CN111382445B - Method for providing trusted service by using trusted execution environment system - Google Patents

Method for providing trusted service by using trusted execution environment system Download PDF

Info

Publication number
CN111382445B
CN111382445B CN202010140483.0A CN202010140483A CN111382445B CN 111382445 B CN111382445 B CN 111382445B CN 202010140483 A CN202010140483 A CN 202010140483A CN 111382445 B CN111382445 B CN 111382445B
Authority
CN
China
Prior art keywords
trusted
service
root
root task
trusted application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010140483.0A
Other languages
Chinese (zh)
Other versions
CN111382445A (en
Inventor
张倩颖
冀东旭
施智平
关永
李晓娟
王瑞
王国辉
邵振洲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Capital Normal University
Original Assignee
Capital Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Capital Normal University filed Critical Capital Normal University
Priority to CN202010140483.0A priority Critical patent/CN111382445B/en
Publication of CN111382445A publication Critical patent/CN111382445A/en
Application granted granted Critical
Publication of CN111382445B publication Critical patent/CN111382445B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the disclosure discloses a method for providing trusted service by using a trusted execution environment system based on a microkernel architecture, which comprises the following steps: starting a trusted operating system, creating a first process for running a root task by the trusted operating system, verifying the integrity of a mirror image of the root task, and executing the root task by the first process; responding to a service request from the common world, creating a trusted application process corresponding to the running service identifier by the root task, verifying the integrity of a trusted application mirror image corresponding to the service identifier, and creating the trusted application process based on the trusted application mirror image after verification is completed; after the trusted application finishes processing the related data, the root task switches the processor to a monitor mode by calling a preset switching instruction; in monitor mode, the monitor component is used to save the context data of the trusted operating system and switch to the common world general operating system.

Description

Method for providing trusted service by using trusted execution environment system
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method for providing trusted services using a trusted execution environment system based on a microkernel architecture.
Background
With the rapid development of random computer technology and the increasing change of network technology, mobile devices have been applied to various fields of society, such as smart home, consumer electronics, network devices, medical instruments, and the like. Data processed in mobile devices is becoming more and more important and therefore targeted for attack. Nowadays, the application of mobile devices in online payment, electronic banking and the like is rapidly developed, and once user data is revealed or user equipment is utilized by an attacker, property loss of the user is directly caused. Thus, the importance of mobile device security is self evident. In view of the above, global Platform (GP) proposes the concept of Trusted Execution Environment (TEE), which is used for digital rights management, mobile payment and sensitive data protection. The TEE is compatible with a Rich Execution Environment (REE) in which an Operating System (OS) such as Android and Linux is run on a device, and provides a security service to the REE.
The ARM TrustZone technology is used as a specific scheme of TEE, and the system is isolated into two worlds. It refers to TEE and REE as the Secure World (Secure World) and the general World (normallworld), respectively. Operations with higher safety requirements, such as fingerprint comparison, private key signature and the like, need to be completed in a safe world. Trusted Applications (TAs) are applications that run in the secure world. In TrustZone, the software and hardware resources of the secure world are isolated from the ordinary world, and the secure world can access the resources of the two worlds, while the ordinary world can only access the resources of the ordinary world. TrustZone is now widely used in products of various mainstream equipment suppliers such as huashi, samsung, etc.
Since the ARM TrustZone technology is proposed, many scholars and research institutions concentrate on the implementation scheme of TrustZone-based trusted execution environment, and currently, a plurality of open-source projects and schemes are available for research.
OP-TEE is an open source TEE project developed by Linaro, consisting essentially of three components: an ordinary world user layer client (option _ client), a Linux kernel TEE driver (option _ Linux driver), and a secure world TEE OS (option _ OS). Optee _ client is a client API that runs in the common world user space. The API allows a user to call trusted applications using standard APIs. The Optee _ linux driver is a device driver for controlling common world user space and secure world communications. Opte _ os is a trusted operating system running in the secure world.
ANDIX OS is a TEE OS developed by Andrea et al, university of Glanz, based on TrustZone technology, which is a multitasking, non-preemptive operating system. The ANDIX OS uses TrustZone to achieve isolation between the security tasks and the REE OS. The overall architecture of the ANDIX OS is similar to that of OP-TEE, with the difference that the core component in the secure world is the ANDIX secure kernel. The ANDIX kernel is a macro kernel and provides functions of process isolation, scheduling, communication and the like.
Open-TEE is a hardware-independent TEE implemented by the university of Helsinki design. Open-TEE is designed as a daemon on the user level. It starts with the execution of Base, which is a process that encapsulates the TEE functionality into a whole. After Base completes its initialization, it will create two separate but related processes, manager and Launcher. Manager is responsible for communication between trusted applications and monitoring their status, and provides secure storage and control of shared memory, etc. functions similar to OS. The only purpose of launchers is to make TA creation more efficient.
In addition, there are commercially available TEE systems such as QSEE and TrustedCore, hua.
Most of the TEE OS in the scheme adopts a macro kernel architecture, and the isolation of the privilege is generally lacked. The kernel services all run in the address space of the kernel in a privileged mode. The individual software components have a high degree of compactness and can be called directly by functions between services. If a component has a vulnerability, it may cause a crash of the entire system. Thus vulnerabilities associated with TEE and TA are constantly being discovered, such as VE-2016-0825, CVE-2017-0518/0519, CVE-2016-2431/2432, CVE-2015-6639/6647, and CVE-2016-8762/8763/8764. In Open-TEE, it is not a true OS and does not provide the functionality of a full OS. Furthermore, in OP-TEE, the secure world verifies its integrity before executing TA, but does not mention services related to data encapsulation and remote attestation; trusted computing related functionality is not mentioned in neither ANDIX nor Open-TEE. The above disadvantages directly affect the security of the TEE system.
Disclosure of Invention
The embodiment of the disclosure provides a method for providing trusted service by using a trusted execution environment system based on a microkernel architecture, wherein the trusted execution environment system runs a trusted operating system, a trusted service component, a monitor component and a root task, and the trusted operating system is constructed based on the microkernel and provides core service by the microkernel; the trusted service component is used for providing trusted computing service; the monitor component is used for switching between a safe world and a common world; the root task is an application program which runs at the first user layer of the trusted execution environment system, is used for taking over unused resources in the trusted execution environment system and is responsible for creating and managing other application programs; the method comprises the following steps:
starting the trusted operating system, creating a first process for running the root task by the trusted operating system, verifying the integrity of the root task image, and executing the root task by the first process;
responding to a service request from the common world, wherein the service request comprises a service identifier and related data, the root task creates and runs a trusted application process corresponding to the service identifier, verifies the integrity of a trusted application mirror image corresponding to the service identifier, maps the trusted application mirror image to an address space of a newly-built trusted application process after the verification is completed so as to run the trusted application, and the trusted application processes the related data;
after the trusted application completes processing the related data, the root task switches the processor to a monitor mode by calling a preset switching instruction;
in the monitor mode, the monitor component is utilized to save the context data of the trusted operating system and switch to the general operating system of the common world so as to return the processing result of the related data to the common world.
Further, the method also comprises the following steps:
acquiring a root symmetric encryption key and a device root key provided by a device running a trusted execution environment system; and protecting data by using the symmetric encryption key and the equipment root key, wherein the equipment root key is an asymmetric key issued by an equipment manufacturer and represents the identity of the equipment.
Furthermore, the trusted operating system is constructed based on the microkernel, and isolation guarantee is provided for upper-layer trusted application by using an isolation mechanism provided by the microkernel; the trusted operating system provides interface service for creating, managing and destroying trusted applications, and is used for realizing full life cycle management of the trusted applications; the message transmission between the trusted applications is realized by calling an interprocess communication interface provided by the microkernel; the trusted operating system provides an interrupt processing function, and comprises the steps of registering an interrupt in the kernel and sending a notification signal to a corresponding interrupt processing program for processing after the interrupt is triggered.
Further, the monitor component is used for being responsible for context switching of the common world and the secure world: when a preset switching instruction is called by the common world or the secure world, the processor is triggered to be switched to the monitor mode, in the monitor mode, the monitor jumps to a corresponding preset exception handling program to execute according to an exception vector table stored in a vector base address register in the monitor mode, the preset exception handling program saves the processor context of the current world, and then the processor context of the other world is loaded.
Further, the root task is a first user layer application program created by the microkernel; the integrity of the mirror image of the root task is checked and verified by the microkernel before starting; after the microkernel is started, all unused resources of the system are handed to a root task for management; the root task has the highest priority and is responsible for creating and managing other applications; when a service request from the common world is received, the root task forwards service request data to a corresponding trusted application for processing according to a service ID in the request; and after the trusted application finishes processing, the root task returns a processing result to the common world by calling a preset switching instruction.
Further, a trusted service component is operated in the trusted execution environment system; the trusted service component is a service component created by the root task, and the trusted service component is used for completing the trusted computing service of the only trusted application interacting with the storage root symmetric encryption key and the device root key by the trusted service component so as to ensure that confidential information required by the trusted computing service cannot leave the trusted service component.
Further, the root task creates and runs a trusted application process corresponding to the service identifier, verifies the integrity of a trusted application mirror image corresponding to the service identifier, and maps the trusted application mirror image to an address space of the trusted application process after the verification is completed, so as to run the trusted application, including:
when a trusted application is operated, the root task is utilized to create the trusted application process and configure related information;
verifying a digital signature certificate of a trusted application image file by using the root task; the digital signature certificate is attached to the end of the trusted application mirror image by an application developer and comprises a standard integrity value of the trusted application mirror image; the integrity value of the trusted application can be calculated by using a one-way hash algorithm in cryptography;
calculating the integrity value of the trusted application mirror image by using the root task, comparing the integrity value with a standard value in a digital certificate, and mapping the mirror image file into the address space of the process if the integrity value is consistent with the comparison; otherwise, the process creation fails and returns an error value.
Further, the method further comprises:
responding to an encapsulation request sent by the trusted application, and sending an integrity value representing the identity of the trusted application and data to be encapsulated to a trusted service component by using the root task, wherein the encapsulation request comprises the data to be encapsulated;
deriving an encapsulation key by using the trusted service component according to the integrity value and a root symmetric encryption key of the equipment, then encrypting the data to be encapsulated by using the encapsulation key, and returning an encapsulation result to the root task;
responding to a decapsulation request sent by the trusted application, and sending a encapsulation result to be decapsulated and an integrity value of the trusted application to the trusted service component by using the root task;
and performing key derivation and decryption operation by using the trusted service component, returning an unsealing result to the root task, and returning unsealed original data to the trusted application by using the root task.
Further, the method further comprises:
responding to a verification request sent by a remote trusted entity as a verifier, wherein the verification request comprises a service identification to be verified and a random number; sending, by the root task, an integrity value and a nonce of the trusted application corresponding to the service identification to a trusted service component; the trusted service component is used for signing the integrity value and the random number by using a certification key, and a signing result is returned to the root task;
and returning a signature result to the verifier by using the root task so that the verifier can determine whether the current state of the trusted application corresponding to the service identifier is trusted according to the signature result.
In a second aspect, embodiments of the present disclosure provide an electronic device, including a memory and a processor; wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the method of any of the above aspects.
In a third aspect, the disclosed embodiments provide a computer-readable storage medium for storing computer instructions for implementing the above method, which contains computer instructions for executing the method according to any one of the above aspects.
The technical scheme provided by the embodiment of the disclosure can have the following beneficial effects:
1. the first advantage of the present disclosure is that the TEE system is built based on a microkernel architecture. The isolation mechanism provided by the microkernel is utilized to provide isolation for the upper-layer trusted application, so that the components of the TEE OS and the trusted applications are safely isolated, the whole system cannot be crashed even if a certain component goes wrong, and the safety of other components cannot be influenced even if the certain component is utilized by an attacker.
2. The second advantage of the disclosure is that trusted computing services are provided for the user layer of the TEE system. The method adds core trusted computing functions such as integrity measurement and verification, data encapsulation/decapsulation, remote certification and the like to a user layer. Integrity measurement and verification are carried out on the mirror image of the trusted application before the trusted application is executed, and the validity and the integrity of the mirror image identity are ensured; the data encapsulation binds sensitive data to a specific trusted application, so that the confidentiality of the data is ensured; remote attestation may attest to a remote trusted entity the operational state of a particular application. The core trusted computing function provided by the present disclosure may further improve the security of the system.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects, and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments when taken in conjunction with the accompanying drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a method for providing trusted services using a microkernel architecture-based trusted execution environment system, according to an embodiment of the present disclosure;
FIG. 2 illustrates a software architecture diagram of a trusted execution environment system according to an embodiment of the present disclosure;
FIG. 3 illustrates a flow diagram of a trusted application responding to a common world service request process according to an embodiment of the present disclosure;
FIG. 4 illustrates a flow diagram of an integrity measurement and verification process according to an embodiment of the present disclosure;
FIG. 5 shows a flow diagram of a data encapsulation process according to an embodiment of the present disclosure;
FIG. 6 illustrates a flow diagram of a remote attestation process in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. Furthermore, parts that are not relevant to the description of the exemplary embodiments have been omitted from the drawings for the sake of clarity.
In the present disclosure, it is to be understood that terms such as "including" or "having," etc., are intended to indicate the presence of the disclosed features, numbers, steps, behaviors, components, parts, or combinations thereof, and are not intended to preclude the possibility that one or more other features, numbers, steps, behaviors, components, parts, or combinations thereof may be present or added.
It should be further noted that the embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Aiming at the defects of the TEE scheme realized by adopting a macro-kernel architecture, the disclosure provides a method for providing a Trusted service by using a Trusted Execution Environment system based on a micro-kernel architecture, the TEE (Trusted Execution Environment) system is realized based on the micro-kernel architecture, the Trusted service is provided for a common operating system, isolation is provided for the Trusted service based on an isolation mechanism of the micro-kernel, and meanwhile, trusted computing services such as integrity measurement and verification, data encapsulation/decapsulation, remote certification and the like are provided. The TEE system constructed by the method mainly comprises a TEE OS (operating System), a Monitor (Monitor), a Root Task (Root Task), a Trusted Service, a Trusted application and the like. The TEE OS is built based on a microkernel, which provides core services. The monitor is the component in TrustZone responsible for switching between the secure world and the common world. The root task is the first application running at the user level, taking over all system unused resources and being responsible for the creation and management of other applications. The Trusted Service provides Trusted computing services such as data encapsulation/decapsulation and remote attestation. Trusted applications are mainly security-sensitive operations responsible for providing security services to the general world.
In order to achieve one of the purposes of the present disclosure, a TEE system based on a microkernel architecture is provided, and an adopted technical scheme includes three components, namely a TEE OS, a monitor and a root task.
The technical scheme of the TEE OS is as follows:
1) The TEE OS is constructed based on the microkernel, and isolation guarantee is provided for upper-layer application by using an isolation mechanism provided by the microkernel.
2) The TEE OS provides a process management function, is responsible for creating, managing and destroying services of the trusted application, and realizes the full life cycle management of the trusted application.
3) The TEE OS provides Inter-Process Communication (IPC) services. IPC mechanisms may be used for communication and messaging between trusted applications.
4) Interrupt handling services require interrupt registration in the kernel. When an interrupt is triggered, the interrupt notification signal is sent to a corresponding user layer interrupt processing program through the kernel for processing.
The monitor is responsible for context switching between the secure world and the common world in ARM TrustZone. When the ordinary world or the Secure world calls a switch instruction (SMC), the processor switches to Monitor mode. And the corresponding SMC processing program completes the operations of saving and restoring the corresponding world context and transmitting the relevant parameters.
The root task is the first application program run by the user layer, and is created by the kernel, the mirror integrity of the root task is checked, and a starting environment is provided. And after the microkernel is started, all the unused resources of the system are taken over by the root task. The root task has the highest priority and is responsible for creating and managing other applications. When receiving a service request from the common world, the root task is responsible for forwarding the request data to the corresponding trusted application for processing according to the request ID. And after the processing request is completed, the root task returns the processing result to the common world by calling the SMC instruction.
To achieve another object of the present disclosure, a core trusted computing service of integrity measurement and verification, data encapsulation/decapsulation, and remote attestation is provided. The technical scheme adopted by the trusted computing service comprises a user-level cryptography library for providing a basic cryptography algorithm and a TrustService for providing a trusted computing function.
The cryptography library is added at a user layer and provides basic cryptography algorithms, and at least comprises a symmetric encryption algorithm, an asymmetric encryption algorithm and a Hash algorithm.
The Trust Service is a trusted application with the priority lower than that of a root task. TrustService trusted computing service requires equipment to provide basic hardware key support, and comprises a root symmetric encryption key and an equipment root key, wherein the symmetric encryption key is responsible for protecting platform data, and the equipment root key is an asymmetric key issued by a manufacturer and represents equipment identity. And the Trust Service provides trusted computing services such as data encapsulation/decapsulation and remote certification based on the hardware key.
The integrity measurement and verification specific scheme is as follows:
1) When the trusted application needs to run, the root task creates a new process and configures.
2) The root task verifies the digitally signed certificate of the trusted application image. The digitally signed certificate is attached by the application developer to the end of the image and contains the standard integrity value of the trusted application image.
3) And calculating the integrity value of the image of the trusted application program, and comparing the integrity value with the standard value in the digital certificate. If the two are consistent, the verification is successful; otherwise, the process creation fails and an error value is returned. The computed integrity value is saved by the root task and can be used for data encapsulation/decapsulation and remote attestation.
4) And after the verification is successful, mapping the trusted application mirror image to the address space of the new process.
The specific scheme of data encapsulation/decapsulation is as follows:
1) The trusted application sends a data encapsulation request to the root task, containing the original data to be encapsulated.
2) And the root task sends the integrity value representing the identity of the Trusted application and the data to be encapsulated to the Trusted Service.
3) And the Trusted Service derives an encapsulation key according to the integrity value of the Trusted application and the root symmetric encryption key. The derivation of the encapsulation key uses the device root symmetric encryption key and the integrity value of the trusted application, thus ensuring that data protected using the encapsulation key can only be used by the corresponding trusted application of the device.
4) And the derived key is utilized to realize the symmetric encryption operation of the data to be packaged, and a packaging result is obtained.
5) And returning the encapsulation result to the root task for storage.
6) Decapsulation is the reverse of encapsulation. The trusted application sends a decapsulation request to the root task. And the root task sends the encapsulation result and the integrity value to the Trusted Service for decapsulation operation, wherein the decapsulation operation relates to operations such as key derivation, symmetric decryption and the like. And finally, returning the decapsulation result, namely the original data, to the trusted application.
The remote certification specific scheme is as follows:
1) The remote trusted entity acts as a verifier sending a verification request to the prover, the request including the service ID and the random number nonce to be verified.
2) And after the prover receives the verification request, the root task sends the integrity value and the random number nonce of the Trusted application corresponding to the ID to the Trusted Service.
3) The Trust Service signs the integrity value and the random number nonce by using the certification key, and returns the signature result to the root task. Where the certification key is generated by the device and issued by the vendor's signing key.
4) And the root task returns the signature result to the verifier, and the verifier determines whether the service is credible according to the signature result.
The details of the embodiments of the present disclosure are described in detail below by way of specific embodiments.
FIG. 1 illustrates a flow diagram of a method for providing trusted services using a microkernel architecture-based trusted execution environment system according to an embodiment of the present disclosure. A trusted operating system, a trusted service component, a monitor component and a root task run in the trusted execution environment system, wherein the trusted operating system is constructed based on a microkernel, and the microkernel provides core services; the trusted service component is used for providing trusted computing service; the monitor component is used for switching between a safe world and a common world; the root task is an application program which runs at the first user layer of the trusted execution environment system, is used for taking over unused resources in the trusted execution environment system and is responsible for creating and managing other application programs; as shown in fig. 1, the method for providing trusted services by using a trusted execution environment system based on a microkernel architecture includes the following steps:
in step S101, starting the trusted operating system, creating a first process running the root task by the trusted operating system, verifying the integrity of the root task image, and executing the root task by the first process;
in step S102, in response to a service request from the common world, where the service request includes a service identifier and related data, the root task creates and runs a trusted application process corresponding to the service identifier, verifies the integrity of a trusted application image corresponding to the service identifier, and maps the trusted application image to an address space of a newly-created trusted application process after verification is completed, so as to run the trusted application, and the trusted application processes the related data;
in step S103, after the trusted application completes processing the relevant data, the root task switches the processor to a monitor mode by calling a preset switching instruction;
in step S104, in the monitor mode, the monitor component is used to save the context data of the trusted operating system, and switch to the general operating system in the general world, so as to return the processing result of the relevant data to the general world.
In this embodiment, the trusted execution environment system provides two execution environments by using an ARM TrustZone technology: the secure world and the general world; wherein the common world runs a common operating system; the safe world runs a trusted execution environment, and trusted applications run in the trusted execution environment to provide safe services for the common world.
In an optional implementation manner of this embodiment, the method further includes:
acquiring a root symmetric encryption key and a device root key provided by a device running a trusted execution environment system; and protecting data by using the symmetric encryption key and the device root key, wherein the device root key is an asymmetric key issued by a device manufacturer and represents the identity of the device.
In an optional implementation manner of this embodiment, the trusted operating system is constructed based on a microkernel, and an isolation mechanism provided by the microkernel is used to provide isolation guarantee for an upper-layer trusted application; the trusted operating system provides interface service for creating, managing and destroying trusted applications, and is used for realizing full life cycle management of the trusted applications; the message transmission between the trusted applications is realized by calling an interprocess communication interface provided by a microkernel; the trusted operating system provides an interrupt processing function, and comprises the steps of registering an interrupt in the kernel and sending a notification signal to a corresponding interrupt processing program for processing after the interrupt is triggered.
In an alternative implementation of the embodiment, the monitor component is used for being responsible for context switching between the common world and the secure world: when a preset switching instruction is called by the common world or the secure world, the processor is triggered to be switched to the monitor mode, in the monitor mode, the monitor jumps to a corresponding preset exception handling program to execute according to an exception vector table stored in a vector base address register in the monitor mode, the preset exception handling program saves the processor context of the current world, and then the processor context of the other world is loaded.
In an optional implementation manner of this embodiment, a trusted service component is further run in the trusted execution environment system; the trusted service component is a service component created by a root task, and the trusted service component is a trusted application trusted computing service which is only interacted with a storage root symmetric encryption key and a device root key and is completed by the trusted service component so as to ensure that confidential information required by the trusted computing service cannot leave the trusted service component.
FIG. 2 illustrates a software architecture diagram of a trusted execution environment system according to an embodiment of the present disclosure. As shown in fig. 2, the trusted execution environment system based on the microkernel architecture of the present disclosure mainly includes the following components: TEE OS (MicroTEE), monitor (Monitor) component, root Task (Root Task) component, trusted Service (Trusted Service) component, and Trusted Application (TA). The TEE OS builds and provides core services such as process management, interprocess communication, and address space management based on the microkernel. The monitor is responsible for switching between the secure world and the general world. The root task, as the first application running at the user level, takes over all system unused resources and is responsible for creating and managing other trusted applications. The Trusted Service is responsible for managing platform keys and providing Trusted computing services. Trusted applications provide security services for the general world.
1. The TEE OS builds and provides a core service interface for upper-level trusted applications based on the microkernel. When the trusted application needs to be executed, a new process can be created through the process creation interface service and the memory space with the specified size is allocated. When the trusted applications need to communicate for message exchange, the method is realized by calling IPC interface service provided by TEE OS for sending and receiving messages. Mutual isolation between upper-layer trusted applications is guaranteed by the isolation mechanism of the microkernel. The TEE OS user layer provides a cryptography library for providing basic cryptographic algorithms for trusted applications, including at least a symmetric encryption algorithm, an asymmetric encryption algorithm, and a hash algorithm. The cryptographic library may be linked into the executable file as a static library.
2. The monitor is responsible for switching between the secure world and the general world. The SMC instruction triggers the processor to switch into monitor mode. The following are related to monitor settings and functions:
1) Configuration operations of the Monitor are completed at platform initialization, including setting the top of stack pointer for Monitor mode and writing the vector table base Address into the vector table base Address Register (MVBAR).
2) SMC instructions need to be executed in privileged mode and so a system call needs to be added. The user-level trusted application may enter privileged mode and execute SMC instructions through the system call.
3) The monitor mode may pass parameters and data through physical registers r0, r1, etc. When data is large, it needs to be transferred through a shared memory between the two worlds.
4) After the SMC instruction is called to trigger the processor to enter the monitor mode, the corresponding SMC processing program can be skipped to through the vector table. The handler needs to complete the operations of saving the current world context and restoring another world context and changing the NS bit. The NS bit is stored in a Secure Configuration Register (SCR).
3. The root task may be implemented as an initial process, which is the first user-level application that runs after the kernel is started. It is created by the kernel and verifies the integrity of the image when loading other trusted applications. And after the kernel finishes starting, handing all the unused system resources to the root task for management. Thus, the root task has the highest priority at the user level. The root task is responsible for managing other trusted applications, including the management of the entire lifecycle of creation, configuration, and destruction. When a service request is sent from the ordinary world, the root task forwards data to a corresponding trusted application for processing according to the service ID in the request. When the processing is finished, the root task executes the SMC instruction to return the result to the common world.
4. A Trusted Service may be implemented as a Trusted application, created by the root task and having a lower priority than the root task. The Trusted Service can interact with a root symmetric encryption key and a device root key of the platform and provide Trusted computing services such as data encapsulation/decapsulation and remote attestation.
5. Trusted applications provide security services for the general world. The procedure for the trusted application to respond to the generic world service request is shown in figure 3.
1) The ordinary world passes the service request to the secure world via the SMC directive, including the service ID and associated data.
2) And the root task forwards the request data to the corresponding trusted application according to the service ID.
3) And after the trusted application processes the completion request, returning the result to the root task.
4) And the root task carries out world switching through SMC calling, and returns the result to the common world.
In an optional implementation manner of this embodiment, in step S202, the step of creating, by the root task, a trusted application process corresponding to the service identifier, verifying integrity of a trusted application image corresponding to the service identifier, and mapping the trusted application image to an address space of the trusted application process after the verification is completed, so as to run the trusted application further includes:
when a trusted application is operated, the root task is utilized to establish the trusted application process and configure related information;
verifying a digital signature certificate of a trusted application image file by using the root task; the digital signature certificate is attached to the end of the trusted application mirror image by an application developer and comprises a standard integrity value of the trusted application mirror image; the integrity value of the trusted application can be obtained by calculating through a one-way hash algorithm in cryptography;
calculating an integrity value of the trusted application image by using the root task and comparing the integrity value with a standard value in a digital certificate, and mapping the image file to an address space of a process if the integrity value is consistent with the standard value; otherwise, the process creation fails and returns an error value.
In an optional implementation manner of this embodiment, the method further includes:
responding to an encapsulation request sent by the trusted application, and sending an integrity value representing the identity of the trusted application and data to be encapsulated to a trusted service component by using the root task, wherein the encapsulation request comprises the data to be encapsulated;
deriving an encapsulation key by using the trusted service component according to the integrity value and a root symmetric encryption key of the equipment, then encrypting the data to be encapsulated by using the encapsulation key, and returning an encapsulation result to the root task;
responding to a decapsulation request sent by the trusted application, and sending an encapsulation result to be decapsulated and an integrity value of the trusted application to the trusted service component by using the root task;
and performing key derivation and decryption operation by using the trusted service component, returning an unsealing result to the root task, and returning unsealed original data to the trusted application by using the root task.
In an optional implementation manner of this embodiment, the method further includes:
responding to a verification request sent by a remote trusted entity as a verifier, wherein the verification request comprises a service identification to be verified and a random number; sending, by the root task, an integrity value and a nonce of the trusted application corresponding to the service identification to a trusted service component; the trusted service component is used for signing the integrity value and the random number by using the certification key, and a signing result is returned to the root task;
and returning a signature result to the verifier by using the root task so that the verifier can determine whether the current state of the trusted application corresponding to the service identifier is trusted according to the signature result.
In some embodiments, the trusted service component is used to implement trusted computing services.
The trusted computing service implementation steps are as follows:
1. the integrity measurement and verification is to verify the integrity and digital certificate signature of the mirror image of the trusted application before the trusted application runs. The process is shown in fig. 4:
1) And a new process is established for the trusted application by the root task, and relevant information such as an address space, interprocess communication and the like is configured.
2) The trusted application image comprises two parts: a digital certificate of the original image and the end of the image. Verifying the signature of the digital certificate to ensure that it is from a legitimate developer; and then calculating the integrity value of the original mirror image and comparing the integrity value with the standard value in the digital certificate, wherein the calculated integrity value is stored by the root task.
3) If the integrity verification is passed, mapping the trusted application mirror image to the address space of the new process; otherwise, the process creation fails and an error value is returned.
2. Data encapsulation is the binding of data to a specified trusted application to ensure the confidentiality of the data. The process is shown in fig. 5.
1) When a trusted application needs to encapsulate confidential data, an encapsulation request may be sent to the root task, where the request includes data to be encapsulated.
2) And after receiving the encapsulation request of the Trusted application, the root task sends the data to be encapsulated and the integrity value representing the identity of the Trusted application to the Trusted Service.
3) And the Trusted Service derives an encapsulation key according to the integrity value of the Trusted application and the root symmetric encryption key, and encrypts the data to be encapsulated by using the encapsulation key.
4) And returning the encapsulation result to the root task for storage.
5) Decapsulation is the reverse process of encapsulation. And after receiving the decapsulation request of the Trusted application, the root task sends the encapsulation result and the integrity value of the Trusted application to TrustedService, then TrustedService performs key derivation and decryption operation and returns the decapsulation result to the root task, and finally returns the original data to the Trusted application.
3. The remote attestation may attest to a remote trusted entity to specify a current state of the trusted application. The process is shown in fig. 6.
1) The remote trusted entity acts as a verifier sending a verification request to the prover, the request including the service ID and the random number nonce to be verified.
2) And after the prover receives the verification request, the root task sends the integrity value and the random number nonce of the Trusted application corresponding to the ID to the Trusted Service.
3) The Trusted Service signs the integrity value and the random number nonce with the attestation key and returns the signature result to the root task. Where the attestation key is generated by the device and issued by a signing key of the device vendor.
4) And the root task returns the signature result to the verifier, and the verifier determines whether the current state of the service is credible or not according to the signature result.
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus in the above embodiment; or it may be a separate computer readable storage medium not incorporated into the device. The computer readable storage medium stores one or more programs for use by one or more processors in performing the methods described in the present disclosure.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is made without departing from the inventive concept. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.

Claims (7)

1. A method for providing trusted service by using a trusted execution environment system based on a microkernel architecture is characterized in that a trusted operating system, a trusted service component, a monitor component and a root task are operated in the trusted execution environment system, the trusted operating system is constructed based on the microkernel, and the microkernel provides core service; the trusted service component is configured to provide a trusted computing service, the trusted computing service comprising: integrity measurement and verification, data encapsulation/decapsulation, and remote certification; the monitor component is used for switching between a safe world and a common world; the root task is an application program which runs at the first user layer of the trusted execution environment system, is used for taking over unused resources in the trusted execution environment system and is responsible for creating and managing other application programs; the method comprises the following steps:
starting the trusted operating system, creating a first process for running the root task by the trusted operating system, verifying the integrity of the root task image, and executing the root task by the first process;
responding to a service request from the common world, wherein the service request comprises a service identifier and related data, the root task creates and operates a trusted application process corresponding to the service identifier, verifies the integrity of a trusted application mirror image corresponding to the service identifier, and maps the trusted application mirror image to an address space of a newly-established trusted application process after verification is completed so as to operate the trusted application, and the trusted application processes the related data;
after the trusted application finishes processing the related data, the root task switches the processor to a monitor mode by calling a preset switching instruction;
under the monitor mode, the monitor component is utilized to save the context data of the trusted operating system and switch to a general operating system of the common world so as to return the processing result of the related data to the common world;
the method for running the trusted application process includes the following steps that the root task creates and runs the trusted application process corresponding to the service identifier, verifies the integrity of the trusted application mirror image corresponding to the service identifier, and maps the trusted application mirror image to an address space of a newly-built trusted application process after verification is completed so as to run the trusted application, and the method includes the following steps:
when a trusted application is operated, the root task creates the trusted application process and configures relevant information;
verifying a digital signature certificate of a trusted application image file by using the root task; the digital signature certificate is attached to the end of the trusted application mirror image by an application developer and comprises a standard integrity value of the trusted application mirror image; the integrity value of the trusted application can be obtained by calculating through a one-way hash algorithm in cryptography;
calculating an integrity value of the trusted application mirror image by using the root task and comparing the integrity value with a standard value in a digital certificate, and if the integrity value is consistent with the integrity value, mapping the mirror image file into an address space of a newly-built trusted application process; otherwise, the trusted application process fails to be established and returns an error value;
the method further comprises the following steps:
responding to an encapsulation request sent by the trusted application, and sending an integrity value representing the identity of the trusted application and data to be encapsulated to a trusted service component by using the root task, wherein the encapsulation request comprises the data to be encapsulated;
deriving an encapsulation key by using the trusted service component according to the integrity value and a root symmetric encryption key of the equipment, then encrypting the data to be encapsulated by using the encapsulation key, and returning an encapsulation result to the root task;
responding to a decapsulation request sent by the trusted application, and sending an encapsulation result to be decapsulated and an integrity value of the trusted application to the trusted service component by using the root task;
performing key derivation and decryption operations by using the trusted service component, returning an unsealing result to the root task, and returning unsealed original data to the trusted application by using the root task;
the method further comprises the following steps:
responding to a verification request sent by a remote trusted entity as a verifier, wherein the verification request comprises a service identification to be verified and a random number; sending, by the root task, an integrity value and a nonce of the trusted application corresponding to the service identification to a trusted service component; the trusted service component is used for signing the integrity value and the random number by using a certification key, and a signing result is returned to the root task;
and returning a signature result to the verifier by using the root task so that the verifier can determine whether the current state of the trusted application corresponding to the service identifier is trusted according to the signature result.
2. The method of claim 1, further comprising:
acquiring a root symmetric encryption key and a device root key provided by a device running a trusted execution environment system; and protecting data by using the symmetric encryption key and the equipment root key, wherein the equipment root key is an asymmetric key issued by an equipment manufacturer and represents the identity of the equipment.
3. The method according to claim 1 or 2, wherein the trusted operating system is constructed based on a microkernel, and isolation assurance is provided for upper-layer trusted applications by using an isolation mechanism provided by the microkernel; the trusted operating system provides interface service for creating, managing and destroying trusted applications, and is used for realizing full life cycle management of the trusted applications; the message transmission between the trusted applications is realized by calling an interprocess communication interface provided by the microkernel; the trusted operating system provides an interrupt processing function, and comprises the steps of registering an interrupt in the kernel and sending a notification signal to a corresponding interrupt processing program for processing after the interrupt is triggered.
4. The method of claim 1 or 2, wherein the monitor component is configured to take care of context switching between the general world and the secure world: when a preset switching instruction is called by the common world or the secure world, the processor is triggered to be switched to the monitor mode, in the monitor mode, the monitor jumps to a corresponding preset exception handling program to execute according to an exception vector table stored in a vector base address register in the monitor mode, the preset exception handling program saves the processor context of the current world, and then the processor context of the other world is loaded.
5. The method of claim 1 or 2, wherein the root task is a first user layer application created by a microkernel; the integrity of the mirror image of the root task is checked and verified by a micro kernel before starting; after the microkernel is started, all unused resources of the system are handed over to a root task for management; the root task has the highest priority and is responsible for creating and managing other applications; when a service request from the common world is received, the root task forwards service request data to a corresponding trusted application for processing according to a service ID in the service request; and after the trusted application finishes processing, the root task returns a processing result to the common world by calling a preset switching instruction.
6. The method of claim 1 or 2, wherein a trusted service component is also running in the trusted execution environment system; the trusted service component is a service component created for a root task, and is a unique trusted application interacting with a storage root symmetric encryption key and an equipment root key; trusted computing services are performed by trusted service components to ensure that confidential information required by the trusted computing services does not leave the trusted service components.
7. The method of claim 1, wherein the attestation key is an asymmetric key generated by the device and issued with a vendor's signing key.
CN202010140483.0A 2020-03-03 2020-03-03 Method for providing trusted service by using trusted execution environment system Active CN111382445B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010140483.0A CN111382445B (en) 2020-03-03 2020-03-03 Method for providing trusted service by using trusted execution environment system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010140483.0A CN111382445B (en) 2020-03-03 2020-03-03 Method for providing trusted service by using trusted execution environment system

Publications (2)

Publication Number Publication Date
CN111382445A CN111382445A (en) 2020-07-07
CN111382445B true CN111382445B (en) 2023-04-07

Family

ID=71217144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010140483.0A Active CN111382445B (en) 2020-03-03 2020-03-03 Method for providing trusted service by using trusted execution environment system

Country Status (1)

Country Link
CN (1) CN111382445B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111858004A (en) * 2020-07-21 2020-10-30 中国人民解放军国防科技大学 TEE expansion-based real-time application dynamic loading method and system for computer security world
EP4216087A4 (en) * 2020-10-27 2024-03-06 Huawei Technologies Co., Ltd. Method for implementing virtual trusted platform module and related device
CN113296879B (en) * 2020-10-29 2024-03-08 阿里巴巴集团控股有限公司 Container creation method and device
CN112446032B (en) * 2020-11-20 2022-05-31 南方科技大学 Trusted execution environment construction method, system and storage medium
CN112434306B (en) * 2020-12-11 2024-04-16 中国科学院信息工程研究所 Trusted measurement method, device, system, electronic equipment and storage medium
CN112702740B (en) * 2020-12-24 2023-04-07 国网浙江省电力有限公司经济技术研究院 Data safety transmission method of LoRa Internet of things system
CN116635858A (en) * 2020-12-29 2023-08-22 华为技术有限公司 Safety isolation device and method
CN113312630B (en) * 2021-05-31 2022-07-01 支付宝(杭州)信息技术有限公司 Method and device for realizing trusted scheduling
CN113867805B (en) * 2021-08-20 2023-08-15 苏州浪潮智能科技有限公司 Method and system for constructing measurement chain compatible with trusted root based on firmware
CN113791898B (en) * 2021-08-24 2022-07-26 电子科技大学 TrustZone-based trusted microkernel operating system
CN113886834B (en) * 2021-09-29 2022-06-21 南方科技大学 ARM architecture-based GPU trusted execution method, system, equipment and storage medium
CN114021141A (en) * 2021-10-29 2022-02-08 中国银联股份有限公司 Electronic equipment, trusted application calling method, device, equipment and medium
CN114500054B (en) * 2022-01-27 2024-03-01 百度在线网络技术(北京)有限公司 Service access method, service access device, electronic device, and storage medium
CN114676392B (en) * 2022-03-18 2024-06-04 北京百度网讯科技有限公司 Application trusted authorization method and device and electronic equipment
CN117375864A (en) * 2022-06-30 2024-01-09 华为技术有限公司 Remote attestation method, apparatus, system, storage medium, and computer program product
CN117971347B (en) * 2024-03-28 2024-06-11 中国人民解放军国防科技大学 TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682159A (en) * 2017-10-12 2018-02-09 北京握奇智能科技有限公司 The trusted application management method and trusted application management system of a kind of intelligent terminal
CN108595950A (en) * 2018-04-18 2018-09-28 中南大学 A kind of safe Enhancement Methods of SGX of combination remote authentication
CN109522754A (en) * 2018-11-28 2019-03-26 中国科学院信息工程研究所 A kind of credible isolation environment core control method of mobile terminal
CN110011801A (en) * 2018-11-16 2019-07-12 阿里巴巴集团控股有限公司 Remote certification method and device, the electronic equipment of trusted application

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Method for protecting microkernel OS integrality based on reliable hardware and virtual machine
EP2880587B1 (en) * 2012-08-03 2017-05-10 North Carolina State University Methods, systems, and computer readable medium for active monitoring, memory protection and integrity verification of target devices
US9722775B2 (en) * 2015-02-27 2017-08-01 Verizon Patent And Licensing Inc. Network services via trusted execution environment
CN105260663B (en) * 2015-09-15 2017-12-01 中国科学院信息工程研究所 A kind of safe storage service system and method based on TrustZone technologies
US20180254898A1 (en) * 2017-03-06 2018-09-06 Rivetz Corp. Device enrollment protocol
US10397005B2 (en) * 2017-03-31 2019-08-27 Intel Corporation Using a trusted execution environment as a trusted third party providing privacy for attestation
US10922441B2 (en) * 2018-05-04 2021-02-16 Huawei Technologies Co., Ltd. Device and method for data security with a trusted execution environment
CN108733455B (en) * 2018-05-31 2020-08-18 上海交通大学 Container isolation enhancing system based on ARM TrustZone
CN109086100B (en) * 2018-07-26 2020-03-31 中国科学院信息工程研究所 High-security credible mobile terminal security system architecture and security service method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682159A (en) * 2017-10-12 2018-02-09 北京握奇智能科技有限公司 The trusted application management method and trusted application management system of a kind of intelligent terminal
CN108595950A (en) * 2018-04-18 2018-09-28 中南大学 A kind of safe Enhancement Methods of SGX of combination remote authentication
CN110011801A (en) * 2018-11-16 2019-07-12 阿里巴巴集团控股有限公司 Remote certification method and device, the electronic equipment of trusted application
CN109522754A (en) * 2018-11-28 2019-03-26 中国科学院信息工程研究所 A kind of credible isolation environment core control method of mobile terminal

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
石元兵 ; .基于可信计算的可信应用研究.信息安全与通信保密.2010,(12),第92-94页. *
郑显义 等 ; .系统安全隔离技术研究综述.计算机学报.2016,40(05),第1057-1079页. *

Also Published As

Publication number Publication date
CN111382445A (en) 2020-07-07

Similar Documents

Publication Publication Date Title
CN111382445B (en) Method for providing trusted service by using trusted execution environment system
Tiburski et al. Lightweight security architecture based on embedded virtualization and trust mechanisms for IoT edge devices
KR102110273B1 (en) Chain security systems
JP5497171B2 (en) System and method for providing a secure virtual machine
CN109669734B (en) Method and apparatus for starting a device
JP6053786B2 (en) Firmware-based Trusted Platform Module (TPM) for ARM® Trust Zone implementation
US20160350534A1 (en) System, apparatus and method for controlling multiple trusted execution environments in a system
CN111753311B (en) Method and device for safely entering trusted execution environment in hyper-thread scene
US11714895B2 (en) Secure runtime systems and methods
Bouazzouni et al. Trusted mobile computing: An overview of existing solutions
Ménétrey et al. An exploratory study of attestation mechanisms for trusted execution environments
Bornträger et al. Secure your cloud workloads with IBM Secure Execution for Linux on IBM z15 and LinuxONE III
Scopelliti et al. End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs
Coppola et al. Automation for industry 4.0 by using secure lorawan edge gateways
US12010250B2 (en) Capability enabling method and apparatus
Park et al. TGVisor: A tiny hypervisor-based trusted geolocation framework for mobile cloud clients
US20200167085A1 (en) Operating a secure storage device
Park et al. Design and implementation of trusted sensing framework for IoT environment
Ushakov et al. Trusted hart for mobile RISC-V security
Ribeiro et al. DBStore: A TrustZone-backed Database Management System for Mobile Applications.
CN113966510A (en) Trusted device and computing system
Quaresma TrustZone based Attestation in Secure Runtime Verification for Embedded Systems
EP4174694A1 (en) Method for securely executing an application
Fitzek Development of an ARM TrustZone aware operating system ANDIX OS
POUYANRAD et al. End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant