CN113239347A - Starting method and device suitable for TEE security application example - Google Patents

Info

Publication number: CN113239347A
Authority: CN (China)
Prior art keywords: instance, plug, host, hash, tee
Legal status: Granted (currently Active)
Application number: CN202110680426.6A
Other languages: Chinese (zh)
Other versions: CN113239347B (en)
Inventors: 李明煜, 夏虞斌, 陈海波
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University; priority to CN202110680426.6A (granted as CN113239347B)

Classifications

    • G06F21/53 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/572 Certifying or maintaining trusted computer platforms; secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F21/575 Certifying or maintaining trusted computer platforms; secure boot

Abstract

The invention provides a startup method and a startup device suitable for a TEE security application instance. The method divides the existing TEE instance into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance using a hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, avoiding lengthy startup time. Compared with the prior art, the method has low startup latency, low memory occupancy and low runtime overhead, while also providing secure sharing.

Description

Starting method and device suitable for TEE security application example
Technical Field
The invention relates to the startup process of a trusted execution environment, in particular to a startup method and a startup device suitable for a TEE security application instance.
Background
Among hardware security technologies built around a trusted chip, trusted execution environment (TEE) technology is one of the most important. A trusted execution environment is a security sandbox isolation technology provided by hardware (usually the processor): it isolates the code and data the user cares about from the external environment, and guarantees the integrity of the execution process and the confidentiality of the computed data. In recent years, with the rapid growth of data security and privacy-preserving computing demands, trusted execution environment technology has been used in fields such as cloud computing security and edge computing security.
From the perspective of the protected object, trusted execution technology is roughly divided into the user process level and the virtual machine level. In either case, an instance of a trusted execution environment must, at startup, check the hash and signature of the loaded image. Only a trusted image can be started successfully and receive the user's private data to complete the computation. Since the security of the technology is realized by hardware, the hash calculation and signature verification must be performed by special hardware instructions. The trusted execution environment provides a special hardware register that stores the updated hash value after each memory page of the image is measured; after the hash measurement of the last page of memory content is completed, the hardware first checks whether the signature over the expected hash value carried in the image is trusted, and if so, compares the expected hash value with the hash value measured by the hardware.
Currently, trusted execution environment boot methods can be divided into two types. The first is a pure hardware solution: the hash value is determined in advance at the image compilation stage, and computing the hash at the startup stage is handed over entirely to hardware. Its advantage is that the hash is calculated entirely by hardware, so only the hardware needs to be trusted when the hash is verified remotely. Its disadvantages are that hashing in hardware is costly, the hardware instructions can only update the hash at the granularity of a single memory page at a time, and the hash algorithm can only be executed serially, so any out-of-order acceleration may cause hash verification to fail.
The other solution combines software and hardware: a program loader is defined first, the hardware is responsible only for generating the hardware hash of the loader, and the loader then loads the rest of the image and generates the remaining software hash. The main benefits of this scheme are that the software hash can be computed over blocks of content, which allows some concurrency, and that the loader allows new code to be loaded dynamically at runtime and verified. The second advantage is more prominent for high-level programming languages (e.g., Java, Python). The disadvantage is that newly generated code segments require the page permissions of the memory to be modified, which still needs the participation of the hardware instruction set: the permission change of a code segment (from readable and writable to executable) must be applied by hardware page by page, and this page-by-page update gives the instance poor startup scalability. Thus both the hardware and the software solutions face boot performance problems limited by "page" granularity.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a startup method and a startup device suitable for a TEE security application instance.
According to the startup method applicable to the TEE security application instance, the existing TEE instance is divided into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance using a hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, and startup and verification comprise the following steps:
step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and modification of the contents and hash of the plug-in instance is forbidden after loading is finished;
step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and modification of the hash of the host instance is forbidden after loading is finished;
step S3: the host instance actively verifies the hash of the plug-in instance, and if it meets the expected value, the plug-in instance is added into the address space of the host instance at the granularity of a domain through the hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: when the host instance performs a write operation on the plug-in instance, a page fault is triggered in the operating system and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance unmaps the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
Preferably, the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the standard TEE instance verification process.
Preferably, the plug-in instances mapped in step S3 and the host instance share the same address space, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap each other.
Preferably, in step S4, the call from the host instance to the plug-in instance is an ordinary function call, and the call overhead does not exceed 10 processor clock cycles.
Preferably, step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Preferably, the unmapping in step S6 and the mapping operation in step S3 allow swapping.
Preferably, the TEE technology includes a user process sandbox and a virtual machine sandbox.
The invention also provides a startup device suitable for a TEE security application instance, comprising a client, a server and a connecting network. The client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system; the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, the operating system is responsible for allocation and management of the external devices, each TEE instance is connected with one client, and the clients and the server are connected through a wide area network to form a client/server mode.
Preferably, the lending device includes a storage medium and a network medium.
Compared with the prior art, the invention has the following beneficial effects:
1. domain granularity replaces the original page granularity for rapidly mapping the plug-in instance, which effectively reduces the startup latency of the TEE instance; at the same time the mapping time is independent of the instance size, so the method scales well;
2. a single plug-in instance can be mapped into multiple host instances, reducing memory consumption and improving memory utilization;
3. because the same address space is used, the mapped plug-in instance can directly call and access the functions and contents of the original host instance, reducing runtime overhead;
4. a strong isolation model is adopted among host instances, and the integrity of the plug-in instance is ensured by copy-on-write, so a plug-in instance mapped into multiple host instances remains secure.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of TEE instance mapping in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a hardware device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit it in any way. It should be noted that those skilled in the art can make various changes and modifications without departing from the spirit of the invention, all of which fall within its scope.
A startup and verification method suitable for a TEE security application instance. The method first divides the existing TEE instance into two kinds. One keeps the characteristics of the original TEE instance: the contents of all its encrypted memory pages are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; we call this the host instance. The other is the plug-in instance proposed by the present invention, which still inherits the characteristics of the existing TEE instance (its instance hash is not allowed to be updated after initialization is completed, and its contents are not allowed to be modified), but which is allowed to be added into the host instance using the hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, thereby avoiding lengthy startup times. Startup and verification comprise the following steps:
Step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and modification of the plug-in instance is forbidden after loading is finished. The hash of the plug-in instance is obtained from the standard TEE instance verification process.
Step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and modification of the host instance is forbidden after loading is finished. The hash of the host instance is obtained from the standard TEE instance verification process.
Step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected value, adds the plug-in instance into the host instance's address space at the granularity of a domain through the hardware mapping semantics. The mapped plug-in instances and the host instance share the same address space, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap each other.
Step S4: the host instance directly calls functions of the plug-in instance; the call from the host instance to the plug-in instance is an ordinary function call with a call overhead of no more than 10 processor clock cycles.
Step S5: when the host instance performs a write operation on the plug-in instance, a page fault is triggered in the operating system and the corresponding page of the host instance is replaced with a private page; this step requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Step S6: the host instance unmaps the plug-in instance; if successful, step S3 may be performed to map in a new plug-in instance. In this step, the unmapping and the mapping operation of step S3 allow swapping.
FIG. 1 shows the specific process by which a TEE instance of the present invention is started so as to complete the rapid startup of a TEE host instance. The following control steps are described in detail with reference to FIG. 1, taking the life cycles of a plug-in instance and a host instance as an example:
in step 401, the hardware executes the "create" instruction; the state of the TEE instance changes from "absent" to "initializing", and at this point the first page of the TEE instance exists in memory; then step 402 is executed;
in step 402, the hardware executes the "load image" instruction, copying image data or code from normal memory into encrypted memory at the granularity of a page; then step 403 is executed;
in step 403, the hardware executes the "compute hash" instruction, and if successful, step 402 is executed to load the next page into the TEE instance;
also in step 403, it is determined whether image loading is complete; if so, step 404 is entered, otherwise step 402 is executed;
in step 404, the hardware executes the "complete" instruction, and an external party can judge the trustworthiness of the current TEE instance from the complete hash generated by the hardware;
in step 405, if the current instance is to be deleted, the hardware executes the "destroy" instruction, destroying the contents of the encrypted memory page by page and finally completing the deletion of the whole instance;
in step 406, an initialized host instance can map an initialized plug-in instance by having the hardware execute the "map" instruction;
in step 407, if a plug-in instance is no longer needed, the hardware executes the "unmap" instruction, which removes the plug-in from the current address space.
A plug-in instance mapped in by "map" in step 406 can only be removed by "unmap" in step 407, not by "destroy" in step 405.
As shown in FIG. 2, the present invention allows multiple plug-in instances to be mapped into different host instances; by means of the mapping function provided by the hardware, the same plug-in can be shared rapidly and securely among different hosts. Each host instance is a separate sandbox module and shares no content with the others. Once a host instance modifies a plug-in instance, only its own contents are affected. TEE technologies include user process sandboxes and virtual machine sandboxes.
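The host/plug-in model of steps S1 to S6 and the create/load/hash/complete/map/unmap flow of steps 401 to 407, as an added toy simulation that is not the patent's code: it stands in a page-chained SHA-256 measurement, a 4096-byte page and a hypothetical `Hardware` class for the processor's TEE instructions, and models the hash check and non-overlapping linear mapping of step S3, the copy-on-write private page of step S5, and the unmap of step S6.

```python
"""Toy model of the host / plug-in TEE instance scheme (steps S1-S6 and the
create/load/hash/complete/map/unmap flow of FIG. 1). Added illustration, not
the patent's code: the page-chained SHA-256 measurement, the 4096-byte page
and the hypothetical Hardware class stand in for the TEE instructions."""
import hashlib
from dataclasses import dataclass, field

PAGE = 4096


def split_pages(image: bytes) -> list:
    """Image as zero-padded pages, the unit the hardware loads and measures."""
    return [image[o:o + PAGE].ljust(PAGE, b"\0") for o in range(0, len(image), PAGE)]


def measure_image(image: bytes) -> str:
    """Serial, page-granular measurement: every page extends the running hash,
    so pages cannot be hashed out of order (the cost the Background describes)."""
    state = hashlib.sha256(b"create").digest()          # step 401: create
    for page in split_pages(image):                      # step 402: load page
        state = hashlib.sha256(state + page).digest()    # step 403: extend hash
    return state.hex()                                   # step 404: complete


@dataclass
class Instance:
    name: str
    image: bytes
    digest: str
    sealed: bool = False   # True after "complete": contents and hash are frozen


@dataclass
class Host:
    inst: Instance
    # plug-in name -> (base address, plug-in); mapping is linear, non-overlapping
    domains: dict = field(default_factory=dict)
    private: dict = field(default_factory=dict)   # page address -> private copy


def _span(base: int, plugin: Instance) -> range:
    """Address range a plug-in occupies when mapped as one domain at `base`."""
    return range(base, base + len(split_pages(plugin.image)) * PAGE)


class Hardware:
    """Hypothetical stand-in for the create/complete/map/unmap instructions."""

    def create(self, name: str, image: bytes) -> Instance:
        return Instance(name, image, measure_image(image), sealed=True)

    def map(self, host: Host, plugin: Instance, expected: str, base: int) -> bool:
        """Step S3 / 406: the host verifies the plug-in hash itself, then the whole
        instance is mapped as one domain at `base` if no other domain overlaps."""
        if not plugin.sealed or plugin.digest != expected:
            return False
        new = _span(base, plugin)
        for b, p in host.domains.values():
            old = _span(b, p)
            if new.start < old.stop and old.start < new.stop:
                return False          # overlapping address ranges are refused
        host.domains[plugin.name] = (base, plugin)
        return True

    def unmap(self, host: Host, name: str) -> bool:
        """Step S6 / 407: remove the plug-in (and this host's private copies of its
        pages) from the host's address space; the plug-in itself is not destroyed."""
        if name not in host.domains:
            return False
        base, plugin = host.domains.pop(name)
        for addr in list(host.private):
            if addr in _span(base, plugin):
                del host.private[addr]
        return True


def read(host: Host, addr: int) -> bytes:
    """A read sees the host's private page if one exists, else the shared plug-in page."""
    page_addr = addr - addr % PAGE
    if page_addr in host.private:
        return host.private[page_addr]
    for base, plugin in host.domains.values():
        if addr in _span(base, plugin):
            return split_pages(plugin.image)[(addr - base) // PAGE]
    raise ValueError("address not mapped")


def write(host: Host, addr: int, data: bytes) -> None:
    """Step S5: a write to a shared page faults; the OS gives this host a private
    copy, and the plug-in's own contents and hash stay unchanged."""
    page_addr = addr - addr % PAGE
    page = bytearray(read(host, addr))
    off = addr - page_addr
    page[off:off + len(data)] = data
    host.private[page_addr] = bytes(page)
```

Two hosts mapping the same plug-in see the same pages until one writes, at which point only that host's view changes and the plug-in's measurement is unaffected.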
The invention adopts a client/server (C/S) mode: each client corresponds to one host instance, and the secure computation over private data is completed by means of the strong isolation provided by the host instance. In the remote attestation phase, the hash of the host instance is attested to the user, while the hash check of the plug-in instance is done by the host instance, which removes the need for the user to establish multiple remote channels. Since the host instance only maps trusted plug-in instances, the correctness and confidentiality of the overall computation are ensured.
Those skilled in the art will appreciate that, in addition to implementing the system and its various devices, modules, units provided by the present invention as pure computer readable program code, the system and its various devices, modules, units provided by the present invention can be fully implemented by logically programming method steps in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and various devices, modules and units thereof provided by the invention can be regarded as a hardware component, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures in the hardware component; means, modules, units for performing the various functions may also be regarded as structures within both software modules and hardware components for performing the method.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (9)

1. A startup method suitable for a TEE security application instance, characterized in that: an existing TEE instance is divided into a host instance and a plug-in instance, wherein the contents of all encrypted memory pages of the host instance are not allowed to be shared, the instance hash generated for it stays unchanged throughout its life cycle, the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance using a hardware mapping primitive; the host instance reuses the contents and hash of the plug-in instance, and startup and verification comprise the following steps:
step S1: start the plug-in instance; the hardware is responsible for calculating the hash of the plug-in instance image, and modification of the contents and hash of the plug-in instance is forbidden after loading is finished;
step S2: start the host instance; the hardware is responsible for calculating the hash of the instance image, and modification of the hash of the host instance is forbidden after loading is finished;
step S3: the host instance actively verifies the hash of the plug-in instance, and if it meets the expected value, the plug-in instance is added into the address space of the host instance at the granularity of a domain through the hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: when the host instance performs a write operation on the plug-in instance, a page fault is triggered in the operating system and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance unmaps the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
2. The method of claim 1, wherein the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the standard TEE instance verification process.
3. The method of claim 1, wherein the plug-in instances mapped in step S3 and the host instance share the same address space, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap each other.
4. The method of claim 1, wherein in step S4 the call from the host instance to the plug-in instance is an ordinary function call, and the call overhead does not exceed 10 processor clock cycles.
5. The method of claim 1, wherein step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
6. The method of claim 1, wherein the unmapping in step S6 and the mapping operation in step S3 allow swapping.
7. The method of claim 1, wherein the TEE technology includes a user process sandbox and a virtual machine sandbox.
8. A startup device suitable for a TEE security application instance, comprising a client, a server and a connecting network; the client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system, wherein the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, the operating system is responsible for allocation and management of the external devices, each TEE instance is connected with one client, and the clients and the server are connected through a wide area network to form a client/server mode.
9. The startup device for a TEE security application instance according to claim 8, wherein the lending device comprises a storage medium and a network medium.
Application CN202110680426.6A (priority date 2021-06-18, filing date 2021-06-18): Starting method and device suitable for TEE security application example. Status: Active; granted as CN113239347B (en). Family ID 77140360; country status: CN (1) CN113239347B (en).

Publications (2)

Publication Number Publication Date
CN113239347A true CN113239347A (en) 2021-08-10
CN113239347B CN113239347B (en) 2022-06-28

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant