CN113239347A - Starting method and device suitable for TEE security application example
- Publication number: CN113239347A (application CN202110680426.6A)
- Authority: CN (China)
- Prior art keywords: instance, plug-in, host, hash, TEE
- Legal status: Granted
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
            - G06F21/53—by executing in a restricted environment, e.g. sandbox or secure virtual machine
          - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            - G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
            - G06F21/575—Secure boot
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides a starting method and a starting device suitable for a TEE security application instance. The method divides the existing TEE instance into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and the instance hash generated for it remains unchanged throughout its life cycle. The hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by means of a hardware mapping primitive; the host instance reuses the contents and hash of the plug-in instance, avoiding a lengthy startup. Compared with the prior art, the method has low startup latency, low memory occupancy and low runtime overhead, while also providing good secure-sharing characteristics.
Description
Technical Field
The invention relates to the startup process of a trusted execution environment, and in particular to a starting method and a starting device suitable for a TEE security application instance.
Background
Among hardware security technologies built around a trusted chip, the trusted execution environment (TEE) is one of the most important. A trusted execution environment is a secure sandbox isolation technology provided by hardware (usually the processor): it isolates the code and data the user cares about from the external environment, and guarantees the integrity of the execution process and the confidentiality of the computed data. In recent years, with the rapid growth of data security and privacy-preserving computing demands, trusted execution environment technology has been applied in fields such as cloud computing security and edge computing security.
From the perspective of the protected object, trusted execution technology protects roughly two kinds of objects: user processes and virtual machines. In either case, an instance of a trusted execution environment must, on startup, check the hash and signature of the loaded image. Only a trusted image can start successfully and receive the user's private data to complete the computation. Since the security of the technology is realized by hardware, the hash calculation and the signature verification must be performed by dedicated hardware instructions. The trusted execution environment provides a dedicated hardware register that holds the updated hash value after each memory page of the image is measured; once the hash measurement of the last page is completed, the hardware first checks whether the signature over the expected hash value carried in the image is trusted, and if so, further compares the expected hash value with the hash value measured by the hardware.
Currently, trusted execution environment boot methods fall into two types. The first is a pure hardware solution: the hash value is determined in advance at image compilation time, and the computation of the hash at startup is handed over entirely to hardware. Its advantage is that the hash is computed entirely by hardware, so only the hardware needs to be trusted during remote verification. Its disadvantages are that computing the hash in hardware is costly, the hardware instructions can only update the hash at the granularity of a single memory page (page) at a time, and the hash algorithm can only be executed serially, since any out-of-order acceleration would cause the hash verification to fail.
The other solution combines software and hardware. A program loader is defined first; the hardware is responsible only for generating the hardware hash of the loader, and the loader then boots the rest of the image and generates the software hash of the remainder. The main benefits of this scheme are that the software hash can be computed over blocks of content, which allows some concurrency, and that the loader allows new code to be loaded dynamically at runtime and verified. The second advantage is more prominent for high-level programming languages (e.g., Java, Python). Its disadvantage is that newly generated code segments require the memory page permissions to be modified, which still needs the participation of the hardware instruction set: the permission change of a code segment (from readable and writable to executable) must be applied by the hardware page by page, and this page-by-page update limits the startup scalability of the instance. Thus both the hardware and the software solutions face boot performance problems bounded by "page" granularity.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a starting method and a starting device suitable for a TEE security application instance.
According to the starting method suitable for a TEE security application instance, the existing TEE instance is divided into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and its generated instance hash always remains unchanged throughout its life cycle; the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by means of a hardware mapping primitive. The host instance reuses the content and hash of the plug-in instance, and the startup and verification comprise the following steps:
Step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and after loading is finished, modification of the content and hash of the plug-in instance is forbidden;
Step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and after loading is finished, modification of the hash of the host instance is forbidden;
Step S3: the host instance actively verifies the hash of the plug-in instance, and if the expected requirement is met, the plug-in instance is added into the address space of the host instance at the granularity of a domain through hardware mapping semantics;
Step S4: the host instance directly calls functions of the plug-in instance;
Step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interrupt") of the operating system is triggered, and the corresponding page of the host instance is replaced with a private page;
Step S6: the host instance removes the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
Preferably, the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the standard TEE instance verification process.
Preferably, the plug-in instances mapped in step S3 and the host instance share the same address space; the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
Preferably, in step S4, the call from the host instance to the plug-in instance is an ordinary function call, and the call overhead does not exceed 10 processor clock cycles.
Preferably, step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Preferably, the unmapping in step S6 and the mapping operation in step S3 allow swapping.
Preferably, the TEE technology includes a user process sandbox and a virtual machine sandbox.
The invention also provides a starting device suitable for a TEE security application instance, comprising a client, a server and a connecting network. The client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system; the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, and the operating system is responsible for the allocation and management of the external devices. Each TEE instance is connected with one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
Preferably, the starting device includes a storage medium and a network medium.
Compared with the prior art, the invention has the following beneficial effects:
1. Domain granularity replaces the original page granularity for rapidly mapping the plug-in instance, which effectively reduces the startup latency of the TEE instance; at the same time, the mapping time is independent of the instance size, so the method scales well.
2. A single plug-in instance can be mapped into multiple host instances, which reduces memory occupancy and improves memory utilization.
3. Because the same address space is used, the mapped plug-in instance can directly call and access the functions and content of the original host instance, which reduces runtime overhead.
4. A strong isolation model is used between host instances, and the integrity of the plug-in instance is preserved by copy-on-write, so a plug-in instance mapped into multiple host instances remains secure.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of TEE instance mapping in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a hardware device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that various changes and modifications, obvious to those skilled in the art, can be made without departing from the spirit of the invention; all of them fall within the scope of the present invention.
In the method for starting and verifying a TEE security application instance, the existing TEE instance is first divided into two kinds. One keeps the characteristics of the original TEE instance, namely that the contents of all encrypted memory pages are not allowed to be shared and the generated instance hash remains unchanged throughout its life cycle; we call this the host instance. The other is the plug-in instance proposed by the present invention, which still inherits the characteristics of the existing TEE instance (the instance hash is not allowed to be updated after initialization is completed, and the content is not allowed to be modified), but is allowed to be added into a host instance by means of the hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, thereby avoiding a lengthy startup. The startup and verification comprise the following steps:
Step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and after loading is finished, modification of the plug-in instance is forbidden. The hash of the plug-in instance is obtained from the standard TEE instance verification process.
Step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and after loading is finished, modification of the host instance hash is forbidden. The hash of the host instance is obtained from the standard TEE instance verification process.
Step S3: the host instance actively verifies the hash of the plug-in instance and, if the expected requirement is met, adds the plug-in instance to the host instance's address space at the granularity of a domain through hardware mapping semantics. The mapped plug-in instances and the host instance share the same address space, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
Step S4: the host instance directly calls functions of the plug-in instance; the call is an ordinary function call with an overhead of no more than 10 processor clock cycles.
Step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interrupt") of the operating system is triggered, and the corresponding page of the host instance is replaced with a private page. This step requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Step S6: the host instance removes the plug-in instance; if successful, step S3 may be performed to map in a new plug-in instance. In this step, the unmapping and the mapping operation of step S3 allow swapping.
FIG. 1 shows the specific process by which a TEE instance of the present invention starts and completes the rapid startup of a TEE host instance. The following control steps are described in detail with reference to FIG. 1, taking the life cycles of the plug-in instance and the host instance as an example:
in step 401, the hardware executes the "create" instruction, and the state of the TEE instance changes from "absent" to "initializing"; at this point the first page of the TEE instance exists in memory, and step 402 is executed next;
in step 402, the hardware executes the "load image" instruction, copying the image data or code from normal memory into encrypted memory at the granularity of a "page", and then executes step 403;
in step 403, the hardware executes the "compute hash" instruction; if successful, it returns to step 402 to load the next page into the TEE instance;
in step 403 it is also determined whether image loading is complete: if so, proceed to step 404; otherwise, go to step 402;
in step 404, the hardware executes the "complete" instruction, and an external party can judge the trustworthiness of the current TEE instance through the final hash generated by the hardware;
in step 405, if the current instance is to be deleted, the hardware executes the "destroy" instruction, destroying the contents of the encrypted memory page by page until the deletion of the whole instance is complete;
in step 406, an initialized host instance can map an initialized plug-in instance by having the hardware execute the "map" instruction;
in step 407, if a plug-in instance is no longer needed, the hardware executes the "unmap" instruction, which removes the plug-in from the current address space.
A plug-in instance mapped in by "map" in step 406 can only be removed by "unmap" in step 407, not by "destroy" in step 405.
As shown in FIG. 2, the present invention allows multiple plug-in instances to be mapped into different host instances, and by means of the mapping function provided by hardware, the same plug-in can be shared rapidly and securely among different hosts. Each host instance is a separate sandbox module, sharing no content with the others. Once a host instance modifies a plug-in instance, only its own content is affected. The TEE technologies include user process sandboxes and virtual machine sandboxes.
The invention adopts a client/server (C/S) model: each client corresponds to one host instance, and the secure computation over private data is completed by means of the strong isolation provided by the host instance. In the remote attestation phase, the hash of the host instance is verified by the user, while the hash check of the plug-in instance is done by the host instance, which reduces the need for the user to establish multiple remote channels. Since the host instance only maps trusted plug-in instances, the correctness and confidentiality of the overall computation are ensured.
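The S1 to S6 procedure and the FIG. 1 lifecycle (create, load, compute hash, complete, map, unmap, destroy) modelled in Python as an added example; this is illustrative code written for this page, not the patent's implementation or any real TEE hardware API. It assumes a serial SHA-256 chain as the "compute hash" instruction, page numbers as addresses, and it does not model the function-call step S4; the state and instruction names follow the FIG. 1 description.

```python
import hashlib
from dataclasses import dataclass, field

class TeeError(Exception):
    """Raised where the modelled hardware would refuse an instruction."""

@dataclass
class Instance:
    name: str
    state: str = "initializing"                    # step 401 'create' -> initialized -> absent
    pages: list = field(default_factory=list)      # own encrypted-memory pages
    hash_reg: bytes = field(default_factory=lambda: hashlib.sha256(b"").digest())
    mapped: dict = field(default_factory=dict)     # base page number -> mapped plug-in
    cow: dict = field(default_factory=dict)        # page number -> private copy-on-write page
    mapped_by: int = 0                             # hosts currently mapping this instance

def _extend(h, idx, page):
    # Serial chain: each digest depends on the previous one, so page order is fixed.
    return hashlib.sha256(h + idx.to_bytes(4, "big") + page).digest()

def measure_image(image):
    """Expected hash embedded at build time: the same serial chain, run offline."""
    h = hashlib.sha256(b"").digest()
    for idx, page in enumerate(image):
        h = _extend(h, idx, page)
    return h

def load_page(inst, page):
    """Steps 402/403: copy one page into encrypted memory and extend the measurement."""
    if inst.state != "initializing":
        raise TeeError("image is sealed: no page may be loaded after completion")
    inst.pages.append(page)
    inst.hash_reg = _extend(inst.hash_reg, len(inst.pages) - 1, page)

def complete(inst, expected):
    """Step 404: compare the measurement with the expected hash, then freeze it."""
    if inst.state != "initializing":
        raise TeeError("instance is not being initialized")
    if inst.hash_reg != expected:
        raise TeeError(f"{inst.name}: measured hash differs from expected hash")
    inst.state = "initialized"
    return inst.hash_reg

def map_plugin(host, plugin, expected):
    """Step S3 / 406: verify the plug-in hash, then map its whole domain at once."""
    if host.state != "initialized" or plugin.state != "initialized":
        raise TeeError("both instances must be initialized before mapping")
    if plugin.hash_reg != expected:
        raise TeeError("host refuses to map an untrusted plug-in")
    # Linear, sequential, non-overlapping: next free base after every existing domain.
    base = max([len(host.pages)] + [b + len(p.pages) for b, p in host.mapped.items()])
    host.mapped[base] = plugin
    plugin.mapped_by += 1
    return base  # one operation regardless of the plug-in's size

def _resolve(host, page_no):
    if page_no < len(host.pages):
        return host.pages, page_no
    for base, plugin in host.mapped.items():
        if base <= page_no < base + len(plugin.pages):
            return plugin.pages, page_no - base
    raise TeeError("page fault: address is not mapped")

def read_page(host, page_no):
    if page_no in host.cow:                  # private copy wins over the shared page
        return host.cow[page_no]
    pages, off = _resolve(host, page_no)
    return pages[off]

def write_page(host, page_no, data):
    """Step S5: a write to a plug-in page faults; the host gets a private copy."""
    pages, off = _resolve(host, page_no)
    if pages is host.pages:
        host.pages[off] = data            # own page: ordinary write
    else:
        host.cow[page_no] = data          # shared plug-in page: copy-on-write

def unmap(host, base):
    """Step S6 / 407: drop the domain and any private copies made over it."""
    plugin = host.mapped.pop(base)
    plugin.mapped_by -= 1
    host.cow = {p: d for p, d in host.cow.items() if not base <= p < base + len(plugin.pages)}

def destroy(inst):
    """Step 405: an instance still mapped into a host may only be unmapped."""
    if inst.mapped_by:
        raise TeeError("instance is still mapped; unmap it from every host first")
    inst.pages.clear()
    inst.state = "absent"
```

Two hosts mapping the same plug-in each see the original pages until they write, after which only their own private copy changes; the plug-in's hash register never moves after `complete`.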
Those skilled in the art will appreciate that, in addition to implementing the system and its various devices, modules, units provided by the present invention as pure computer readable program code, the system and its various devices, modules, units provided by the present invention can be fully implemented by logically programming method steps in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and various devices, modules and units thereof provided by the invention can be regarded as a hardware component, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures in the hardware component; means, modules, units for performing the various functions may also be regarded as structures within both software modules and hardware components for performing the method.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.
Claims (9)
1. A starting method suitable for a TEE security application instance, characterized in that: an existing TEE instance is divided into a host instance and a plug-in instance, wherein the contents of all encrypted memory pages of the host instance are not allowed to be shared, the generated instance hash remains unchanged throughout its life cycle, the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by means of a hardware mapping primitive; the host instance reuses the content and hash of the plug-in instance, and the startup and verification comprise the following steps:
Step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and after loading is finished, modification of the content and hash of the plug-in instance is forbidden;
Step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and after loading is finished, modification of the hash of the host instance is forbidden;
Step S3: the host instance actively verifies the hash of the plug-in instance, and if the expected requirement is met, the plug-in instance is added into the address space of the host instance at the granularity of a domain through hardware mapping semantics;
Step S4: the host instance directly calls functions of the plug-in instance;
Step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interrupt") of the operating system is triggered, and the corresponding page of the host instance is replaced with a private page;
Step S6: the host instance removes the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
2. The method of claim 1, characterized in that: the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the standard TEE instance verification process.
3. The method of claim 1, characterized in that: the plug-in instances mapped in step S3 and the host instance share the same address space, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
4. The method of claim 1, characterized in that: in step S4, the call from the host instance to the plug-in instance is an ordinary function call, and the call overhead does not exceed 10 processor clock cycles.
5. The method of claim 1, characterized in that: step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
6. The method of claim 1, characterized in that: the unmapping in step S6 and the mapping operation in step S3 allow swapping.
7. The method of claim 1, characterized in that: the TEE technology includes a user process sandbox and a virtual machine sandbox.
8. A starting device suitable for a TEE security application instance, comprising: a client, a server and a connecting network; the client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system, wherein the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, the operating system is responsible for the allocation and management of the plurality of external devices, each TEE instance is connected with one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
9. The starting device for a TEE security application instance according to claim 8, wherein the starting device comprises a storage medium and a network medium.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110680426.6A CN113239347B (en) | 2021-06-18 | 2021-06-18 | Starting method and device suitable for TEE security application example |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113239347A true CN113239347A (en) | 2021-08-10 |
CN113239347B CN113239347B (en) | 2022-06-28 |
Family
ID=77140360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110680426.6A Active CN113239347B (en) | 2021-06-18 | 2021-06-18 | Starting method and device suitable for TEE security application example |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113239347B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104392188A | 2014-11-06 | 2015-03-04 | Samsung Electronics (China) R&D Center | Security data storage method and system |
CN107608757A | 2017-08-29 | 2018-01-19 | Huawei Technologies Co., Ltd. | Container-based isolation processing method and related device |
CN107835185A | 2017-11-21 | 2018-03-23 | Guangzhou University | Mobile terminal security service method and device based on ARM TrustZone |
CN112817780A | 2021-02-01 | 2021-05-18 | Shanghai Jiao Tong University | Method and system for realizing secure and high-performance inter-process communication |
Non-Patent Citations (5)
Title |
---|
MINGYU LI: "Aurora: Providing Trusted System Services for Enclaves On an Untrusted System", arXiv |
MINGYU LI: "Establishing Trusted I/O Paths for SGX Client Systems With Aurora", IEEE |
MINGYU LI: "Toward Migration of SGX-Enabled Containers", IEEE |
YUBIN XIA: "Colony: A Privileged Trusted Execution Environment With Extensibility", IEEE |
YUBIN XIA (夏虞斌): "A secure mobile remote control system based on TrustZone technology", Computer Engineering (计算机工程) |
Also Published As
Publication number | Publication date |
---|---|
CN113239347B (en) | 2022-06-28 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |