CN112433824B - Virtualized implementation architecture of password equipment - Google Patents
Virtualized implementation architecture of password equipment Download PDFInfo
- Publication number
- CN112433824B CN112433824B CN202011575763.0A CN202011575763A CN112433824B CN 112433824 B CN112433824 B CN 112433824B CN 202011575763 A CN202011575763 A CN 202011575763A CN 112433824 B CN112433824 B CN 112433824B
- Authority
- CN
- China
- Prior art keywords
- user
- password
- kernel
- encryption
- crypto
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention provides a virtualization implementation architecture of password equipment, which comprises an application program interface, a linux user space encryption interface cryptodev, linux kernel encryption framework Linux Kernel Crypto Framework, an I/O paravirtualization program virtual-Crypto, a QEMU simulator, a password card interface and a physical password equipment driver, wherein the application program interface sends a password service request of a user; the linux user space encryption interface cryptodev sends a user password service request to a user virtual machine kernel state; the linux kernel encryption framework Linux Kernel Crypto Framework provides a data processing interface for calling an encryption algorithm by a kernel state of a user virtual machine; the I/O paravirtualized program Virtio-Crypto is used for sending a password service request of a user in the linux kernel encryption framework Linux Kernel Crypto Framewor to the QEMU simulator; the QEMU simulator is used for calling the password card interface to access the physical password equipment driver program according to the password service request of the user so as to provide password service.
Description
Technical Field
The invention relates to the field of information security, in particular to a virtualization implementation architecture of password equipment.
Background
The existing password service providing mode comprises two modes, wherein the first mode for providing the password service based on the cloud has the advantages of high operation performance, strong system scalability, safe and controllable password operation process and data by a user, suitability for different types of cloud computing environments such as private cloud, public cloud, hybrid cloud and the like, complex system structure and service initialization process, high system deployment cost and suitability for providing security service for a large cloud platform. The second password service providing mode is a mode that a service cloud platform simultaneously provides password service, has the advantages of high operation speed, simple structure and protocol flow and low deployment cost, and has the defects that a cloud service provider is required to provide the service and simultaneously provide the password service, the realization of the password operation by a user is uncontrollable, and the method is suitable for occasions where the user is sensitive to the use cost, has low requirements on safety and is completely trusted by the user.
In order to solve the above problems, an ideal technical solution is always sought.
Disclosure of Invention
The invention aims at overcoming the defects of the prior art, and provides a virtualization implementation architecture of a password device.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows: a virtualized implementation architecture of cryptographic equipment comprises an application program interface, a linux user space encryption interface cryptodev, linux kernel encryption framework Linux Kernel Crypto Framework, an I/O paravirtualized program virtual-Crypto, a QEMU simulator, a cryptographic card interface and a physical cryptographic equipment driver,
the application program interface is deployed in a user state of the user virtual machine and is used for sending a password service request of a user;
the linux user space encryption interface cryptodev is deployed in the user virtual machine and is used for connecting the user state of the user virtual machine and the kernel state of the user virtual machine so as to send a password service request of a user to the kernel state of the user virtual machine;
the linux kernel encryption framework Linux Kernel Crypto Framework is deployed in a kernel state of the user virtual machine, and is used for managing an encryption algorithm and providing a data processing interface for calling the encryption algorithm by the kernel state of the user virtual machine;
the front end driving module of the I/O paravirtualized program Virtio-Crypto is deployed in the linux kernel encryption framework Linux Kernel Crypto Framewor, and the back end processing program of the I/O paravirtualized program Virtio-Crypto is deployed in the QEMU simulator, so as to send a password service request of a user in the linux kernel encryption framework Linux Kernel Crypto Framewor to the QEMU simulator;
the password card interface is deployed in a host user mode and is used for accessing a physical password device driver;
the physical password equipment driver is deployed in a kernel mode of the host and is used for driving the physical password equipment to work and providing password service;
the QEMU simulator is deployed in a host user state and is used for calling the password card interface to access the physical password equipment driver according to a password service request of a user.
Compared with the prior art, the method has the prominent substantive characteristics and remarkable progress, and concretely provides a set of virtualization modes of the password equipment through an application program interface, a linux user space encryption interface cryptodev, linux kernel encryption framework Linux Kernel Crypto Framework, an I/O paravirtualization program virtual-Crypto, a QEMU simulator, a password card interface and a physical password equipment driver, so that a user can directly manage and use the password equipment in the own virtual machine through an API (application program interface), and no more network overhead and management links exist; in the virtualization mode, virtual password equipment and a user virtual machine life cycle coexist, the virtual password equipment is directly allocated and recycled only when the user virtual machine is started and stopped, the problem of intermediate resource recycling does not exist, the whole life cycle of the virtual password equipment is exclusive to a user, and the problem of midway key replacement does not exist, so that the system deployment cost is lower; and because address isolation is performed during hardware allocation, the virtual password equipment is not shared with other users in the cloud environment, has higher security, and is suitable for proprietary private cloud with higher security requirements.
The virtualization is patterned, the cryptodev can also realize a hardware acceleration function, and the data zero replication is realized in the Virtio, so that the acceleration function is realized every time.
Drawings
FIG. 1 is a schematic diagram of a virtualized implementation architecture for a cryptographic device according to the present invention.
Detailed Description
The technical scheme of the invention is further described in detail through the following specific embodiments.
Example 1
As shown in fig. 1, the present embodiment provides a virtualized implementation architecture of a cryptographic device, including an application program interface APP (API), a Linux USER space encryption interface cryptodev, linux kernel encryption framework Linux Kernel Crypto Framework, an I/O paravirtualized program virtual-Crypto, a QEMU simulator, a cryptographic card interface USER API, and a physical cryptographic device driver Dirver for Linux,
the application program interface APP (API) is deployed in a user state Guest user space of the user virtual machine and is used for sending a password service request of the user;
the linux user space encryption interface cryptodev is deployed in the user virtual machine and is used for connecting a user state Guest user space of the user virtual machine and a kernel state Guest kernal space of the user virtual machine so as to send a password service request of a user to the kernel state Guest kernal space of the user virtual machine;
the linux kernel encryption framework Linux Kernel Crypto Framework is deployed in a kernel state Guest kernal space of the user virtual machine, and is used for managing an encryption algorithm and providing a data processing interface for calling the encryption algorithm by the kernel state of the user virtual machine;
the front end driving module of the I/O paravirtualized program Virtio-Crypto is deployed in the linux kernel encryption framework Linux Kernel Crypto Framewor, and the back end processing program of the I/O paravirtualized program Virtio-Crypto is deployed in the QEMU simulator, so as to send a password service request of a user in the linux kernel encryption framework Linux Kernel Crypto Framewor to the QEMU simulator;
the password card interface USER API is deployed in a Host USER mode and used for accessing a physical password device driver;
the physical password device driver Dirver for Linux is deployed in a host kernel mode Host kernal space and is used for driving the physical password device to work and providing password service;
the QEMU simulator is deployed in a Host user mode and used for calling the password card interface to access the physical password equipment driver according to a password service request of a user.
Specifically, the workflow of the virtualization implementation architecture includes the following steps:
a user sends a password service request of the user through an application program interface APP (API);
after the Cryptodev-linux receives the password service request of the user, the password service request of the user is transmitted to the kernel state Guest kernal space of the user virtual machine;
the user virtual machine kernel Guest kernal space calls an encryption algorithm in the linux kernel encryption framework Linux Kernel Crypto Framework to process a password service request of a user;
the front end driving module of the I/O paravirtualized program Virtio-Crypto obtains a password service request of a user from the linux kernel encryption framework and sends the password service request to the rear end processing program of the I/O paravirtualized program Virtio through the intermediate communication module;
the QEMU simulator intercepts the password service request of the user and calls the password card interface to access the physical password equipment of the bottom layer so as to provide password service.
Specifically, the cryptodev is a linux encryption interface implementation mode, is based on a linux original encryption interface, does not need any modification by hardware drive, has high encryption execution efficiency, has simpler compiling and installing steps, and can be used only by simultaneously inserting the cryptodev. Ko and the hardware encryption engine drive ko.
When the method is used, the cryptodev is deployed in the user virtual machine, the device which is used as an encryption frame capable of being directly connected with the linux kernel is connected with the user state and the kernel state, the capability of hardware acceleration can be fully exerted in the user space, the user accesses the cryptodev at the user state virtual machine end through an API provided by a dynamic library, the API is compatible with an OPENBSD user state API, and the cryptodev provides a standard mode to enable an application program to access the password resources of the kernel layer at the user state of the user virtual machine.
The Linux kernel encryption framework (Linux Kernel Crypto Framework) is a set of general crypto algorithm framework realized by the kernel and is used for providing the cryptographic resources of the kernel, and is an independent subsystem, and the source code is positioned under the kernel/crypto; the unified management of the algorithm is realized, and a unified data processing interface is provided for other subsystems to use; based on the framework, a user can add an encryption algorithm which can be realized by using physical password equipment to the linux kernel encryption framework according to the requirement, and the linux kernel encryption framework is loaded to the kernel state of the user virtual machine at the beginning of system starting.
Linux Kernel Crypto Framework passes the user's cryptographic service request to the host through the virtio front-end and back-end drivers.
The Virtio is an I/O paravirtualized solution, is a set of general I/O equipment virtualized program, is an abstraction of a set of general I/O equipment in paravirtualized hypervisors, provides a set of communication framework and programming interfaces between upper-layer application and each hypervisors virtualized equipment, reduces compatibility problems brought by cross-platform, and greatly improves development efficiency of a driving program.
The virtual io uses virtual queue to implement the I/O mechanism, and each virtual queue is a queue carrying a large amount of data, so that the number of virtual queues can be dynamically adjusted according to the requirement. Virtqueue is a simple structure that identifies an optional callback function, a reference to virtual_device, a reference to the Virtqueue operation, and a priv reference to use by the reference.
In specific implementation, the Virtio comprises a front end driving module Virtio-FE Driver and a rear end processing program Virtio-BE Driver, wherein the front end driving module Virtio-FE Driver exists in the virtual machine, and the rear end processing program Virtio-BE Driver exists in the QEMU.
An intermediate layer is also defined between the front-end driving module virtual IO-FE Driver and the back-end processing program virtual IO-BE Driver to support communication between the virtual machine and the Qemu.
No matter what virtualization platform is, the virtual machines are operated in host memory or share the same memory, so that data do not need to be copied between different areas of the same memory, and only simple address remapping is needed. Thus achieving data zero replication at Virtio. Taking network transmission as an example, after receiving the data packet, the host machine forwards the data packet according to the destination MAC address, which essentially shares the data to the user space application program, i.e., QEMU, to realize the communication between the host machine and the virtual machine.
The QEMU intercepts and calls a real password card interface USER API to access the physical password equipment of the bottom layer in a host USER state.
Finally, it should be noted that the above-mentioned embodiments are only for illustrating the technical scheme of the present invention and are not limiting; while the invention has been described in detail with reference to the preferred embodiments, those skilled in the art will appreciate that: modifications may be made to the specific embodiments of the present invention or equivalents may be substituted for part of the technical features thereof; without departing from the spirit of the invention, it is intended to cover the scope of the invention as claimed.
Claims (2)
1. A virtualized implementation architecture for cryptographic devices, characterized by: comprises an application program interface, a linux user space encryption interface cryptodev, linux kernel encryption framework Linux Kernel Crypto Framework, an I/O paravirtualized program virtual-Crypto, a QEMU simulator, a password card interface and a physical password device driver,
the application program interface is deployed in a user state of the user virtual machine and is used for sending a password service request of a user;
the linux user space encryption interface cryptodev is deployed in the user virtual machine and is used for connecting the user state of the user virtual machine and the kernel state of the user virtual machine so as to send a password service request of a user to the kernel state of the user virtual machine;
the linux kernel encryption framework Linux Kernel Crypto Framework is deployed in a kernel state of the user virtual machine, and is used for managing an encryption algorithm and providing a data processing interface for calling the encryption algorithm by the kernel state of the user virtual machine;
the front end driving module of the I/O paravirtualized program Virtio-Crypto is deployed in the linux kernel encryption framework Linux Kernel Crypto Framewor, and the back end processing program of the I/O paravirtualized program Virtio-Crypto is deployed in the QEMU simulator, so as to send a password service request of a user in the linux kernel encryption framework Linux Kernel Crypto Framewor to the QEMU simulator;
the password card interface is deployed in a host user mode and is used for accessing a physical password device driver;
the physical password equipment driver is deployed in a kernel mode of the host and is used for driving the physical password equipment to work and providing password service;
the QEMU simulator is deployed in a host user state and is used for calling the password card interface to access the physical password equipment driver according to a password service request of a user.
2. The virtualized implementation architecture for a cryptographic device of claim 1, wherein: and the user can add an encryption algorithm which can be realized by using physical password equipment to the linux kernel encryption frame according to the requirement, and load the linux kernel encryption frame into the kernel state of the user virtual machine at the beginning of system starting.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011575763.0A CN112433824B (en) | 2020-12-28 | 2020-12-28 | Virtualized implementation architecture of password equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011575763.0A CN112433824B (en) | 2020-12-28 | 2020-12-28 | Virtualized implementation architecture of password equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112433824A CN112433824A (en) | 2021-03-02 |
| CN112433824B true CN112433824B (en) | 2023-06-20 |
Family
ID=74697003
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011575763.0A Active CN112433824B (en) | 2020-12-28 | 2020-12-28 | Virtualized implementation architecture of password equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112433824B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113626156A (en) * | 2021-10-14 | 2021-11-09 | 云宏信息科技股份有限公司 | Encryption method and system for virtual machine disk and computer readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101968746A (en) * | 2010-09-02 | 2011-02-09 | 北京航空航天大学 | Method for implementing organizational architecture mode of kernel-based virtual machine (KVM) |
| CN104461678A (en) * | 2014-11-03 | 2015-03-25 | 中国科学院信息工程研究所 | Method and system for providing password service in virtualized environment |
| CN111782344A (en) * | 2020-07-02 | 2020-10-16 | 北京数字认证股份有限公司 | Method and system for providing password resources and host machine |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR102295960B1 (en) * | 2015-02-10 | 2021-09-01 | 한국전자통신연구원 | Apparatus and method for security service based virtualization |
| CN105184154B (en) * | 2015-09-15 | 2017-06-20 | 中国科学院信息工程研究所 | A kind of system and method that crypto-operation service is provided in virtualized environment |
| CN107634950A (en) * | 2017-09-19 | 2018-01-26 | 重庆大学 | A kind of method that unloading SSL/TLS agreements are designed using pipeline hardware |
-
2020
- 2020-12-28 CN CN202011575763.0A patent/CN112433824B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101968746A (en) * | 2010-09-02 | 2011-02-09 | 北京航空航天大学 | Method for implementing organizational architecture mode of kernel-based virtual machine (KVM) |
| CN104461678A (en) * | 2014-11-03 | 2015-03-25 | 中国科学院信息工程研究所 | Method and system for providing password service in virtualized environment |
| CN111782344A (en) * | 2020-07-02 | 2020-10-16 | 北京数字认证股份有限公司 | Method and system for providing password resources and host machine |
Non-Patent Citations (2)
| Title |
|---|
| 基于KVM-QEMU与Libvirt的虚拟化资源池构建;姚华超;王振宇;;计算机与现代化(07);全文 * |
| 密码卡虚拟化技术研究与实现;苏振宇;;集成技术(03);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112433824A (en) | 2021-03-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7941812B2 (en) | Input/output virtualization through offload techniques | |
| US8832688B2 (en) | Kernel bus system with a hyberbus and method therefor | |
| EP2831732B1 (en) | System and method for supporting live migration of virtual machines in an infiniband network | |
| US9397954B2 (en) | System and method for supporting live migration of virtual machines in an infiniband network | |
| US8849941B2 (en) | Virtual desktop configuration and operation techniques | |
| US9225596B2 (en) | Undifferentiated service domains | |
| JP5275407B2 (en) | Method for network interface shared by multiple virtual machines | |
| CN108228316B (en) | Method and device for virtualizing password device | |
| US7743107B2 (en) | System and method for using remote module on VIOS to manage backups to remote backup servers | |
| EP2648098A2 (en) | System and method for migrating application virtual machines in a network environment | |
| US20180329828A1 (en) | Kernel-assisted inter-process data transfer | |
| US20080189432A1 (en) | Method and system for vm migration in an infiniband network | |
| US20090083829A1 (en) | Computer system | |
| US20120110574A1 (en) | Methods and systems to clone a virtual machine instance | |
| US8091086B1 (en) | System and method for virtualization using an open bus hypervisor | |
| US20070198243A1 (en) | Virtual machine transitioning from emulating mode to enlightened mode | |
| CN103207965A (en) | Method and device for License authentication in virtual environment | |
| CN112433824B (en) | Virtualized implementation architecture of password equipment | |
| US11954198B2 (en) | Unifying hardware trusted execution environment technologies using virtual secure enclave device | |
| CN113242175B (en) | Storage gateway based on SPDK and implementation method thereof | |
| CN116418522A (en) | Cloud server crypto-engine system based on virtualization technology | |
| WO2007123025A1 (en) | Technique of controlling communication of installed apparatus with outside by means of proxy server | |
| US20230138867A1 (en) | Methods for application deployment across multiple computing domains and devices thereof | |
| US20240126580A1 (en) | Transparently providing virtualization features to unenlightened guest operating systems | |
| LU500447B1 (en) | Nested isolation host virtual machine |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |