CN112651018A - SGX-based trusted input and output control method, device, equipment and storage medium - Google Patents


Info

Publication number: CN112651018A
Authority: CN (China)
Prior art keywords: enclave, input, user application, output driver, application program
Legal status: Granted
Application number: CN202011506823.3A
Other languages: Chinese (zh)
Other versions: CN112651018B (en)
Inventor: 吴良顺
Current Assignee: Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Original Assignee: Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Application filed by Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Priority to CN202011506823.3A
Publication of CN112651018A
Application granted
Publication of CN112651018B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to an SGX-based trusted input/output control method and apparatus, a computer device and a storage medium. An encryption channel is set up between the enclave and the input/output program, so that sensitive data is transmitted trustworthily between the enclave and the input/output device, which further improves the security of the enclave's data transmission. The method comprises the following steps: establishing a first enclave for running a user application program, where an encryption channel is used for data transmission between the user application program and an input/output driver program; acquiring sensitive data input by user equipment using the input/output driver, transmitting the sensitive data from the input/output driver to the user application program through the input/output channel, and running the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result; and transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and on to the user equipment.

Description

SGX-based trusted input and output control method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a trusted input/output control method and apparatus based on an SGX, a computer device, and a storage medium.
Background
As software complexity and the sophistication of attacks increase, the security of mobile environments and cloud platforms requires stricter hardware and platform security mechanisms, and traditional software encryption technology is no longer sufficient to protect the security of the whole computer operating system. For this reason, Intel introduced SGX (Software Guard Extensions), an architectural extension to Intel processors for enhancing software security, which encapsulates the sensitive data and key code of a software program in an enclave (also called a security zone) to protect it from attack by malicious software. The term enclave is borrowed from human geography, where it denotes a territory belonging to one entity that lies within the borders of another. The access rights to an enclave are very high: neither privileged nor non-privileged software can access the enclave. Once software and data are in an enclave, even operating system administrators and virtual machine monitors cannot affect the code and data inside it.
However, SGX lacks support for generic trusted I/O paths and therefore cannot protect user input/output data between enclaves and I/O devices.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a method, an apparatus, a computer device and a storage medium for SGX-based trusted input/output control.
A method of SGX-based trusted input output control, the method comprising:
establishing a first enclave running a user application program, data transmission being carried out between the user application program and the input/output driver using an encryption channel;
acquiring sensitive data input by user equipment using the input/output driver, and transmitting the sensitive data from the input/output driver to the user application program through the encryption channel;
running the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result;
and transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and transmitting the data processing result to user equipment.
In one embodiment, after the establishing of the first enclave running the user application, the method includes:
and establishing a symmetric key between the first enclave and the input/output driver by using a key exchange algorithm, and establishing the encryption channel based on the symmetric key.
In one embodiment, establishing a symmetric key between the first enclave and the input output driver using a key exchange algorithm, and establishing the encryption channel based on the symmetric key includes:
establishing a second enclave running the input/output driver;
the first enclave generating a local authentication report on a random enclave for the second enclave; the local authentication report is generated based on a physical address of the first enclave and an identity of the random enclave;
the first enclave sending the identity of the random enclave to the second enclave, so that the second enclave calculates a physical address of the first enclave based on the identity of the random enclave;
the first enclave and the second enclave use a physical address of the first enclave as a symmetric key and establish the encryption channel using the symmetric key and a symmetric encryption algorithm.
In one embodiment, the method further comprises:
the input output driver routing the sensitive data to a first virtual device; the device class of the first virtual device is matched with the device class of the user equipment;
the first virtual device communicates the sensitive data to an operating system.
In one embodiment, the method further comprises:
when the user application requests to transmit the sensitive data through the encrypted channel, the input output driver redirects the sensitive data from the first virtual device to the second virtual device through the encrypted channel;
the sensitive data of the second virtual device is forwarded to the operating system through the encryption channel.
In one embodiment, the method comprises:
establishing a third enclave running a trusted boot program;
the third enclave runs the trusted boot program for a virtual machine monitor to obtain a platform configuration register (PCR) value and verifies that register value;
and if the verification is successful, transmitting the authentication result to the user application program through the input and output driver.
In one embodiment, the input output driver is hosted and protected by a virtual machine monitor.
An SGX-based trusted input-output control apparatus, the apparatus comprising:
the enclave establishing module is used for establishing a first enclave for running a user application program; the user application program and the input/output driver program use an encryption channel for data transmission;
the sensitive data acquisition module is used for acquiring sensitive data input by user equipment by using the input/output driver and transmitting the sensitive data from the input/output driver to the user application program through the encryption channel;
the sensitive data processing module is used for operating the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result;
and the data processing result transmission module is used for transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and transmitting the data processing result to the user equipment.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the SGX-based trusted input output control method as described above when the processor executes the computer program.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the SGX-based trusted input output control method as described above.
According to the SGX-based trusted input/output control method, the SGX-based trusted input/output control apparatus, the computer device and the storage medium, a first enclave for running a user application program is established, where an encryption channel is used for data transmission between the user application program and an input/output driver program; sensitive data input by user equipment is acquired using the input/output driver, the sensitive data is transmitted from the input/output driver to the user application program through the input/output channel, and the user application program is run in the first enclave so that it processes the sensitive data to obtain a data processing result; and the data processing result is transmitted from the user application program to the input/output driver program through the encryption channel and on to the user equipment. By setting up the encryption channel between the enclave and the input/output program, the method ensures trusted transmission of the sensitive data between the enclave and the input/output device and further improves the security of the enclave's data transmission.
Drawings
FIG. 1 is a diagram of an application environment of a trusted input output control method based on SGX in one embodiment;
FIG. 2 is a schematic flow chart illustrating an SGX-based trusted input/output control method according to an embodiment;
FIG. 3 is a flow diagram illustrating the encrypted channel establishment step in one embodiment;
FIG. 4 is a diagram of an application architecture of a SGX-based trusted input output control method in another embodiment;
FIG. 5 is a block diagram of an SGX-based trusted input output control device in one embodiment;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The SGX-based trusted input/output control method can be applied to the application environment shown in FIG. 1, in which the user equipment 101 communicates with the server 102 over a network. The user equipment 101 may be, but is not limited to, various personal computer devices including character devices such as a keyboard, a mouse and a display, and may also be a virtual device such as a virtual keyboard or a virtual mouse. The server 102 may be implemented as an independent server, as a server cluster composed of a plurality of servers, or as a cloud server.
In one embodiment, as shown in fig. 2, an SGX-based trusted input output control method is provided, which is described by taking the server 102 in fig. 1 as an example, and includes the following steps:
step S201, establishing a first enclave for running a user application program; and the user application program and the input/output driver program use an encryption channel for data transmission.
An enclave is a set of dedicated physical memory created within the memory resources of the server 102; it protects the execution of key program code and the processing of sensitive data.
Specifically, a first enclave is created by a processor that supports the SGX mechanism, and a user application program runs inside it. The user application program may be a piece of key code of an application, such as the code that handles a user account number and password in a banking system. The user application program, or key program code, exchanges data with the user equipment through an input/output driver, i.e. an I/O driver, and the user application running in the first enclave uses an encrypted channel for its data transmission with the I/O driver.
Step S202, the sensitive data input by the user equipment is obtained by using the input/output driver, and the sensitive data is transmitted from the input/output driver to the user application program through the encryption channel.
Specifically, the sensitive data input by the user equipment is acquired through an I/O driver, for example, the sensitive data input by a keyboard may be acquired through the keyboard driver, or the sound data input by the user through the sound input device may be acquired through a sound card, and the I/O driver transmits the received sensitive data to the user application program in the first enclave through an encryption channel.
Step S203, running the user application in the first enclave, so that the user application processes the sensitive data to obtain a data processing result.
Specifically, the user application program or the key program code is run in the first enclave, and the received sensitive data is processed by the user application program to obtain a data processing result.
And step S204, transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and transmitting the data processing result to the user equipment.
Specifically, the first enclave transmits the data processing result to the I/O driver through the encryption channel, and transmits the data processing result to the user equipment, for example, to other equipment such as a display screen.
In this embodiment, a first enclave for running a user application program is established, where an encryption channel is used for data transmission between the user application program and an input/output driver program; sensitive data input by user input equipment is acquired using the input/output driver, the sensitive data is transmitted from the input/output driver to the user application program through the input/output channel, and the user application program is run in the first enclave so that it processes the sensitive data to obtain a data processing result; and the data processing result is transmitted from the user application program to the input/output driver program through the encryption channel and on to the user output equipment. By setting up the encryption channel between the enclave and the input/output program, the method ensures trusted transmission of the sensitive data between the enclave and the input/output device and further improves the security of the enclave's data transmission.
In an embodiment, after the step S201, the method includes: and establishing a symmetric key between the first enclave and the input/output driver by using a key exchange algorithm, and establishing an encryption channel based on the symmetric key.
Specifically, to open a trusted path, the user application sets an encrypted channel to a secure I/O driver. The encrypted channel protects sensitive users' I/O from untrusted operating systems. To open such a channel, the user application needs to share an encryption key with the driver through some form of key exchange (e.g., Diffie-Hellman key exchange) as a symmetric key and use the symmetric key to establish an encryption channel, such as encrypting data to be transmitted through a symmetric encryption algorithm and transmitting the encrypted data.
In the embodiment, the encryption channel is established between the user application program and the I/O driver by using the key exchange algorithm, so that sensitive data in the enclave is further protected from being intercepted and damaged by malicious programs in the transmission process, and a trusted I/O mechanism is established.
In an embodiment, as shown in fig. 3, fig. 3 illustrates a step of establishing a trusted I/O path, where the establishing a symmetric key between the first enclave and the input/output driver using a key exchange algorithm, and establishing an encryption channel based on the symmetric key includes:
step S301, establishing a second enclave for operating an input/output driver;
Specifically, the CPU establishes in memory a second enclave that runs the I/O driver.
Step S302, the first enclave generates a local authentication report on a random enclave aiming at the second enclave; the local authentication report is generated based on the physical address of the first enclave and the identity of the random enclave.
Specifically, the first enclave running the user application generates a local authentication report on a random enclave for the second enclave running the I/O driver, where the local authentication report is generated according to the Media Access Control (MAC) address of the first enclave and the ID (identity) of the random enclave. The first enclave does not deliver the actual local authentication report to the second enclave; it keeps the report private and uses the MAC of the local authentication report as the symmetric key.
Step S303, the first enclave sends the identity of the random enclave to the second enclave, so that the second enclave calculates a physical address of the first enclave based on the identity of the random enclave.
Specifically, the first enclave running the user application sends the ID (identity) of the random enclave to the second enclave running the I/O driver, which can recompute the MAC of the first enclave from the ID of the random enclave and so obtain the same key.
In step S304, the first enclave and the second enclave use the physical address of the first enclave as a symmetric key, and establish an encryption channel using the symmetric key and a symmetric encryption algorithm.
Specifically, the MAC address of the first enclave is used as the symmetric key, the sensitive data is encrypted with it by a symmetric encryption algorithm, and the encrypted data is transmitted between the first enclave and the second enclave.
The above embodiment provides a lightweight key exchange scheme based on local authentication (local attestation) that connects the user application to the secure I/O driver over an encrypted channel, enabling reliable transmission of data.
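To make the two-enclave key establishment of steps S301 to S304 and the encrypted channel of steps S202 to S204 concrete, the following Go program is an added example written for this page; it is neither the patent's code nor Intel's SDK. It simulates the SGX instructions involved: egetkey stands in for EGETKEY, ereport for EREPORT, the CPU root key and the enclave measurements are constructed values, and HMAC-SHA256 replaces the AES-CMAC that real SGX uses. It reads the page's "MAC of the local authentication report" as the report's message authentication code, which is what SGX local attestation produces and which only the target enclave can recompute with its own report key (this reading is the example's assumption). The channel uses AES-256-GCM from the Go standard library, and the password-length check is a placeholder for the user application's key code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed stand-ins for the CPU root key and the enclaves' measurements (MRENCLAVE).
var cpuRootKey = []byte("constructed-cpu-root-key-not-a-real-secret")
var mrUserApp = sha256.Sum256([]byte("first enclave: user application"))
var mrDriver = sha256.Sum256([]byte("second enclave: I/O driver"))

// egetkey models EGETKEY(REPORT_KEY): the key is bound to the calling enclave's measurement.
func egetkey(mr [32]byte) []byte {
	m := hmac.New(sha256.New, cpuRootKey)
	m.Write([]byte("REPORT_KEY|"))
	m.Write(mr[:])
	return m.Sum(nil)
}

// reportMAC is the MAC of a local authentication report whose body is the reporting
// enclave's measurement plus the random enclave's identity (S302); HMAC-SHA256 stands in for AES-CMAC.
func reportMAC(reportKey []byte, mrSelf [32]byte, randomID []byte) []byte {
	m := hmac.New(sha256.New, reportKey)
	m.Write(append(append([]byte("REPORT|"), mrSelf[:]...), randomID...))
	return m.Sum(nil)
}

// ereport models EREPORT: the CPU MACs the report with the target enclave's key; the first enclave gets only the MAC.
func ereport(mrSelf, mrTarget [32]byte, randomID []byte) []byte {
	return reportMAC(egetkey(mrTarget), mrSelf, randomID)
}

// gcm, seal and open form the encryption channel of S202 and S204: AES-256-GCM keyed
// directly with the 32-byte report MAC (S304), nonce prepended to each ciphertext.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// TrustedPathRoundTrip runs S302-S304 (key establishment) and then S202-S204 (driver ->
// first enclave -> driver); the password-length check stands in for the bank-system example.
func TrustedPathRoundTrip(keyboardInput []byte) (string, error) {
	randomID := make([]byte, 16)
	if _, err := rand.Read(randomID); err != nil {
		return "", err
	}
	appKey := ereport(mrUserApp, mrDriver, randomID) // S302: kept private by the first enclave
	driverKey := reportMAC(egetkey(mrDriver), mrUserApp, randomID) // S303: recomputed from the identity alone
	toApp, err := seal(driverKey, keyboardInput) // S202: driver sends the sensitive input
	if err != nil {
		return "", err
	}
	input, err := open(appKey, toApp) // S203: the enclave decrypts and processes it
	if err != nil {
		return "", err
	}
	result := "rejected: password too short"
	if len(input) >= 8 {
		result = "accepted"
	}
	toDriver, err := seal(appKey, []byte(result)) // S204: the result goes back the same way
	if err != nil {
		return "", err
	}
	out, err := open(driverKey, toDriver)
	return string(out), err
}
```

The point the simulation makes is that the only thing crossing the untrusted operating system during key establishment is the random enclave's identity; the key itself is never transmitted, because both sides can compute the same MAC and nobody else holds the second enclave's report key. A real deployment would additionally pin the first enclave's measurement on the driver side so that an arbitrary enclave cannot claim the trusted path.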
In an embodiment, the method further includes: the input output driver routes the sensitive data to the first virtual device; the equipment class of the first virtual equipment is matched with the equipment class of the user equipment; the first virtual device passes the sensitive data to the operating system.
In particular, the I/O drivers handle the data flow to and from each user device and forward it to the operating system or to user applications. Since many user devices (e.g. human interface devices or graphics cards) may be shared between the untrusted operating system and the user application (User App), the I/O drivers must multiplex the data flow between these security domains. The present application provides a domain multiplexing technique: the driver offers its services to the operating system through two separate virtual devices. During normal operation, the driver simply routes the unmodified data stream to the first virtual device, which matches the device class of the user device, and the first virtual device passes the data to the operating system.
In the above embodiment, the first virtual device is established to transfer data, so that transparent access to the user device is provided for the operating system.
In an embodiment, the method further includes: when a user application program requests to transmit sensitive data through an encryption channel, an input/output driver redirects the sensitive data from a first virtual device to a second virtual device through the encryption channel; the second virtual device forwards the sensitive data to the operating system through the encryption channel.
Specifically, if the User App requests a trusted path, the driver redirects all traffic to the second virtual device, but in encrypted form. The User App, which knows the correct decryption key, can access this second virtual device, and the data is routed through the second virtual device to the untrusted operating system. The second virtual device may be any standard character device that simply forwards the encrypted data stream. For example, the driver may implement spatial partitioning of the graphics card's frame buffer to allow secure screen overlays. Alternatively, it may intercept and mask certain keystrokes in order to react to a security attention sequence.
In the embodiment, domain multiplexing is realized by setting the second virtual device, and the security of programs or data in the enclave is improved.
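The domain multiplexing of the two embodiments above (first virtual device in plaintext during normal operation, second virtual device carrying only ciphertext once the user application requests a trusted path, and masking of a security attention sequence) can be modelled as follows. This Go program is an added example, not the patent's driver code: the virtual device names, the channel key, the input records and the security attention sequence string are all constructed, and AES-GCM from the Go standard library stands in for whatever symmetric algorithm the driver enclave would use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// VirtualDevice is one of the two character devices the driver exposes to the
// operating system; Stream is what the OS can read from it, in order.
type VirtualDevice struct {
	Name   string
	Stream [][]byte
}

// Driver multiplexes one physical user device between the untrusted OS (first
// virtual device, plaintext) and a user application that has requested a trusted
// path (second virtual device, ciphertext only).
type Driver struct {
	Plain       *VirtualDevice
	Secure      *VirtualDevice
	trustedPath bool
	channelKey  []byte // key shared with the user application enclave (constructed here)
	sas         []byte // security attention sequence the driver intercepts and masks
}

func NewDriver(channelKey, sas []byte) *Driver {
	return &Driver{
		Plain:      &VirtualDevice{Name: "vkbd0 (plain, OS-visible)"},
		Secure:     &VirtualDevice{Name: "vkbd1 (encrypted, trusted path)"},
		channelKey: channelKey,
		sas:        sas,
	}
}

// RequestTrustedPath is called by the user application to redirect the device's
// traffic from the first virtual device to the second, and back when it is done.
func (d *Driver) RequestTrustedPath(on bool) { d.trustedPath = on }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Deliver handles one input record from the physical device and reports which
// virtual device received it, or "masked" for an intercepted security attention sequence.
func (d *Driver) Deliver(record []byte) (string, error) {
	if bytes.Equal(record, d.sas) {
		return "masked", nil // handled by the driver itself, never forwarded to any domain
	}
	if !d.trustedPath {
		d.Plain.Stream = append(d.Plain.Stream, record) // normal operation: unmodified stream
		return d.Plain.Name, nil
	}
	g, err := gcmFor(d.channelKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	d.Secure.Stream = append(d.Secure.Stream, g.Seal(nonce, nonce, record, nil))
	return d.Secure.Name, nil
}

// UserAppRead is the enclave side: it reads the second virtual device through the
// untrusted OS and decrypts each record with the shared key. The OS only ever
// sees the ciphertext held in dev.Stream.
func UserAppRead(channelKey []byte, dev *VirtualDevice) ([]string, error) {
	g, err := gcmFor(channelKey)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ct := range dev.Stream {
		if len(ct) < g.NonceSize() {
			return nil, errors.New("malformed record on the second virtual device")
		}
		pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}
```

Because every record on the second virtual device is authenticated as well as encrypted, an operating system that tampers with the stream is detected by the enclave when decryption fails, rather than silently feeding the application altered input.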
In an embodiment, the method further includes: establishing a third enclave running a trusted boot program; the third enclave runs a trusted bootstrap program aiming at the virtual machine monitoring program to acquire a platform register value and verifies the register value of the platform; and if the verification is successful, transmitting the authentication result to the user application program through the input and output driver program.
In particular, a third enclave is established that runs a trusted boot program, which allows the integrity of the hypervisor to be verified by performing a measured boot of all boot code. Without it, malware could silently hook into the boot process and disable any protection the hypervisor provides. All measurements are accumulated in a Platform Configuration Register (PCR) of a TPM (Trusted Platform Module). The final PCR value reflects the entire boot process: if any boot stage deviates from the normal boot sequence, the PCR will hold a wrong value. The process is as follows. The Trusted Boot (TB) enclave authenticates the hypervisor once. To verify the hypervisor, the TB enclave needs to check the PCR values obtained during the trusted boot, so it requests a TPM Quote, which contains a cryptographic signature over the PCR value and a fresh nonce. If hypervisor authentication succeeds, any driver enclave running on the system may query the TB enclave for approval, and the driver enclave in turn may pass the authentication result on to the user application (User App).
According to the embodiment, trusted authentication is performed on the enclave, the operating system and the virtual machine monitoring program in the whole server through trusted guidance, so that the running reliability of the program is improved, and the program is prevented from being damaged by malicious programs.
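The trusted-boot embodiment describes a measured boot whose stages are accumulated into a TPM PCR, a quote over that PCR and a fresh nonce, and a Trusted Boot enclave that compares the result against the expected value before any driver enclave may ask it for approval. The Go program below is an added example and not the patent's implementation: it simulates the PCR extend operation and the TPM quote with SHA-256 and an Ed25519 key from the Go standard library (a real TPM uses its own attestation key and quote format), and the boot stage contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pcrExtend models the TPM extend operation, PCR' = H(PCR || measurement). A PCR
// can only be extended, never written, so the final value depends on every
// measurement and on the order in which they were recorded.
func pcrExtend(pcr [32]byte, measurement []byte) [32]byte {
	h := sha256.New()
	h.Write(pcr[:])
	h.Write(measurement)
	var next [32]byte
	copy(next[:], h.Sum(nil))
	return next
}

// measuredBoot runs the boot chain: each stage measures the next stage's code
// into the PCR before handing over control. It returns the final PCR value.
func measuredBoot(stages [][]byte) [32]byte {
	var pcr [32]byte // PCRs are zero at platform reset
	for _, code := range stages {
		digest := sha256.Sum256(code)
		pcr = pcrExtend(pcr, digest[:])
	}
	return pcr
}

// TPM holds an attestation signing key and the PCR produced by the boot.
type TPM struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	pcr  [32]byte
}

func NewTPM(pcr [32]byte) (*TPM, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TPM{Pub: pub, priv: priv, pcr: pcr}, nil
}

// quoteMessage is the signed payload: the verifier's nonce bound to the PCR value.
func quoteMessage(nonce []byte, pcr [32]byte) []byte {
	return append(append([]byte("TPM_QUOTE|"), nonce...), pcr[:]...)
}

// Quote returns the PCR value and a signature over (nonce, PCR).
func (t *TPM) Quote(nonce []byte) ([32]byte, []byte) {
	return t.pcr, ed25519.Sign(t.priv, quoteMessage(nonce, t.pcr))
}

// TrustedBootEnclave is the third enclave: it knows the PCR value a correct boot
// produces (Golden) and the TPM's public key, and verifies the hypervisor once.
type TrustedBootEnclave struct {
	Golden   [32]byte
	TPMPub   ed25519.PublicKey
	approved bool
}

// VerifyHypervisor requests a quote with a fresh nonce, checks the signature (and
// with it the nonce binding), then compares the PCR against the golden value.
func (tb *TrustedBootEnclave) VerifyHypervisor(tpm *TPM) (bool, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	pcr, sig := tpm.Quote(nonce)
	if !ed25519.Verify(tb.TPMPub, quoteMessage(nonce, pcr), sig) {
		return false, errors.New("quote signature invalid or not bound to our nonce")
	}
	if pcr != tb.Golden {
		return false, errors.New("PCR mismatch: a boot stage deviated from the expected chain")
	}
	tb.approved = true
	return true, nil
}

// Approval is what a driver enclave queries after the one-time verification and
// then forwards to the user application as the authentication result.
func (tb *TrustedBootEnclave) Approval() bool { return tb.approved }
```

The nonce is what makes the quote fresh: without it a recorded quote from an earlier, correct boot could be replayed to the Trusted Boot enclave after the hypervisor had been replaced.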
In one embodiment, as shown in FIG. 4, FIG. 4 is an application architecture diagram of an embodiment in which an input output driver is hosted and protected by a virtual machine monitor.
In particular, hypervisors are responsible for running untrusted operating systems in VMs (Virtual machines), and loading drivers and binding user devices to these drivers. At system boot, the hypervisor may statically load drivers for permanently installed user devices, such as notebook keyboards and video cards. Drivers for plug and play devices (such as USB) may be dynamically loaded by the hypervisor.
In the embodiment, the application range of the technology is widened by designing the virtual machine monitoring program and setting the corresponding driver loading mode.
It should be understood that although the steps in the flowcharts of FIGS. 2 to 4 are shown in an order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in FIGS. 2 to 4 may comprise multiple sub-steps or stages, which need not be performed at the same time but may be performed at different times, and whose order is not necessarily sequential; they may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 5, there is provided an SGX-based trusted input/output control apparatus 500, comprising an enclave establishing module 501, a sensitive data acquiring module 502, a sensitive data processing module 503, and a data processing result transmitting module 504, where:
the enclave establishing module is used for establishing a first enclave for running a user application program; and the user application program and the input/output driver program use an encryption channel for data transmission.
And the sensitive data acquisition module is used for acquiring sensitive data input by user equipment by using the input/output driver and transmitting the sensitive data from the input/output driver to the user application program through the encryption channel.
And the sensitive data processing module is used for operating the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result.
And the data processing result transmission module is used for transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and transmitting the data processing result to the user equipment.
In an embodiment, the apparatus further includes an encryption channel establishing unit configured to establish a symmetric key between the first enclave and the input/output driver using a key exchange algorithm, and to establish the encryption channel based on the symmetric key.
In an embodiment, the enclave establishing module 501 is further configured to establish a second enclave for running the input/output driver, and the encryption channel establishing unit is further configured to perform the following: the first enclave generates a local authentication report on a random enclave for the second enclave, the local authentication report being generated based on a physical address of the first enclave and an identity of the random enclave; the first enclave sends the identity of the random enclave to the second enclave, so that the second enclave calculates the physical address of the first enclave based on the identity of the random enclave; and the first enclave and the second enclave use the physical address of the first enclave as the symmetric key and establish the encryption channel using the symmetric key and a symmetric encryption algorithm.
In an embodiment, the input/output driver routes the sensitive data to a first virtual device whose device class matches the device class of the user equipment, and the first virtual device communicates the sensitive data to an operating system.
In an embodiment, when the user application requests transmission of the sensitive data through the encryption channel, the input/output driver redirects the sensitive data from the first virtual device to a second virtual device through the encryption channel, and the second virtual device forwards the sensitive data to the operating system through the encryption channel.
In an embodiment, the enclave establishing module 501 is further configured to establish a third enclave running a trusted boot program; the third enclave runs the trusted boot program so that a virtual machine monitor obtains a platform register value, and verifies the platform register value; if the verification succeeds, the authentication result is transmitted to the user application program through the input/output driver.
In an embodiment, the input/output driver is hosted and protected by a virtual machine monitor.
For specific limitations of the SGX-based trusted input/output control apparatus, reference may be made to the limitations of the SGX-based trusted input/output control method given above, which are not repeated here. The various modules of the SGX-based trusted input/output control apparatus described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules can be embedded in hardware form in, or be independent of, the processor of the computer device, or can be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server; its internal structure may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program held in the non-volatile storage medium. The database of the computer device is used for storing sensitive data, user data and data processing results. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements the SGX-based trusted input/output control method.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory in which a computer program is stored and a processor which, when executing the computer program, implements the steps of the SGX-based trusted input/output control method described above.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored; the computer program, when executed by a processor, implements the steps of the SGX-based trusted input/output control method described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but any such combination should be considered within the scope of the present specification as long as there is no contradiction between the combined technical features.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but this is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for SGX-based trusted input/output control, the method comprising:
establishing a first enclave running a user application program, wherein the user application program and an input/output driver program use an encryption channel for data transmission;
acquiring sensitive data input by user equipment by using the input/output driver, and transmitting the sensitive data from the input/output driver to the user application program through the encryption channel;
running the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result; and
transmitting the data processing result from the user application program to the input/output driver program through the encryption channel, and transmitting the data processing result to the user equipment.
2. The method of claim 1, wherein, after establishing the first enclave running the user application, the method comprises:
establishing a symmetric key between the first enclave and the input/output driver by using a key exchange algorithm, and establishing the encryption channel based on the symmetric key.
3. The method of claim 2, wherein establishing the symmetric key between the first enclave and the input/output driver using the key exchange algorithm, and establishing the encryption channel based on the symmetric key, comprises:
establishing a second enclave running the input/output driver;
the first enclave generating a local authentication report on a random enclave for the second enclave, wherein the local authentication report is generated based on a physical address of the first enclave and an identity of the random enclave;
the first enclave sending the identity of the random enclave to the second enclave, so that the second enclave calculates the physical address of the first enclave based on the identity of the random enclave; and
the first enclave and the second enclave using the physical address of the first enclave as the symmetric key and establishing the encryption channel using the symmetric key and a symmetric encryption algorithm.
4. The method of claim 1, further comprising:
the input/output driver routing the sensitive data to a first virtual device, wherein the device class of the first virtual device matches the device class of the user equipment; and
the first virtual device communicating the sensitive data to an operating system.
5. The method of claim 4, further comprising:
when the user application requests transmission of the sensitive data through the encryption channel, the input/output driver redirecting the sensitive data from the first virtual device to a second virtual device through the encryption channel; and
the second virtual device forwarding the sensitive data to the operating system through the encryption channel.
6. The method according to claim 1, characterized in that it further comprises:
establishing a third enclave running a trusted boot program;
the third enclave running the trusted boot program so that a virtual machine monitor obtains a platform register value, and verifying the platform register value; and
if the verification succeeds, transmitting the authentication result to the user application program through the input/output driver.
7. The method according to any one of claims 1 to 6, wherein the input/output driver is hosted and protected by a virtual machine monitor.
8. An SGX-based trusted input/output control apparatus, the apparatus comprising:
an enclave establishing module, used for establishing a first enclave for running a user application program, wherein the user application program and an input/output driver program use an encryption channel for data transmission;
a sensitive data acquisition module, used for acquiring sensitive data input by user equipment by using the input/output driver and for transmitting the sensitive data from the input/output driver to the user application program through the encryption channel;
a sensitive data processing module, used for running the user application program in the first enclave so that the user application program processes the sensitive data to obtain a data processing result; and
a data processing result transmission module, used for transmitting the data processing result from the user application program to the input/output driver program through the encryption channel and for transmitting the data processing result to the user equipment.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
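The flow of claims 1 and 2 (and of the encryption channel establishing unit described above), as an added Go model that is not code from this patent: each enclave is stood in for by the X25519 key pair it generated in its own memory, X25519 and AES-256-GCM are assumed for the key exchange algorithm and symmetric encryption algorithm the claims leave open, and the untrusted operating system is simply whatever carries the sealed bytes between the two enclaves. Claim 3's local-attestation variant of the key agreement is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Channel stands in for the key exchange of claim 2: the X25519 shared secret goes through HMAC-SHA256
// under a constructed label (a one-step KDF) and keys AES-256-GCM. Each enclave calls it with its own
// private key and the peer's public key, the only value the untrusted OS carries between them.
func Channel(self *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := self.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, []byte("sgx-trusted-io-channel")) // constructed label
	kdf.Write(secret)
	block, _ := aes.NewCipher(kdf.Sum(nil)) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one message; nonce || ciphertext || tag is all the OS ever sees.
func Seal(ch cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, ch.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented (Go 1.24+) never to return an error
	return ch.Seal(nonce, nonce, msg, nil)
}

// Open rejects anything altered, replaced or truncated in transit: the GCM tag check fails.
func Open(ch cipher.AEAD, ct []byte) ([]byte, error) {
	if n := ch.NonceSize(); len(ct) >= n {
		return ch.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// TrustedIO walks claim 1. app and driver are the key pairs the user-application enclave and the
// input/output driver enclave generated in their own memory (ecdh.X25519().GenerateKey): the driver
// captures the device input and sends it over the channel, the app processes it, the result returns.
func TrustedIO(app, driver *ecdh.PrivateKey, process func([]byte) []byte, input []byte) ([]byte, error) {
	appCh, err1 := Channel(app, driver.PublicKey())
	drvCh, err2 := Channel(driver, app.PublicKey())
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	plain, err := Open(appCh, Seal(drvCh, input)) // driver -> OS -> app enclave
	if err != nil {
		return nil, err
	}
	return Open(drvCh, Seal(appCh, process(plain))) // app enclave -> OS -> driver -> device
}
```

A message the OS alters or truncates, or that a third party sealed under a key of its own, fails to open; that authenticated channel is what keeps the sensitive input out of the OS's reach while it crosses the untrusted part of the stack.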

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011506823.3A CN112651018B (en) 2020-12-18 2020-12-18 SGX-based trusted input and output control method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112651018A true CN112651018A (en) 2021-04-13
CN112651018B CN112651018B (en) 2022-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant