CN112989319B - Method, device, electronic equipment and storage medium for realizing trusted computing - Google Patents


Publication number
CN112989319B
Authority
CN
China
Prior art keywords
program
trusted
request
trusted computing
caller
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110515727.3A
Other languages
Chinese (zh)
Other versions
CN112989319A (en
Inventor
余逸荣
邱鸿霖
吴行行
陈辰
顾宗敏
田洪亮
闫守孟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd, Ant Blockchain Technology Shanghai Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110515727.3A priority Critical patent/CN112989319B/en
Publication of CN112989319A publication Critical patent/CN112989319A/en
Publication of CN112989319B publication Critical patent/CN112989319B/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present specification provides a method, an apparatus, an electronic device, and a storage medium for implementing trusted computing. The method is applied to a trusted computing node, where a library operating system environment is encapsulated in a trusted execution environment deployed at the trusted computing node. The method includes: receiving a remote authentication challenge sent by a caller for the trusted execution environment, and assisting the caller in obtaining a remote authentication report according to the remote authentication challenge; receiving a calculation request ciphertext sent by the caller, where the calculation request ciphertext is sent when the caller confirms, according to the remote authentication report, that the trusted computing node is trusted; and, after the calculation request ciphertext is decrypted in the library operating system environment to obtain a calculation request, calling and executing, in the library operating system environment, a trusted computing program corresponding to the calculation request.

Description

Method, device, electronic equipment and storage medium for realizing trusted computing
Technical Field
The present disclosure relates to the field of trusted computing technologies, and in particular, to a method and an apparatus for implementing trusted computing, an electronic device, and a storage medium.
Background
Implementing trusted computing requires that a computing program run in a TEE (Trusted Execution Environment). In related technologies, Intel SGX (Intel Software Guard Extensions) is a mainstream TEE implementation. Developing trusted applications on this technology requires using the Intel SDK (Intel Software Development Kit) and writing programs according to a specific development paradigm, so an existing program that was not written according to that paradigm must be heavily modified before it can run in Intel SGX. Because Intel SGX only supports C/C++, existing programs written in other languages are even more difficult to modify.
Disclosure of Invention
To overcome the problems in the related art, the present specification provides a method, an apparatus, an electronic device, and a storage medium for implementing trusted computing.
According to a first aspect of embodiments of the present specification, there is provided a method for implementing trusted computing, the method being applied to a trusted computing node, a library operating system environment being encapsulated in a trusted execution environment deployed at the trusted computing node, the method comprising:
receiving a remote authentication challenge sent by a caller for the trusted execution environment, and assisting the caller in obtaining a remote authentication report according to the remote authentication challenge;
receiving a calculation request ciphertext sent by the caller, wherein the calculation request ciphertext is sent when the caller confirms, according to the remote authentication report, that the trusted computing node is trusted;
and, after the calculation request ciphertext is decrypted in the library operating system environment to obtain a calculation request, calling and executing, in the library operating system environment, a trusted computing program corresponding to the calculation request.
According to a second aspect of embodiments of the present specification, there is provided an apparatus for implementing trusted computing, the apparatus being applied to a trusted computing node, a library operating system environment being encapsulated in a trusted execution environment deployed at the trusted computing node, the apparatus comprising:
a remote authentication unit, configured to receive a remote authentication challenge sent by a caller for the trusted execution environment, and to assist the caller in obtaining a remote authentication report according to the remote authentication challenge;
a request receiving unit, configured to receive a calculation request ciphertext sent by the caller, where the calculation request ciphertext is sent when the caller confirms, according to the remote authentication report, that the trusted computing node is trusted;
and a program calling unit, configured to call and execute, in the library operating system environment, a trusted computing program corresponding to the calculation request after the calculation request ciphertext is decrypted in the library operating system environment to obtain the calculation request.
According to a third aspect of embodiments herein, there is provided an electronic apparatus including:
a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the steps of implementing the trusted computing method described above.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium having stored thereon executable instructions; wherein the instructions, when executed by the processor, implement the steps of implementing the trusted computing method described above.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a diagram of a network architecture shown in accordance with an exemplary embodiment of the present description.
FIG. 2 is an architectural diagram of one type of LibOS shown in the present specification according to an exemplary embodiment.
FIG. 3 is a flow diagram illustrating a method for implementing trusted computing according to an exemplary embodiment.
FIG. 4 is an interactive flow diagram illustrating one method of implementing trusted computing in accordance with an exemplary embodiment of the present specification.
Fig. 5 is a schematic structural diagram of an apparatus according to an exemplary embodiment.
FIG. 6 is a block diagram of an apparatus implementing trusted computing, shown in accordance with an exemplary embodiment.
Detailed Description
For further explanation of this specification, the following examples are provided:
FIG. 1 is a diagram of a network architecture according to an exemplary embodiment of the present specification. The network architecture includes a trusted computing node and a caller node, which can communicate with each other via the Internet. A trusted execution environment is deployed at the trusted computing node, and a library operating system environment is encapsulated in the trusted execution environment. The library operating system environment includes an interface program to be called by the caller, as well as a scheduler program and a trusted computing program.
The caller node runs an application program with trusted computing requirements and an external service program. The external service program can communicate with the interface program in the trusted computing node through a network connection; for example, an encrypted channel can be established between the external service program and the interface program to realize encrypted communication. In another network architecture, there is only a single node, the trusted computing node, and the application program and external service program corresponding to the caller also run on the trusted computing node. For example, the application program and the external service program may run outside the trusted execution environment of the trusted computing node, may run in the trusted execution environment encapsulated with the library operating system environment, or may run in another trusted execution environment different from the one encapsulated with the library operating system environment.
The trusted computing node and the caller node in the embodiments of the present specification may be blockchain nodes, or may be other hardware or virtualization facilities that can run a computer program to implement any logic function. The Trusted Execution Environment (TEE) referred to in this specification provides a secure execution environment for software; a TEE is based on a secure extension of CPU hardware and is completely isolated from the outside. The TEE was originally proposed by Global Platform to address the secure isolation of resources on mobile devices, providing a trusted and secure execution environment for applications in parallel with the operating system. The industry pays close attention to TEE solutions, and almost all mainstream chip and software consortiums have their own TEE solutions, such as TPM (Trusted Platform Module) in software, and Intel SGX, ARM TrustZone, and AMD PSP (Platform Security Processor) in hardware.
Intel SGX (hereinafter SGX) is taken as an example. The trusted computing node may create an enclave based on SGX technology as a TEE for performing blockchain transactions. The blockchain node may use newly added processor instructions in the CPU to allocate a region of memory, the EPC (Enclave Page Cache), in which the enclave resides. The memory region corresponding to the EPC is encrypted by the MEE (Memory Encryption Engine) inside the CPU; its contents (the code and data in the enclave) can be decrypted only within the CPU core, and the key used for encryption and decryption is generated and stored in the CPU only when the EPC is started. The security boundary of the enclave therefore includes only the enclave itself and the CPU. Neither privileged nor non-privileged software can access the enclave, and even an operating system administrator or a VMM (Virtual Machine Monitor, also called a hypervisor) cannot affect the code and data in the enclave, so the enclave has extremely high security.
The library operating system environment (LibOS) in the embodiments of the present specification refers to a program execution environment running in a trusted execution environment, and may be regarded as a container that has input/output interfaces and contains a plurality of sub-programs. FIG. 2 is an architecture diagram of a LibOS according to an exemplary embodiment of the present specification. As shown in FIG. 2, the LibOS includes an entrypoint program, a handler script program, a trusted computing program, and a root program. The entrypoint program includes a communication service program with an externally open interface, a remote authentication service program, a key management program, an encryption/decryption program, a task scheduler program, and the like. The handler script program is used to schedule calls to the trusted computing program. The trusted computing program includes the various computing programs that can be called and actually executed, such as an SQL program, an XGBoost (Extreme Gradient Boosting) program, and the like. The root program contains the underlying system files and provides a running environment for the upper-layer programs. In SGX technology, the LibOS actually corresponds to an enclave and conforms to the program development paradigm of SGX, so the programs contained in the LibOS can run safely in the TEE without concern about information leakage. Because the LibOS provides compatible system calls to application programs, existing programs in any language can run in the enclave as application programs contained in the LibOS, and the trusted computing programs contained in the LibOS can therefore be ported directly into the TEE with no modification or only minor modification.
The memory of any program running in the LibOS is protected by the enclave, and file input and output are automatically encrypted and decrypted by the LibOS, so the confidentiality and integrity of the application's data are protected both in memory and in external storage.
Fig. 3 is a flowchart illustrating a method for implementing trusted computing according to an exemplary embodiment, where the method is applied to the trusted computing node shown in fig. 1, and the trusted execution environment at the trusted computing node is packaged with a library operating system environment, and the method includes the following steps:
S301: receiving a remote authentication challenge sent by a caller for the trusted execution environment, and assisting the caller in obtaining a remote authentication report according to the remote authentication challenge.
The caller in the embodiments of the present specification may specifically be the external service program running in the caller node shown in FIG. 1, or may be another application program running on the trusted computing node; this specification does not limit this. In the embodiments of the present specification, after receiving the remote authentication challenge sent by the caller, the trusted computing node needs to provide a remote authentication report to the caller, to prove to the caller that the library operating system environment running on the trusted computing node has not been tampered with and runs in a trusted execution environment, and to prove the authenticity of the called party public key. The trusted computing node therefore obtains the remote authentication report through a remote authentication process.
Assisting the caller in obtaining the remote authentication report, as described in the embodiments of the present specification, may include: generating self-referral information, wherein the self-referral information comprises a first hash value corresponding to the program code contained in the library operating system environment and a second hash value corresponding to the called party public key maintained by the library operating system environment;
transmitting to the caller the remote authentication report that an authentication server returns after completing authentication of the self-referral information; or sending the self-referral information to the caller, so that the caller sends the self-referral information to the authentication server and receives the remote authentication report that the authentication server returns after completing authentication of the self-referral information.
Specifically, the remote authentication report in the embodiments of the present specification results from a remote authentication process performed on the TEE at the trusted computing node. After the trusted computing node receives the remote authentication challenge sent by the caller, it passes the challenge to the interface program in the LibOS, so that the interface program can respond to the challenge and call the remote authentication service program to execute the remote authentication process. The remote authentication service program in the interface program extracts all the program code contained in the LibOS encapsulated in the TEE, including the interface program, the trusted computing programs, and so on, and performs a hash operation on this program code to obtain a program hash value (the first hash value). Similarly, it performs a hash operation on the called party public key maintained by the LibOS to obtain a public key hash value (the second hash value). Finally, it packages the program hash value and the public key hash value to obtain the self-referral information. After the authentication server verifies the self-referral information, it can provide the trusted computing node with a remote authentication report for the self-referral information, and this report can be used to indicate that the TEE on the trusted computing node can be trusted. Taking Intel SGX technology as an example, the TEE is an enclave created on the trusted computing node for running the LibOS, and the remote authentication process also involves another special enclave on the trusted computing node, the Quoting Enclave (QE), which is an architectural enclave provided and signed by Intel. The enclave running the LibOS first generates a REPORT structure for local authentication, and the QE verifies, based on the REPORT structure, whether that enclave is on the same platform as itself. The QE then packages the REPORT structure, combined with the program hash value and the public key hash value, into a QUOTE structure (the self-referral information) and signs it with an EPID (Enhanced Privacy ID) key. The EPID key not only represents the platform of the off-chain privacy computing node but also represents the trustworthiness of the underlying hardware of the trusted computing node, and can bind information such as the processor firmware version; only the QE can access the EPID key to sign the QUOTE structure. In SGX technology, the authentication server may be the IAS (Intel Attestation Service) server provided by Intel. The trusted computing node sends the signed QUOTE structure to the IAS server, so that the IAS server can verify the signature and return a corresponding remote authentication report to the trusted computing node.
After obtaining the remote authentication report, the trusted computing node may send it directly to the caller, thereby assisting the caller in obtaining the remote authentication report. In this embodiment, remote authentication is performed in response to the caller's remote authentication challenge, to prove to the caller that the library operating system environment has not been tampered with and runs in a trusted execution environment, and that the called party public key maintained by the library operating system environment is genuine, which meets the technical requirement of trusted computing. In another embodiment, after obtaining the remote authentication challenge, the interface program only calculates the self-referral information in the manner described above and does not send it to the authentication server. Instead, it sends the self-referral information to the caller, and the caller completes the rest of the remote authentication process: the caller sends the self-referral information to the authentication server and receives the remote authentication report that the authentication server returns after completing authentication of the self-referral information.
S302: receiving a calculation request ciphertext sent by the caller, wherein the calculation request ciphertext is sent when the caller confirms, according to the remote authentication report, that the trusted computing node is trusted.
In the embodiments of the present specification, the caller confirms that the trusted computing node is trusted according to the remote authentication report as follows. After obtaining the remote authentication report, the caller verifies the report's signature with the public key of the authentication server, thereby confirming that the report was issued by the authentication server. The caller then reads the program hash value and the public key hash value recorded in the report and compares them with the program standard hash value and the public key standard hash value that it stores. If the program hash value matches the program standard hash value, this proves that the library operating system environment in the trusted computing node has not been tampered with and runs in the trusted execution environment. If the public key hash value matches the public key standard hash value, this proves that the called party public key held by the caller is the called party public key maintained by the library operating system environment. When both comparisons match, the trusted computing node can be confirmed as trusted. The program standard hash value is obtained by performing a hash operation on the publicly disclosed program code of the library operating system environment, and the public key standard hash value is obtained by performing a hash operation on the public key that the caller currently holds and regards as the called party's. Note that the hash function used to calculate the program standard hash value is the same as the one used to calculate the program hash value, and the hash function used to calculate the public key standard hash value is the same as the one used to calculate the public key hash value.
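The caller-side check described above, as an added Go example that is not part of the patent text: it verifies the report signature first, then compares both hash values against the caller's standard values. Ed25519 as the authentication server's signature scheme, SHA-256 for both hashes, the JSON report layout and all sample byte strings are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Report is a constructed stand-in for the body of a remote authentication report.
type Report struct {
	ProgramHash []byte `json:"program_hash"` // first hash value: LibOS program code
	PubKeyHash  []byte `json:"pubkey_hash"`  // second hash value: called party public key
}

// SignedReport is what the caller receives: report body plus server signature.
type SignedReport struct{ Body, Sig []byte }

var (
	ErrSignature = errors.New("report was not issued by the authentication server")
	ErrProgram   = errors.New("program hash differs from program standard hash")
	ErrPubKey    = errors.New("public key hash differs from public key standard hash")
)

// IssueReport plays the node and the authentication server: hash, package, sign.
func IssueReport(serverKey ed25519.PrivateKey, runningCode, calleePub []byte) SignedReport {
	ph, kh := sha256.Sum256(runningCode), sha256.Sum256(calleePub)
	body, _ := json.Marshal(Report{ProgramHash: ph[:], PubKeyHash: kh[:]})
	return SignedReport{Body: body, Sig: ed25519.Sign(serverKey, body)}
}

// VerifyReport is the caller's check. publishedCode is the publicly disclosed
// LibOS code; heldPub is the key the caller believes belongs to the called party.
func VerifyReport(sr SignedReport, serverPub ed25519.PublicKey, publishedCode, heldPub []byte) error {
	if !ed25519.Verify(serverPub, sr.Body, sr.Sig) {
		return ErrSignature // never parse a body whose origin is unproven
	}
	var r Report
	if err := json.Unmarshal(sr.Body, &r); err != nil {
		return err
	}
	wantProg, wantKey := sha256.Sum256(publishedCode), sha256.Sum256(heldPub)
	if subtle.ConstantTimeCompare(r.ProgramHash, wantProg[:]) != 1 {
		return ErrProgram
	}
	if subtle.ConstantTimeCompare(r.PubKeyHash, wantKey[:]) != 1 {
		return ErrPubKey
	}
	return nil
}

// RunScenario builds constructed inputs and returns the caller's verdict.
func RunScenario(tamperCode, swapKey, forgeSig bool) error {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	published := []byte("constructed LibOS image: entrypoint, handler, trusted programs")
	calleePub := []byte("constructed called party public key bytes")
	running, held := published, calleePub
	if tamperCode { // the node runs code other than what was published
		running = append([]byte("patched:"), published...)
	}
	if swapKey { // the caller was handed a key the LibOS does not maintain
		held = []byte("constructed substitute public key bytes")
	}
	sr := IssueReport(serverPriv, running, calleePub)
	if forgeSig { // the report is signed by someone other than the server
		_, other, _ := ed25519.GenerateKey(rand.Reader)
		sr.Sig = ed25519.Sign(other, sr.Body)
	}
	return VerifyReport(sr, serverPub, published, held)
}

func main() {
	fmt.Println("genuine node:    ", RunScenario(false, false, false))
	fmt.Println("tampered LibOS:  ", RunScenario(true, false, false))
	fmt.Println("substituted key: ", RunScenario(false, true, false))
	fmt.Println("forged signature:", RunScenario(false, false, true))
}
```

Only the first scenario returns nil; a caller following S302 would send the calculation request ciphertext in that case alone.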
S303: after the calculation request ciphertext is decrypted in the library operating system environment to obtain a calculation request, calling and executing, in the library operating system environment, a trusted computing program corresponding to the calculation request.
In the embodiments of the present specification, the trusted computing node passes the calculation request ciphertext sent by the caller to the interface program in the library operating system environment. The interface program decrypts the calculation request ciphertext to obtain the calculation request, and calls and executes the corresponding trusted computing program according to the calculation request.
In one embodiment, the calculation request ciphertext is obtained by the caller encrypting the calculation request with the called party public key; in this case, the interface program decrypts the calculation request ciphertext with the called party private key that it maintains to obtain the calculation request. In another embodiment, the calculation request ciphertext is obtained by the caller encrypting the calculation request with a symmetric key. The caller then also sends a symmetric key ciphertext along with the calculation request ciphertext, where the symmetric key ciphertext is obtained by encrypting the symmetric key with the called party public key. This encryption mode is called the digital envelope mode. In this case, the interface program decrypts the symmetric key ciphertext with the called party private key that it maintains to obtain the symmetric key, and then decrypts the calculation request ciphertext with the symmetric key to obtain the calculation request. The digital envelope mode combines symmetric and asymmetric encryption: it ensures information security while making maximum use of symmetric encryption to improve encryption and decryption efficiency.
It should be noted that, in this embodiment, S301 and S302 have no strict execution order. S301 only receives the remote authentication challenge sent by the caller and assists the caller in obtaining the remote authentication report, so that the caller can verify whether the trusted computing node is trusted. In S302, the caller sends the calculation request ciphertext to the trusted computing node only when it has confirmed that the trusted computing node is trusted, and to confirm this the caller must first obtain the remote authentication report. However, because the caller can perform the remote authentication process at any time to verify whether the trusted computing node is trusted, the caller can decide at any time whether to abandon the trusted computing node, even after obtaining the execution result. This means that the caller can send the remote authentication challenge and the calculation request ciphertext to the trusted computing node at the same time, or send the calculation request ciphertext first and the remote authentication challenge afterwards. In these cases, the caller risks exposing the data in its calculation request, but it can obtain the execution result of the computing service earlier and then judge whether the execution result is trusted from the remote authentication report obtained afterwards. For some calculation requests that carry no input data, changing the execution order of S301 and S302 can therefore improve the efficiency of trusted computing.
The technical scheme provided by the embodiment of the specification can have the following beneficial effects:
In the embodiments of the present specification, a library operating system environment is encapsulated in the trusted execution environment deployed at the trusted computing node, so that an existing program can run directly in the trusted execution environment with no modification or only minor modification. A unified external encrypted input/output interface and a remote authentication module are established to ensure the security of the trusted computing node. This amounts to a general application framework built on the library operating system environment, with which an existing program can provide a confidential computing service externally without being modified.
Optionally, on the basis of the above exemplary embodiment, the calculation request includes a program identifier and input data; the invoking and executing of the trusted computing program corresponding to the computing request in the library operating system environment includes:
creating a sub-process of the trusted computing program corresponding to the program identification;
passing the input data into the sub-process to complete a computation by a respective trusted computing program.
Specifically, after the interface program in the LibOS decrypts the received calculation request ciphertext to obtain the calculation request, it reads the program identifier and the input data from the calculation request. The interface program maintains a correspondence between program identifiers and the call addresses of trusted computing programs, so it can call the corresponding trusted computing program through the program identifier it has obtained. The input data is used to assign values to the input parameters required by the trusted computing program corresponding to the program identifier. When the caller constructs the calculation request, it arranges the input data in an input format (including data types and the order of the data) that the trusted computing program corresponding to the program identifier can recognize, so that the input data can be supplied to the trusted computing program without problems and the computation can be completed when the program is called. The interface program provides storage space for the input data of the calculation request: the input data is stored in a context directory file, corresponding to the calculation request, in the encrypted file system. A sub-process of the handler script program corresponding to the program identifier is created. The handler script program parses the context directory file to obtain the input data for the calculation request, and then creates a sub-process that calls the trusted computing program corresponding to the program identifier; the input data is passed into that sub-process, where the computation is completed. In another embodiment, the LibOS already runs a sub-process for each trusted computing program, so the input data can be passed directly into the existing trusted computing program sub-process to complete the computation.
The embodiment of the specification can add the program identification and the input data into the calculation request, so that the trusted calculation node can respond to confidential calculation services required by various trusted calculation programs and complete trusted calculation according to the input data provided by a calling party.
Optionally, on the basis of the foregoing exemplary embodiment, the calculation request includes a request sequence number; the method further comprises the following steps:
and sending an execution result of the trusted computing program corresponding to the computing request to the caller, wherein the execution result comprises the request sequence number.
In this embodiment of the present specification, when the caller constructs a calculation request it adds a request sequence number for that request and maintains the correspondence between request sequence numbers and execution results. After the interface program in the LibOS decrypts the received calculation request ciphertext to obtain the calculation request, it reads the request sequence number from the calculation request. Once the trusted computing program corresponding to the calculation request has completed the computation and produced an execution result, the request sequence number is encapsulated in the execution result. When the trusted computing node returns the execution result, the caller can therefore tell from the request sequence number it carries which calculation request the result corresponds to. This lets the caller maintain execution results more easily and lets the trusted computing node provide an unambiguous confidential computing service based on the calculation request. For example, if the calculation request included only the program identifier, then when the same caller requested the confidential computing service for the same program identifier several times, the returned execution results of the trusted computing program would be indistinguishable; with a request sequence number in the calculation request, different calculation requests can be distinguished by caller identity and request sequence number.
Optionally, on the basis of the foregoing exemplary embodiment, the remote authentication challenge sent by the caller may include a program identifier, namely the program identifier carried in the calculation request that the caller subsequently constructs. When the trusted computing node performs the remote authentication process and generates the self-referral information, the first hash value in it is then obtained by hashing only the program code of the trusted computing program corresponding to that program identifier in the library operating system environment, rather than all program code contained in the library operating system environment. After the whole remote authentication process is completed, the remote authentication report obtained by the caller therefore proves to the caller only that the trusted computing program corresponding to the program identifier runs in the trusted execution environment and has not been tampered with. In most scenarios, however, the caller can judge whether the trusted computing node is a well-known trusted node by verifying the signature information of the remote authentication report and the authenticity of the called party public key, which ensures the security of the call. Verifying on every request for the confidential computing service whether all programs of the library operating system environment in the trusted computing node have been tampered with is unnecessary for the caller, because the caller does not always call all trusted computing programs at once. By verifying only whether the trusted computing program to be called by the caller has been tampered with, this embodiment reduces wasted resources while still ensuring security.
Optionally, after the trusted computing node receives the remote authentication challenge sent by the caller, the called party public key is sent to the caller.
In the embodiment of the specification, the trusted computing node actively sends its called party public key to the caller in response to the remote authentication challenge, so the caller can obtain the called party public key used to encrypt the calculation request without having to acquire it in advance by other means. The called party public key may also be dynamic. When the caller initiates the remote authentication challenge in preparation for requesting the confidential computing service, having the trusted computing node actively return the called party public key ensures that the key is valid at that moment. Even if the authenticity of the called party public key still needs to be proved subsequently through the remote authentication report, this reduces the possibility of an incorrect called party public key as far as possible and gives the caller a more convenient confidential computing service.
Optionally, the library operating system environment includes: the interface program and the scheduling program containing the scheduling script;
the interface program is used for receiving the remote authentication challenge, assisting the caller in obtaining the remote authentication report, and decrypting the calculation request ciphertext to obtain the calculation request; and
the interface program is also used for executing the scheduling program according to the computing request so as to call and execute the trusted computing program corresponding to the computing request through the scheduling script.
In the embodiments of the present specification, the interface program refers to an entrypoint program, the scheduler program refers to a handler script program, the interface program assists the caller in the process of obtaining the remote authentication report, and the interface program cooperates with the scheduler program to execute the trusted computing program corresponding to the computing request, which are described in detail with reference to the foregoing embodiments. The interface program can decrypt the calculation request ciphertext and encrypt an execution result of the trusted calculation program and send the encrypted execution result to the calling party.
Optionally, the library operating system environment maintains a called party public and private key pair;
the called party public and private key pair is a static public and private key pair, and the static public and private key pair is defined by a constant of program codes in the library operating system environment, or is fixedly generated by the library operating system environment in an initialization stage, or is fixedly distributed by a key management server;
or, the called party public and private key pair is a dynamic public and private key pair, and the dynamic public and private key pair is randomly generated by the library operating system environment in an initialization stage or randomly distributed by a key management server.
The called party public and private key pair in the embodiments of the present specification comprises a called party public key and a called party private key, and these keys are maintained by the interface program in the library operating system environment. For example, when the entrypoint program is initialized, the interface program in it may generate a random key pair as the called party public and private key pair; the key pair maintained by the library operating system environment is then a dynamic public and private key pair. Because a different called party public and private key pair is generated at each restart, a caller that has already obtained the called party public key of the library operating system environment may need to perform the remote authentication process again to obtain the current called party public key, which ensures the security of the encrypted channel and prevents replay attacks in the network. As another example, the called party public and private key pair maintained in the library operating system environment may be periodically and randomly assigned by a KMS (Key Management Service) server; such a key pair is also a dynamic public and private key pair.
Similarly, the called party public and private key pair in the embodiments of the present specification may be static: generated in a fixed manner when the entrypoint program is initialized, distributed in a fixed manner by the KMS server, or defined directly in the program code in the library operating system environment. The called party public and private key pair maintained by the library operating system environment then does not change, so once the caller has obtained the called party public key it does not need to obtain it again. It should be noted that when the called party public and private key pair is defined as a constant in the program code in the library operating system environment, that program code is often made public so that its legitimacy and freedom from tampering can be checked, and the called party private key would then be exposed. In actual engineering, the called party private key therefore needs to be written into the program code as ciphertext, either symmetrically encrypted with a symmetric key maintained only by the library operating system environment, or asymmetrically encrypted with the public key set at the factory for the CPU of the trusted computing node or with another public key maintained only by the library operating system environment.
For another example, in a case where the called party public-private key pair is stored in the trusted execution environment deployed by the trusted computing node, or the called party public-private key pair is stored in the encrypted memory of the trusted computing node in a form of a ciphertext, the called party public-private key maintained by the library operating system environment may be further obtained by reading from the trusted execution environment by the library operating system environment, or obtained by decrypting, by the library operating system environment, the ciphertext of the called party public-private key pair read from the encrypted memory.
Optionally, the development paradigm of the trusted computing program is different from the development paradigm used to develop programs that run directly in the trusted execution environment.
In the embodiment of the specification, since the program contained in the LibOS can be an existing program written in any programming language, the existing program is run in the TEE by the LibOS, and therefore the modification cost for migrating the existing program to the TEE environment for running can be greatly reduced.
Optionally, on the basis of the foregoing exemplary embodiment, the method further includes:
encrypting the execution result of the trusted computing program to obtain an execution result ciphertext;
and sending the execution result ciphertext to the caller so that the caller decrypts the execution result ciphertext to obtain the execution result.
Specifically, the encrypting the execution result of the trusted computing program to obtain an execution result ciphertext includes:
encrypting the execution result of the trusted computing program with the caller public key to obtain the execution result ciphertext, wherein the caller public key can be carried in the calculation request so that the trusted computing node can obtain it; or
under the condition that the calculation request ciphertext was obtained by the caller encrypting the calculation request in a digital envelope manner, encrypting the execution result of the trusted computing program with a symmetric key related to the digital envelope to obtain the execution result ciphertext.
Correspondingly, after the caller obtains the execution result ciphertext, the caller decrypts it with the caller private key to obtain the execution result; or
under the condition that the calculation request ciphertext was obtained by the caller encrypting the calculation request in a digital envelope manner, the caller decrypts the execution result ciphertext with a symmetric key related to the digital envelope to obtain the execution result.
In the embodiment of the present specification, after a library operating system environment running in a trusted computing node calls and executes a trusted computing program corresponding to a computing request in the library operating system environment, an execution result of the computing program is encrypted and returned to a caller, so that the caller obtains the execution result corresponding to the computing request, and the execution result is encrypted in a network transmission process, so that a complete encryption channel is established together with transmission of a computing request ciphertext, and security of the system is ensured.
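The digital-envelope case described above, carried through both directions with the request sequence number checked on return, as an added example that is not code from the patent. RSA-OAEP for wrapping the key, AES-256-GCM for the payload, JSON encoding, the "request"/"result" direction label and all function names are assumptions of this example; the program table holds one constructed placeholder entry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Result echoes Seq, the request sequence number, so the caller can match it.
type (
	Request  struct{ Seq string; ProgramID int; Input []float64 }
	Result   struct{ Seq string; Output float64 }
	Envelope struct{ WrappedKey, Sealed []byte } // wrapped key, nonce||ciphertext
)

// programs stands in for the identifier -> scheduling script table (constructed).
var programs = map[int]func([]float64) float64{
	2: func(in []float64) float64 { return float64(len(in)) },
}

func aead(key []byte) cipher.AEAD { // callers pass exactly 32 bytes (AES-256-GCM)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts v as JSON; dir ("request" or "result") is bound as associated
// data, so a ciphertext from one direction fails to open in the other.
func seal(g cipher.AEAD, v interface{}, dir string) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never continue with a predictable nonce
	}
	body, _ := json.Marshal(v)
	return g.Seal(nonce, nonce, body, []byte(dir))
}

func open(g cipher.AEAD, sealed []byte, dir string, v interface{}) error {
	n := g.NonceSize()
	if len(sealed) < n {
		return errors.New("ciphertext too short")
	}
	body, err := g.Open(nil, sealed[:n], sealed[n:], []byte(dir))
	if err != nil {
		return err
	}
	return json.Unmarshal(body, v)
}

// CallerSeal returns the envelope and the AEAD holding the key kept for the result.
func CallerSeal(pub *rsa.PublicKey, req Request) (Envelope, cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, nil, err
	}
	g := aead(key)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Envelope{wrapped, seal(g, req, "request")}, g, err
}

// NodeHandle plays the interface program: unwrap, decrypt, dispatch, encrypt the result.
func NodeHandle(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("cannot unwrap symmetric key")
	}
	g := aead(key)
	var req Request
	if err := open(g, env.Sealed, "request", &req); err != nil {
		return nil, err
	}
	run, ok := programs[req.ProgramID]
	if !ok {
		return nil, fmt.Errorf("unknown program identifier %d", req.ProgramID)
	}
	return seal(g, Result{req.Seq, run(req.Input)}, "result"), nil
}

// CallerOpen decrypts the result and checks it answers request wantSeq.
func CallerOpen(g cipher.AEAD, sealed []byte, wantSeq string) (res Result, err error) {
	if err = open(g, sealed, "result", &res); err == nil && res.Seq != wantSeq {
		res, err = Result{}, errors.New("result carries another request's sequence number")
	}
	return res, err
}

func NewCalleeKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := NewCalleeKey()
	env, g, _ := CallerSeal(&priv.PublicKey, Request{"192(220)", 2, []float64{2.7, -1.5, 3.6}})
	sealed, _ := NodeHandle(priv, env)
	res, err := CallerOpen(g, sealed, "192(220)")
	fmt.Println(res, err)
}
```

Because request and result share one symmetric key, the direction label is what stops a request ciphertext from being handed back to the caller as if it were a result.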
Optionally, the trusted computing node is a blockchain node. In this case the execution logic on the trusted computing node is encapsulated in a smart contract, so the execution result ciphertext can be written into a corresponding transaction event during execution of the smart contract and recorded on a block in the form of a receipt, and the intermediate results of the program call process are subject to consensus and kept as evidence by the blockchain network.
The following describes a scheme of implementing trusted computing in this specification in detail, taking a process in which an application in a caller node requests a trusted computing node to provide a confidential computing service and obtain an execution result in fig. 1 as an example. Referring to fig. 4, a solution for implementing trusted computing according to this specification may be implemented based on cooperation between a caller node and a trusted computing node, where a trusted execution environment deployed by the trusted computing node is packaged with a library operating system environment, and a trusted computing program in the library operating system environment is an existing program that cannot be directly run in the trusted execution environment without any modification, and the method may include the following steps:
S401: The application program in the caller node constructs a calculation request according to its trusted computing requirement; the calculation request comprises a request sequence number, a program identifier and input data. The caller node's database stores the correspondence between each trusted computing program, its program identifier and its input format, in key-value (key-value pair) form, as shown in Table 1. The application program can determine the corresponding program identifier and the input data by looking up this correspondence.
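[Table 1 (image not reproduced): correspondence between trusted computing programs, their program identifiers and their input formats]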
For example, an application program wants to execute an xgboost program. It sends a request to the database, and the database returns the program identifier "2" and the input format "{(x1, y1), (x2, y2) … (xn, yn), M, L(y, f(x)), R}" corresponding to the xgboost program, where "(x1, y1), (x2, y2) … (xn, yn)" is the input data set, "M" is the maximum number of iterations, "L(y, f(x))" is the specified loss function, and "R" is the regularization term coefficient. Accordingly, the application program constructs a calculation request of the form:
"{{192(220)}, {2}, {(2.7,1), (-1.5,0) … (3.6,1)}, {1000000}, {L_m = \sum_{i=1}^{N} L(y_i, f_{m-1}(x_i) + h_m(x_i)) + \gamma J + \frac{\lambda}{2} \sum_{j=1}^{J} \omega_{mj}^{2}}, {0}}". Here the first two items, "{192(220)}" and "{2}", are the request number and the program identifier respectively; "192" in the request number represents the application ID, and "220" represents the request number inside the application.
S402: The application program sends the calculation request to an external service program.
S403: The external service program determines, according to the program identifier in the calculation request, a trusted computing node capable of executing the corresponding trusted computing program. The external service program can look up the correspondence, maintained in the database, between each program identifier and the trusted computing node capable of executing the corresponding trusted computing program; this correspondence is also stored in key-value form, as shown in Table 2:
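[Table 2 (image not reproduced): correspondence between program identifiers and the trusted computing nodes capable of executing the corresponding trusted computing programs]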
In this embodiment of the present description, since the program identifier carried in the calculation request sent by the application program is "2", the external service program can determine that trusted computing node B can execute the trusted computing program corresponding to the program identifier "2".
S404: The external service program in the caller node first looks up the network IP address corresponding to trusted computing node B in the routing table maintained by the caller node, and sends a remote authentication challenge to the interface program in trusted computing node B at that network IP address.
S405: After the interface program in trusted computing node B receives the remote authentication challenge from the external service program, it first calls the remote authentication service program to generate the self-referral information "{9e905e49, 94cb3900, sigB}". Here "9e905e49" is obtained by hashing all program code in the library operating system environment, including the interface program, the scheduling program and the trusted computing programs; "94cb3900" is obtained by hashing the called party public key maintained in the library operating system environment; and "sigB" is the digital signature of trusted computing node B (made with a private key set at the CPU factory). The self-referral information is then sent to the IAS server through the communication service program in the interface program, and after the IAS server completes authentication, the remote authentication report "{{9e905e49, 94cb3900, sigB}, yes, sigIAS}" returned by the IAS server is received, where "yes" indicates that the IAS server has authenticated the self-referral information as genuine and "sigIAS" is the digital signature of the IAS server. Finally, the remote authentication service program calls the key management program in the interface program to obtain the public key of the IAS server, so as to verify whether the remote authentication report is credible.
S406: The interface program returns the remote authentication report and the called party public key to the caller node. The called party public key and the called party private key are maintained by the key management program. After obtaining the remote authentication report, the remote authentication service program in the interface program calls the key management program to obtain the called party public key, and the called party public key and the remote authentication report are then returned through the communication service program to the external service program in the caller node.
S407: When the external service program determines from the remote authentication report that the trusted execution environment is trusted, it encrypts the calculation request with the called party public key to obtain the calculation request ciphertext. After receiving the remote authentication report, the external service program verifies the authenticity of the report with the public key of the IAS server. Once that verification succeeds, it concludes from the authentication result "yes" in the remote authentication report that the self-referral information was sent by trusted computing node B. The external service program then computes the hash value "9e905e49" over all program code of the library operating system environment in trusted computing node B, as stored in its database, and likewise computes the hash value "94cb3900" over the received called party public key. It compares each computed hash value with the corresponding hash value in the self-referral information. Because both comparisons match, all programs running in the library operating system environment in trusted computing node B are shown not to have been tampered with and the called party public key is shown to belong to trusted computing node B; that is, trusted computing node B is shown to be trusted. The external service program then encrypts the calculation request with the called party public key that has been verified as trusted to obtain the calculation request ciphertext:
“{14f545738408c088987a33e440237d4bd03756485d0b8f6f}”。
S408: The external service program in the caller node sends the calculation request ciphertext and the caller public key to the interface program in the trusted computing node.
S409: The interface program in the trusted computing node decrypts the calculation request ciphertext with the called party private key to obtain the calculation request. The interface program decrypts the calculation request ciphertext received by the communication service program by calling the encryption and decryption program; the encryption and decryption program calls the key management program to obtain the called party private key, decrypts the calculation request ciphertext with it to obtain the calculation request, and passes the calculation request to the task scheduling program. In addition, the interface program directly calls the key management program to store the received caller public key.
S410: The interface program stores the input data contained in the calculation request in the encrypted file system and calls the corresponding scheduling script according to the program identifier contained in the calculation request. After receiving the calculation request, the task scheduling program extracts the input data and the program identifier from it, creates in the encrypted file system a dedicated context directory file for storing the input data, and creates a sub-process to execute the scheduling script corresponding to the program identifier. The task scheduling program also maintains the correspondence between program identifiers and scheduling scripts, as shown in Table 3:
[Table 3 (image not reproduced): correspondence between program identifiers and scheduling scripts]
As can be seen from the foregoing description, the program identifier in the calculation request is "2", so the task scheduling program creates a sub-process to call Jobs(2) for execution.
S411: The scheduling script Jobs(2) parses the input data found in the encrypted file system, then uses it as the input parameters and calls the trusted computing program corresponding to the program identifier to complete the computation. Jobs(2) parses the context directory file created in the encrypted file system for storing the input data, so as to arrange the input data, and at the same time creates a sub-process, passes in the input data and executes the trusted computing program xgboost defined by Jobs(2). It should be noted that although in this embodiment the direct correspondence is between program identifiers and scheduling scripts, each scheduling script defines the trusted computing program it calls; that is, each scheduling script corresponds to a trusted computing program, so program identifiers also correspond to trusted computing programs.
S412: The scheduling script Jobs(2) obtains the execution result of the trusted computing program and returns it to the interface program. Jobs(2) captures the calculation result of xgboost, a ".h5" model file, and returns it to the task scheduling program in the interface program; the task scheduling program packages the calculation result together with the calculation request and returns them to the communication service program.
S413: The interface program packages the corresponding request sequence number into the execution result and encrypts the execution result with the caller public key to obtain the execution result ciphertext. From the received calculation result and calculation request, the communication service program packages the calculation result with the request number contained in the calculation request to obtain the execution result "{.h5, 192(220)}". The communication service program then calls the encryption and decryption program to encrypt the execution result; the encryption and decryption program calls the key management program to obtain the caller public key, encrypts the execution result with it to obtain the execution result ciphertext, and returns the execution result ciphertext to the communication service program.
S414: The interface program in the trusted computing node returns the execution result ciphertext to the external service program of the caller node.
S415: The external service program decrypts the execution result ciphertext with the caller private key to obtain the execution result.
S416: The external service program returns the execution result to the application program. The external service program parses the request number "192(220)" contained in the decrypted execution result, determines from "192" the ID of the application program to return it to, and returns the execution result to the application program whose application ID is "192". After receiving the execution result, the application program determines the calculation request to which it corresponds from "220" in the request sequence number contained in the execution result, thereby completing one call of the trusted computing program.
The above-described embodiment of the specification describes in detail a call procedure that is initiated by an application program in a caller node and calls a corresponding trusted computing program in a trusted computing node, where the trusted computing program runs in a library operating system environment as an existing program, an encrypted channel is established between the caller node and the trusted computing node, and a remote authentication procedure is completed, thereby implementing a confidential computing service based on the existing program.
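The caller-side checks of S405 to S407 (report signature, verdict, first hash value, second hash value), as an added example that is not code from the patent. Ed25519 for the authentication server's signature, SHA-256 for both hash values, the length-prefixed byte layout and all names are assumptions of this example, since the description names no algorithms; keys, program bytes and the sigB value are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var (
	ErrBadSignature = errors.New("report not signed by the authentication server")
	ErrRejected     = errors.New("authentication server did not accept the self-referral")
	ErrCodeMismatch = errors.New("first hash value differs from the expected program code")
	ErrKeyMismatch  = errors.New("second hash value does not cover the received public key")
)

// SelfReferral holds the first hash (program code), second hash (callee key) and sigB.
type SelfReferral struct {
	CodeHash, KeyHash [32]byte
	NodeSig           []byte // checked by the authentication server, not the caller
}

// Report is the server's signed verdict ("yes" = accepted) on a self-referral.
type Report struct {
	Info    SelfReferral
	Verdict string
	Sig     []byte // sigIAS
}

// put writes length-prefixed fields so adjacent fields cannot be confused.
func put(w io.Writer, fields ...[]byte) {
	for _, f := range fields {
		binary.Write(w, binary.BigEndian, uint32(len(f)))
		w.Write(f)
	}
}

// Measure hashes the given program images in the order agreed with the node.
func Measure(programs ...[]byte) [32]byte {
	h := sha256.New()
	put(h, programs...)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func signedBytes(info SelfReferral, verdict string) []byte {
	var b bytes.Buffer
	put(&b, info.CodeHash[:], info.KeyHash[:], info.NodeSig, []byte(verdict))
	return b.Bytes()
}

// IssueReport is a constructed stand-in for the authentication server.
func IssueReport(priv ed25519.PrivateKey, info SelfReferral, verdict string) Report {
	return Report{info, verdict, ed25519.Sign(priv, signedBytes(info, verdict))}
}

// VerifyReport runs the caller-side checks in order; the callee public key is
// used for encryption only after all four pass.
func VerifyReport(serverPub ed25519.PublicKey, r Report, wantCode [32]byte, calleePub []byte) error {
	if len(serverPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(serverPub, signedBytes(r.Info, r.Verdict), r.Sig) {
		return ErrBadSignature
	}
	if r.Verdict != "yes" {
		return ErrRejected
	}
	if r.Info.CodeHash != wantCode {
		return ErrCodeMismatch
	}
	if r.Info.KeyHash != sha256.Sum256(calleePub) {
		return ErrKeyMismatch
	}
	return nil
}

// fixture builds constructed sample data: server key pair, program images, key, report.
func fixture() (ed25519.PublicKey, ed25519.PrivateKey, [][]byte, []byte, Report) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	code := [][]byte{[]byte("entrypoint image"), []byte("handler image"), []byte("xgboost image")}
	calleePub := []byte("constructed callee public key")
	info := SelfReferral{Measure(code...), sha256.Sum256(calleePub), []byte("sigB")}
	return pub, priv, code, calleePub, IssueReport(priv, info, "yes")
}

func main() {
	pub, _, code, calleePub, rep := fixture()
	fmt.Println(VerifyReport(pub, rep, Measure(code...), calleePub))
	fmt.Println(VerifyReport(pub, rep, Measure(code...), []byte("substituted key")))
}
```

For the embodiment in which the challenge names a program identifier, the caller passes only that program's image to `Measure`, matching what the node hashed.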
The present specification also provides embodiments of an apparatus, an electronic device, and a storage medium, corresponding to embodiments of the foregoing method.
FIG. 5 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 5, at the hardware level, the apparatus includes a processor 502, an internal bus 504, a network interface 506, a memory 508 and a non-volatile memory 510, but may also include hardware required for other services. One or more embodiments of the present description may be implemented in software, such as by processor 502 reading corresponding computer programs from non-volatile storage 510 into memory 508 and then running. Of course, besides software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combinations of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Fig. 6 is a block diagram of an apparatus for implementing trusted computing according to an exemplary embodiment, which may be applied to the device shown in fig. 5 to implement the technical solution of the present specification, and is applied to a trusted computing node, where a library operating system environment is encapsulated in a trusted execution environment deployed at the trusted computing node, and the apparatus includes the following units:
a remote authentication unit 601, configured to receive a remote authentication challenge sent by a caller for the trusted execution environment, and assist the caller to obtain a remote authentication report according to the remote authentication challenge;
a request receiving unit 602, configured to receive a computation request ciphertext sent by the caller, where the computation request ciphertext is sent when the caller confirms that the trusted computing node is trusted according to the remote authentication report;
a program invoking unit 603, configured to, after the computing request ciphertext is decrypted in the library operating system environment to obtain a computing request, invoke and execute a trusted computing program corresponding to the computing request in the library operating system environment.
Optionally, the remote authentication unit 601 is specifically configured to:
generating self-referral information, wherein the self-referral information comprises a first hash value corresponding to a program code contained in the library operating system environment and a second hash value corresponding to a called party public key maintained by the library operating system environment;
transmitting the remote authentication report returned by an authentication server after completing authentication of the self-referral information to the caller; or sending the self-referral information to the calling party so that the calling party sends the self-referral information to the authentication server, and receiving the remote authentication report returned by the authentication server after the authentication of the self-referral information is completed.
Optionally, the calculation request includes a program identifier and input data; the program calling unit 603 is specifically configured to:
creating a sub-process of the trusted computing program corresponding to the program identification;
passing the input data into the sub-process to complete a computation by a respective trusted computing program.
Optionally, the calculation request includes a request sequence number; the device further comprises:
an execution result sending unit 604, configured to send an execution result of the trusted computing program corresponding to the computing request to the caller, where the execution result includes the request sequence number.
Optionally, the library operating system environment includes: the interface program and the scheduling program containing the scheduling script;
the interface program is used for receiving the remote authentication challenge, assisting the caller in obtaining the remote authentication report, and decrypting the calculation request ciphertext to obtain the calculation request; and
the interface program is also used for executing the scheduling program according to the computing request so as to call and execute the trusted computing program corresponding to the computing request through the scheduling script.
Optionally,
the calculation request ciphertext is obtained by the calling party encrypting the calculation request using a called party public key; or
the calculation request ciphertext is obtained by the caller encrypting the calculation request in a digital envelope mode.
Optionally, the library operating system environment maintains a called party public and private key pair;
the called party public and private key pair is a static public and private key pair, and the static public and private key pair is defined by a constant of program codes in the library operating system environment, or is fixedly generated by the library operating system environment in an initialization stage, or is fixedly distributed by a key management server;
or, the called party public and private key pair is a dynamic public and private key pair, and the dynamic public and private key pair is randomly generated by the library operating system environment in an initialization stage or randomly distributed by a key management server.
Optionally, the development paradigm of the trusted computing program is different from the development paradigm used to develop programs that run directly in the trusted execution environment.
Optionally, the apparatus further comprises:
an execution result encryption unit 605, configured to encrypt an execution result of the trusted computing program to obtain an execution result ciphertext;
an encrypted result sending unit 606, configured to send the execution result ciphertext to the caller, so that the caller decrypts the execution result ciphertext to obtain the execution result.
Optionally, the execution result encryption unit 605 is specifically configured to:
encrypting the execution result of the trusted computing program by using the caller public key to obtain the execution result ciphertext; or
under the condition that the calculation request ciphertext is obtained by the caller encrypting the calculation request in a digital envelope mode, encrypting the execution result of the trusted computing program by using a symmetric key related to the digital envelope to obtain the execution result ciphertext.
Optionally, the trusted computing node is a block chain node.
Correspondingly, the present specification also provides an apparatus comprising a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the steps of implementing the trusted computing method provided by all of the above method embodiments.
Accordingly, the present specification also provides a computer readable storage medium having executable instructions stored thereon; wherein the instructions, when executed by the processor, implement the steps of implementing the trusted computing method provided by all of the above method embodiments.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
In a typical configuration, a computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at …" or "when …" or "in response to a determination", depending on the context.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (14)

1. A method of implementing trusted computing, the method applied to a trusted computing node having a library operating system environment encapsulated in a trusted execution environment deployed at the trusted computing node, the method comprising:
receiving a remote authentication challenge sent by a calling party aiming at the trusted execution environment, and assisting the calling party to obtain a remote authentication report according to the remote authentication challenge, wherein the remote authentication challenge comprises a program identifier, so that the remote authentication report comprises a program hash value obtained by performing hash operation on a program code of a trusted computing program corresponding to the program identifier and a public key hash value corresponding to a public key of a called party;
receiving a computation request ciphertext sent by the caller, wherein the computation request ciphertext is sent when the caller confirms that the trusted computing node is trusted according to the remote authentication report, wherein the caller determines that the trusted computing node is trusted when determining that the callee public key held by the caller has authenticity according to the public key hash value in the remote authentication report, and determining that the trusted computing program corresponding to the program identifier in the library operating system environment runs in a trusted execution environment and is not tampered according to the program hash value in the remote authentication report;
and after the computing request ciphertext is decrypted in the library operating system environment to obtain a computing request, wherein the computing request comprises the program identifier, calling and executing the trusted computing program in the library operating system environment corresponding to the program identifier in the computing request.
2. The method of claim 1, the assisting the caller in obtaining a remote authentication report, comprising:
generating self-referral information, wherein the self-referral information comprises a first hash value corresponding to a program code contained in the library operating system environment and a second hash value corresponding to a called party public key maintained by the library operating system environment;
transmitting the remote authentication report returned by an authentication server after completing authentication of the self-referral information to the caller; or sending the self-referral information to the calling party so that the calling party sends the self-referral information to the authentication server, and receiving the remote authentication report returned by the authentication server after the authentication of the self-referral information is completed.
3. The method of claim 1, the computing request further comprising input data; the invoking and executing of the trusted computing program in the library operating system environment corresponding to the program identification in the computing request comprises:
creating a sub-process of the trusted computing program corresponding to the program identification;
passing the input data into the sub-process to complete a computation by a respective trusted computing program.
4. The method of claim 1, the compute request comprising a request sequence number; the method further comprises the following steps:
and sending an execution result of the trusted computing program corresponding to the computing request to the caller, wherein the execution result comprises the request sequence number.
5. The method of claim 1, the library operating system environment comprising: the interface program and the scheduling program containing the scheduling script;
the interface program is used for receiving the remote authentication challenge, assisting the caller in obtaining the remote authentication report, and decrypting the calculation request ciphertext to obtain the calculation request; and
the interface program is also used for executing the scheduling program according to the computing request so as to call and execute the trusted computing program corresponding to the computing request through the scheduling script.
6. The method of claim 1, wherein:
the calculation request ciphertext is obtained by the calling party encrypting the calculation request using a called party public key; or
the calculation request ciphertext is obtained by the caller encrypting the calculation request in a digital envelope mode.
7. The method of claim 1, the library operating system environment maintaining a callee public-private key pair;
the called party public and private key pair is a static public and private key pair, and the static public and private key pair is defined by a constant of program codes in the library operating system environment, or is fixedly generated by the library operating system environment in an initialization stage, or is fixedly distributed by a key management server;
or, the called party public and private key pair is a dynamic public and private key pair, and the dynamic public and private key pair is randomly generated by the library operating system environment in an initialization stage or randomly distributed by a key management server.
8. The method of claim 1, the trusted computing program having a development paradigm that is distinct from a development paradigm used to develop programs that run directly in a trusted execution environment.
9. The method of claim 1, further comprising:
encrypting the execution result of the trusted computing program to obtain an execution result ciphertext;
and sending the execution result ciphertext to the caller so that the caller decrypts the execution result ciphertext to obtain the execution result.
10. The method of claim 9, wherein encrypting the execution result of the trusted computing program to obtain an execution result ciphertext comprises:
encrypting the execution result of the trusted computing program by using the caller public key to obtain the execution result ciphertext; or
under the condition that the calculation request ciphertext is obtained by the caller encrypting the calculation request in a digital envelope mode, encrypting the execution result of the trusted computing program by using a symmetric key related to the digital envelope to obtain the execution result ciphertext.
11. The method of claim 1, the trusted computing node being a blockchain node.
12. An apparatus for implementing trusted computing, the apparatus being applied to a trusted computing node, a library operating system environment being encapsulated in a trusted execution environment deployed at the trusted computing node, the apparatus comprising:
the remote authentication unit is used for receiving a remote authentication challenge sent by a calling party aiming at the trusted execution environment and assisting the calling party to obtain a remote authentication report according to the remote authentication challenge, wherein the remote authentication challenge comprises a program identifier, so that the remote authentication report comprises a program hash value obtained by carrying out hash operation on a program code of a trusted computing program corresponding to the program identifier and a public key hash value corresponding to a public key of a called party;
a request receiving unit, configured to receive a computation request ciphertext sent by the caller, where the computation request ciphertext is sent when the caller confirms that the trusted computing node is trusted according to the remote authentication report, where the caller determines that the trusted computing node is trusted when it determines, according to the public key hash value in the remote authentication report, that the callee public key held by the caller has authenticity, and determines, according to the program hash value in the remote authentication report, that the trusted computing program corresponding to the program identifier in the library operating system environment runs in a trusted execution environment and is not tampered with;
and the program calling unit is used for calling and executing a trusted computing program corresponding to the program identifier in the computing request in the library operating system environment after the computing request ciphertext is decrypted in the library operating system environment to obtain a computing request, wherein the computing request comprises the program identifier.
13. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1-11.
14. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 11.
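The caller-side decision recited in claim 1, and the sequence-number matching of claim 4, can be illustrated as follows. This is an added example, not code from the patent: the `AttestationReport` layout, the `signature_valid` flag standing in for verification of the authentication server's signature, the request field names and the rejection of results with no outstanding sequence number are all assumptions made for the sketch, and the sample key and program bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttestationReport:
    # Field layout is assumed for this example; a real report is a signed
    # structure whose signature the caller checks before reading any field.
    signature_valid: bool   # stand-in for that signature check
    program_hash: bytes     # hash over the trusted computing program's code
    pubkey_hash: bytes      # hash over the callee public key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def untrusted_reason(report: AttestationReport, expected_program_hash: bytes,
                     held_callee_pubkey: bytes) -> Optional[str]:
    """Return None when the node may be trusted, else the failed check."""
    if not report.signature_valid:
        return "report not vouched for by the authentication server"
    # The key the caller is about to encrypt to must be the attested one.
    if not hmac.compare_digest(report.pubkey_hash, sha256(held_callee_pubkey)):
        return "held callee public key does not match the attested hash"
    # The program named in the challenge must be the code the caller expects.
    if not hmac.compare_digest(report.program_hash, expected_program_hash):
        return "program hash differs from the expected value"
    return None


class Caller:
    def __init__(self, held_callee_pubkey: bytes, expected_hashes: dict):
        self.held_callee_pubkey = held_callee_pubkey
        self.expected_hashes = expected_hashes   # program identifier -> hash
        self.pending = {}                        # sequence number -> identifier
        self.next_seq = 1

    def build_request(self, report, program_id: str, input_data) -> dict:
        """Plaintext calculation request; encryption to the callee follows."""
        expected = self.expected_hashes.get(program_id)
        if expected is None:
            raise PermissionError("no expected hash for " + program_id)
        reason = untrusted_reason(report, expected, self.held_callee_pubkey)
        if reason is not None:
            raise PermissionError(reason)
        seq = self.next_seq
        self.next_seq += 1
        self.pending[seq] = program_id
        return {"program_id": program_id, "seq": seq, "input": input_data}

    def accept_result(self, result: dict):
        """Match a decrypted execution result to its outstanding request."""
        seq = result.get("seq")
        if seq not in self.pending:
            raise ValueError("result carries no outstanding sequence number")
        del self.pending[seq]
        return result["output"]
```

Both hash comparisons must pass before any request plaintext is built, so a node presenting a substituted key or modified program never receives input data.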
CN202110515727.3A 2021-05-12 2021-05-12 Method, device, electronic equipment and storage medium for realizing trusted computing Active CN112989319B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110515727.3A CN112989319B (en) 2021-05-12 2021-05-12 Method, device, electronic equipment and storage medium for realizing trusted computing

Publications (2)

Publication Number Publication Date
CN112989319A CN112989319A (en) 2021-06-18
CN112989319B true CN112989319B (en) 2021-08-31

Family

ID=76337638

Country Status (1)

Country Link
CN (1) CN112989319B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant