executed the corresponding computing task, the service caller in the host system is notified by soft interrupt (SGI) and receives the service result; the whole calling process is thereby completed, and the main body service returns to the monitoring state.
In this embodiment, the detailed steps of step 1) include:
1.1) after the computer is powered on, the trusted firmware BL1 stored in secure ROM starts; after starting, BL1 initializes the control devices of the active trusted computing service and then verifies the trusted boot firmware BL2 stored in Flash memory; if verification of BL2 fails, the method ends and exits, otherwise execution continues with the next step;
1.2) the trusted boot firmware BL2 starts; after BL2 has initialized the configuration of the active trusted computing service it verifies the code images BL31, BL32 and BL33 in turn, where BL31 is the Monitor mode code of the TEE runtime environment, responsible for EL3-state system configuration, BL32 is the code that starts the secure-world code and configures the system, and BL33 is the code that starts the normal-world bootloader and configures the system; if verification of any of BL31, BL32 or BL33 fails, the method ends and exits, otherwise execution continues with the next step;
1.3) an independent CPU core, s-core, is partitioned off by configuring the CPU to run the trusted computing subject service, and its state is set so that it runs only in the secure state and never in the normal state, so that the trusted computing subject service cannot be perceived by the host operating system; at the same time the host system is started through the normal-world bootloader;
1.4) the CPU core s-core loads and runs the trusted computing subject service, and a static trust chain of the host loading module and the host operating system is established through a conventional static measurement mechanism;
1.5) a task Agent is set up in the host system; the address information of the target module is obtained through a specified information base of the host system and passed to the trusted computing main body service. The task Agent is only responsible for providing the physical address of the monitoring target and does not itself monitor the target; once the host system is running, the trusted computing agent service passes trusted computing parameters, data and the like to the trusted computing main body service through the task Agent.
As can be seen from the foregoing description, the active trusted computing service in this embodiment is started by five parts, BL1, BL2, BL31, BL32 and BL33, divided into three stages:
Stage BL1: BL1, called the AP Trusted ROM, is stored in ROM; it initializes the corresponding controllers and verifies the trustworthiness of the BL2 image. After the system is powered on, BL1 starts first, and once BL1 has verified the BL2 image the system enters the BL2 stage.
Stage BL2: BL2, called the Trusted Boot Firmware, is stored in Flash memory; it initializes the corresponding system configuration and verifies the trustworthiness of BL31, BL32 and BL33, which are loaded after BL2 has started.
Stage BL3: BL31, BL32 and BL33 are executed. BL31, called the EL3 Runtime Software, is used for EL3 system configuration and so on, that is, it is the Monitor mode code of the TEE; BL32, called the Secure-EL1 Payload, starts the secure-world code and configures the system; BL33, called the Non-trusted Firmware, starts the normal-world bootloader and performs system configuration, and finally the normal-world bootloader starts the host system. The procedure for establishing the static trust chain is as follows: BL1 starts first after power-on, and since BL1 is written into ROM when the machine leaves the factory, it is trusted. BL2, BL31, BL32 and BL33 then follow in turn, each verified by the preceding step and therefore trusted. At each step the PCR register is updated while the measurement value of the monitored target is also recorded in a separate database, so that the whole process forms a static trust chain.
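The verify-then-extend discipline of the three stages above can be made concrete with a small model. The following Python is an added example, not the patent's firmware: the image contents and the reference manifest are constructed, a 32-byte value stands in for the PCR register, and a plain list stands in for the "separate database" of measurements. What it adds to the prose is the replay property a verifier relies on: the PCR value can be recomputed from the log alone, so a log that does not replay to the PCR is evidence of tampering with one or the other.

```python
"""Static trust chain model for BL1 -> BL2 -> BL31/BL32/BL33.

Added illustration, not the patent's firmware.  Each stage verifies the next
image against a reference digest before handing over, extends a simulated PCR
with the measurement, and records the measurement in a separate log.  The
images and manifest are constructed; in real firmware the reference would be
a signed manifest and the PCR a TPM/TCM register.
"""
import hashlib

PCR_SIZE = 32  # bytes; a SHA-256 PCR starts as all zeros

# Constructed stand-ins for the firmware images (any bytes will do)
IMAGES = {
    "BL2":  b"trusted boot firmware image",
    "BL31": b"el3 runtime software (monitor)",
    "BL32": b"secure-el1 payload (tee)",
    "BL33": b"non-trusted firmware (normal world bootloader)",
}


def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_manifest(images):
    """Reference digests; in practice produced offline and signed."""
    return {name: measure(data) for name, data in images.items()}


def extend_pcr(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || digest).  Order matters, which is
    why the log must record stages in boot order."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain(images, manifest, order=("BL2", "BL31", "BL32", "BL33")):
    """Run the chain.  Returns (ok, pcr, log).  On the first verification
    failure the chain stops, mirroring 'the method terminates' in steps
    1.1 and 1.2 above."""
    pcr = bytes(PCR_SIZE)
    log = []                      # the separate measurement database
    # BL1 (ROM root of trust) verifies BL2; BL2 verifies BL31, BL32, BL33.
    for name in order:
        digest = measure(images[name])
        if digest != manifest[name]:
            log.append((name, digest.hex(), "FAIL"))
            return False, pcr, log
        pcr = extend_pcr(pcr, digest)
        log.append((name, digest.hex(), "OK"))
    return True, pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the log alone.  A verifier can check that the
    recorded measurements are consistent with the PCR without re-reading the
    images; replay stops at the first failed entry, as the chain did."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex, status in log:
        if status != "OK":
            break
        pcr = extend_pcr(pcr, bytes.fromhex(digest_hex))
    return pcr


if __name__ == "__main__":
    manifest = make_manifest(IMAGES)
    ok, pcr, log = boot_chain(IMAGES, manifest)
    print("chain ok:", ok, "PCR:", pcr.hex())
    for entry in log:
        print(entry)
```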
In order to obtain the target information for active monitoring, an Agent task is set up in the host system in this embodiment. It obtains the address information of the target module through information sources of the system (such as the /proc file system or the System.map file under the boot directory) and passes it to the trusted computing subject service. The Agent is only responsible for providing the physical address of the monitored target and does not monitor the target itself, so only its trustworthiness during the initialization stage needs to be ensured. As a specific implementation, in this embodiment the task Agent takes the code segment of the host system kernel as the target of dynamic measurement, obtains the physical address corresponding to the code and data segments of the Linux kernel through /proc/iomem, and maps that physical address to a virtual address in the secure state through a library function provided by the secure-state environment, thereby enabling the code segment to be read and measured dynamically. After the host system is running, the trusted computing agent service passes trusted computing parameters, data and so on to the trusted computing subject service.
In this embodiment, step 2), when the trusted computing subject service executes the trusted service, further includes: during the computation, the subject service drives its scheduler through an internal independent clock to run the active measurement and monitoring module in a time-sharing manner, so that continuity measurement can be carried out dynamically and in real time on the target code segment. During measurement, when a trust anomaly is encountered, the subject service not only records and raises an alarm for the anomaly but also intervenes in the running host system.
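The two halves of the mechanism in the preceding paragraphs, the Agent locating the kernel code segment through /proc/iomem and the subject service re-measuring it on its own clock, are shown together in the added Python example below. It is not the patent's code: the /proc/iomem excerpt is constructed in the format the kernel prints (child ranges indented by two spaces), a byte buffer stands in for the physical memory that the TEE would map, and `parse_iomem`, `find_region` and `DynamicMeasurer` are hypothetical names. The example also shows the failure mode the text cares about: a single modified byte in the measured range produces an alarm on the next tick.

```python
"""Agent-side target discovery and subject-side dynamic measurement.

Added illustration, not the patent's code.  The Agent reads /proc/iomem to
find the physical range of the kernel code segment and hands over only that
address; the subject service takes a baseline measurement of the mapped range
and re-measures on every tick of its independent clock.
"""
import hashlib
import re

# Constructed excerpt in /proc/iomem format (children are indented by two spaces)
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
100000000-13fffffff : System RAM
  101000000-101a0ffff : Kernel code
  101a10000-101ecdfff : Kernel rodata
  101ece000-1020bffff : Kernel data
  1022b0000-1023fffff : Kernel bss
"""

_LINE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+) : (.*)$")


def parse_iomem(text):
    """Return a list of (depth, start, end, name) with addresses as ints."""
    regions = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        indent, start, end, name = m.groups()
        regions.append((len(indent) // 2, int(start, 16), int(end, 16), name.strip()))
    return regions


def find_region(text, name="Kernel code"):
    """What the Agent reports: where the target is, nothing about its content."""
    for _, start, end, n in parse_iomem(text):
        if n == name:
            return start, end
    raise LookupError(name)


class DynamicMeasurer:
    """Subject-side continuity measurement of one physical range."""

    def __init__(self, read_phys, start, end):
        # read_phys(start, length) -> bytes; the secure-state mapping is done
        # inside it, so the measurer never touches normal-world virtual addresses.
        self.read_phys = read_phys
        self.start, self.length = start, end - start + 1
        self.baseline = self._measure()
        self.history = []                # (tick, digest, status): the record that feeds alarms

    def _measure(self):
        return hashlib.sha256(self.read_phys(self.start, self.length)).hexdigest()

    def tick(self, t):
        """Called from the subject service's independent clock; 'OK' or 'ALARM'."""
        d = self._measure()
        status = "OK" if d == self.baseline else "ALARM"
        self.history.append((t, d, status))
        return status


def run_example():
    """Constructed end-to-end run: locate, baseline, tick, tamper, tick."""
    start, end = find_region(SAMPLE_IOMEM)
    # A 4 KiB buffer stands in for the (much larger) mapped code segment.
    backing = bytearray(b"\x90" * 4096)

    def read_phys(pa, length):
        off = pa - start
        return bytes(backing[off:off + min(length, len(backing) - off)])

    m = DynamicMeasurer(read_phys, start, end)
    first = m.tick(1)
    backing[100] = 0xCC                 # simulate an in-memory code patch
    second = m.tick(2)
    return first, second, len(m.history)


if __name__ == "__main__":
    print(find_region(SAMPLE_IOMEM))
    print(run_example())
```

The measurer hashes the whole range on every tick, which is what "continuity measurement" asks for; on a real system the tick period and the size of the range bound the time-sharing cost on s-core, so a production implementation would typically split the range and measure it in slices.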
In this embodiment, intervening in the host system at run time in step 2) includes one of the following means: (1) control of CPU switching, which includes suspending the operation of the host system or switching the host system to shutdown by means of a notification; (2) control of memory: rewriting the memory mapping page table of the host system so that the memory of the suspicious target is set as non-executable (a page table descriptor entry contains page attribute fields, among which the NX bit defines whether code in the page may be executed; TrustZone has the authority to access normal-world memory, so a specific region can be made non-executable by modifying its page table attribute), after which the host system performs the follow-up handling; although the host system also has the authority to modify the NX bit of the page attribute and thus restore the page to executable, the monitoring by the trusted computing agent service increases the difficulty of an attack, and whether to take further measures can be decided by monitoring the locked page attribute; (3) depriving read and write operations on designated critical IO by modifying the authority of the controller. In this embodiment, the designated critical IO is handled by changing the read-write permission of normal-world software on the IO address, or by directly controlling the ownership of a specific IO controller with a TrustZone Protection Controller (TZPC).
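Intervention (2) above, and the caveat that the host can flip the attribute back, are illustrated by the following added Python example, which is not the patent's code. It works on the AArch64 VMSAv8-64 level-3 (4 KiB page) descriptor layout as documented by Arm: bit 0 valid, bit 1 set for a page descriptor, AP[2:1] at bits 7:6, AF at bit 10, output address in bits 47:12, PXN at bit 53 and UXN at bit 54 (the ARM equivalents of the "NX bit" in the text). A Python list stands in for the host's page table that the TEE would write through its access to normal-world memory, and `PageLockMonitor` and the function names are hypothetical.

```python
"""Marking a suspicious page non-executable in the host's page table and
watching whether the host restores it.

Added illustration, not the patent's code.  AArch64 level-3 descriptor bits
are taken from the Arm architecture reference; the page table itself is a
Python list standing in for normal-world memory.
"""

VALID   = 1 << 0
PAGE    = 1 << 1       # bit 1 set: page descriptor (not a block)
AP_RO   = 1 << 7       # AP[2] = 1: read-only
AF      = 1 << 10      # access flag
PXN     = 1 << 53      # privileged execute-never
UXN     = 1 << 54      # unprivileged execute-never
OA_MASK = ((1 << 48) - 1) & ~0xFFF   # output address, bits 47:12


def make_page_descriptor(pa, executable=True, writable=True):
    """Build a valid level-3 descriptor for physical page 'pa' (4 KiB aligned)."""
    if pa & 0xFFF:
        raise ValueError("page address must be 4 KiB aligned")
    d = VALID | PAGE | AF | (pa & OA_MASK)
    if not writable:
        d |= AP_RO
    if not executable:
        d |= PXN | UXN
    return d


def output_address(desc):
    return desc & OA_MASK


def is_executable(desc):
    """Executable from the kernel's (EL1) point of view: valid and PXN clear."""
    return bool(desc & VALID) and not (desc & PXN)


def set_non_executable(desc):
    """What the TEE does to the suspicious page: set both execute-never bits
    and leave the address and every other attribute untouched."""
    return desc | PXN | UXN


class PageLockMonitor:
    """Remembers the descriptors the TEE locked down and reports any that the
    host has changed since.  The host can still write its own page table, so
    the lock is enforced by observation (the 'monitoring the locked page
    attribute' in the text), not by hardware."""

    def __init__(self, page_table):
        self.page_table = page_table      # list of descriptors: the host's L3 table
        self.locked = {}                  # index -> descriptor value right after locking

    def lock(self, idx):
        self.page_table[idx] = set_non_executable(self.page_table[idx])
        self.locked[idx] = self.page_table[idx]
        return self.page_table[idx]

    def check(self):
        """Indices of locked pages whose descriptor no longer matches the lock."""
        return [i for i, d in self.locked.items() if self.page_table[i] != d]


if __name__ == "__main__":
    table = [make_page_descriptor(0x80000000 + i * 0x1000) for i in range(4)]
    mon = PageLockMonitor(table)
    print("locked: %#x" % mon.lock(2), "executable:", is_executable(table[2]))
    table[2] &= ~(PXN | UXN)            # host restores executability
    print("reverted pages:", mon.check())
```

A descriptor-equality check is deliberately strict: it also catches a host that re-points the entry at a different physical page while leaving the execute-never bits set, which an attribute-only comparison would miss.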
In summary, the active trusted computing system constructed on the basis of the TrustZone technology in this embodiment has the following characteristics:
Isolation of the operating environment: owing to the characteristics of the TrustZone technology, TrustZone provides a hardware and software isolation mechanism in which hardware and software resources are isolated into two running environments (namely the TEE and the REE); the trusted computing subject service and the agent service run in the TEE, and the host system runs in the REE. The TrustZone mechanism ensures that the two environments each have their own CPU, physical memory, physical IO and other resources; software in the REE cannot access resources in the TEE, whereas TEE software has the right to access resources in the REE. At the same time, a CPU core is partitioned separately for running the trusted computing subject service, so that this core cannot be perceived by the host system, which ensures the isolation of the trusted computing subject service from the host system.
Conventional trusted service capability: the invention maps each service mechanism of trusted computing onto the basic structure of TrustZone and encapsulates the core services of a virtual trusted computing module in the trusted computing subject service, including a cryptographic algorithm engine, a command execution engine and secure persistent storage, among others. The trusted computing call command interface is encapsulated in the trusted computing call interface: using the TrustZone technology, the host system enters Monitor mode through the trusted computing call interface and an SMC and is switched to the agent service running on the secure core; the agent service then triggers an SGI aimed at the trusted computing subject service, the specific active trusted computing task is executed in the trusted computing subject service, and finally the computed result is returned asynchronously to complete the whole active trusted computing call.
Monitoring capability: the trusted computing agent service runs in the TEE, which has the ability to access all resources of the computer. During system startup, a static trust chain of the host loading modules and the host operating system is established through the static measurement mechanism, and at each step the measurement value of the monitored target is recorded in a separate database while the PCR register is updated, thereby providing monitoring capability over the host system.
Real-time intervention capability: after the static trust chain has been established, the Agent task dynamically obtains the physical address of the monitoring target to realize dynamic real-time monitoring of the host system. Once a trust anomaly is found, it can be recorded and alarmed, and the running host system can be intervened in, including suspending the operation of the host system, setting the memory of the suspicious target as non-executable, and depriving the suspicious target of the ability to read and write critical IO, among others.
Low overhead and imperceptibility: first, the REE system is not aware of the presence of the TEE software. In terms of performance, existing TEE services use a synchronous mode, in which the REE may be suspended for the duration of the service, adversely affecting performance. At power-on, the invention partitions a separate CPU core for running the trusted computing subject service, so that this core cannot be perceived by the host system. At run time, after receiving a trusted computing request from the host system, the trusted computing agent service immediately forwards the request to the subject service and then returns to the REE of the host system; the agent service does not execute the specific service itself, thereby avoiding long suspension of the host system while it waits.
In summary, this embodiment improves the original passive execution mode of the TrustZone basic service and implements a new trusted computing architecture that can satisfy the various requirements of active-defense trusted computing; it fully considers the problem of active trusted measurement and control, provides active operation and resource access capability in a simple manner, prevents the TEE from occupying the CPU for too long, and prevents the interrupt mechanism of the host system from being affected by timeouts and the like.
In addition, the present embodiment also provides an active trusted computing system based on TrustZone core asynchronous execution, which includes a computer device programmed or configured to execute the steps of the aforementioned active trusted computing method based on TrustZone core asynchronous execution.
In addition, the present embodiment also provides an active trusted computing system executed asynchronously based on a TrustZone core, which includes a computer device, where a memory of the computer device stores a computer program programmed or configured to execute the foregoing active trusted computing method executed asynchronously based on a TrustZone core.
Furthermore, the present embodiment also provides a computer readable storage medium, on which a computer program is stored, which is programmed or configured to execute the aforementioned active trusted computing method based on TrustZone core asynchronous execution.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. 
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.

Claims (9)

1. An active trusted computing method based on TrustZone core division asynchronous execution is characterized by comprising the following implementation steps:
1) configuring and starting active trusted computing service after a computer is electrified, establishing a static trusted chain of a host loading module and a host operating system through a static measurement mechanism in the system starting process, wherein the active trusted computing service comprises trusted computing main body service, trusted computing proxy service and a trusted computing calling interface, the trusted computing main body service and the trusted computing proxy service are mapped to an operating environment TEE, the trusted computing calling interface and a host system are mapped to an operating environment REE, and the operating environment TEE and the operating environment REE are two operating environments with mutually isolated software and hardware resources obtained based on TrustZone technology;
2) when trusted computing needs to be executed, the host system issues a Secure Monitor Call (SMC) through the trusted computing call interface and is switched, by means of the Monitor mode of TrustZone, to the trusted computing agent service running on the secure core; the trusted computing agent service triggers a software-generated interrupt (SGI) of the trusted computing subject service to send a trusted service request; the trusted computing subject service executes the trusted service and notifies the service caller in the host system by SGI to return the execution result of the trusted service asynchronously; after the trusted computing service is completed, the state of the Central Processing Unit (CPU) is switched to the normal state so that the CPU continues to execute the normal-world program; when real-time resource monitoring needs to be executed, the trusted computing subject service accesses the resources of the computer to obtain their states and, according to the obtained resource states, records the measurement value of the monitoring target in a designated database while updating the PCR register; when real-time intervention needs to be executed, the task Agent established in the host system dynamically obtains the physical address of the monitoring target after the static trust chain has been established so as to realize dynamic real-time monitoring of the host system, and after a trust anomaly is found it is recorded and alarmed and the running host system is intervened in.
2. The TrustZone core asynchronous execution based active trusted computing method according to claim 1, wherein the detailed steps of step 1) include:
1.1) after the computer is powered on, the trusted firmware BL1 stored in the secure ROM is started; after starting, BL1 initializes the controllers of the active trusted computing service and then verifies the trusted boot firmware BL2 stored in Flash memory; if the verification of BL2 fails, the method terminates; otherwise, proceed to the next step;
1.2) the trusted boot firmware BL2 is started; after BL2 initializes the configuration of the active trusted computing service, it verifies the code images BL31, BL32 and BL33 in turn, where BL31 is the Monitor mode code of the running environment TEE, used for EL3 system configuration; BL32 is the code that starts the secure-world code and configures the system; BL33 is the code that starts the normal-world bootloader and configures the system; if the verification of any of BL31, BL32 or BL33 fails, the method terminates; otherwise, proceed to the next step;
1.3) an independent CPU core, s-core, is partitioned by configuring the CPU for running the trusted computing subject service, and its state is set to the secure state only, never the normal state, so that the trusted computing subject service cannot be perceived by the host operating system; at the same time, the host system is started through the normal-world bootloader;
1.4) the CPU core s-core loads and runs the trusted computing subject service, and a static trust chain of the host loading modules and the host operating system is established through the conventional static measurement mechanism;
1.5) a task Agent is set up in the host system; it obtains the address information of the target module through a designated information source of the host system and passes it to the trusted computing subject service; the task Agent is only responsible for providing the physical address of the monitoring target and does not monitor the target itself; after the host system is running, the trusted computing agent service passes trusted computing parameters, data and so on to the trusted computing subject service via the task Agent.
3. The active trusted computing method based on TrustZone core asynchronous execution as claimed in claim 2, wherein said task Agent takes the code segment of the host system kernel as the target of dynamic measurement, obtains the physical address corresponding to the code and data segments of the Linux kernel through /proc/iomem, and maps that address to a virtual address in the secure state through a library function provided by the secure-state environment, thereby enabling the code segment to be read and measured dynamically.
4. The active trusted computing method based on TrustZone core asynchronous execution according to claim 1, wherein the step 2) when the trusted computing subject service executes the trusted service further comprises: in the calculation process, the main body service drives the scheduling program to run the active measurement and monitoring module in a time-sharing mode through an internal independent clock, so that the continuity measurement can be dynamically carried out on the target code segment in real time.
5. The active trusted computing method based on TrustZone core asynchronous execution according to claim 1, wherein intervening in the host system at run time in step 2) comprises one of the following means: (1) control of CPU switching, comprising suspending the operation of the host system or switching the host system to shutdown by means of a notification; (2) control of memory: rewriting the memory mapping page table of the host system, setting the memory of the suspicious target as non-executable, and leaving the subsequent handling to the host system; (3) depriving read and write operations on designated critical IO by modifying the authority of the controller.
6. The active trusted computing method based on TrustZone core asynchronous execution of claim 5, wherein said designated critical IO comprises changing the read-write permission of normal-world software on the IO address, or directly controlling the ownership of a specific IO controller through a TrustZone Protection Controller.
7. An active trusted computing system based on TrustZone kernel asynchronous execution, comprising a computer device, characterized in that the computer device is programmed or configured to execute the steps of the active trusted computing method based on TrustZone kernel asynchronous execution according to any one of claims 1 to 6.
8. An active trusted computing system based on TrustZone core asynchronous execution, comprising a computer device, wherein a memory of the computer device has stored thereon a computer program programmed or configured to execute the active trusted computing method based on TrustZone core asynchronous execution according to any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program programmed or configured to execute the TrustZone kernel asynchronously-executed active trusted computing method according to any one of claims 1 to 6.
CN202010223440.9A 2020-03-26 2020-03-26 TrustZone kernel-based asynchronous execution active trusted computing method and system Active CN111353162B (en)

Publications (2)

Publication Number Publication Date
CN111353162A true CN111353162A (en) 2020-06-30
CN111353162B CN111353162B (en) 2022-06-07
