CN113239347B - Starting method and device suitable for TEE security application example - Google Patents


Info

Publication number: CN113239347B
Authority: CN (China)
Prior art keywords: instance, plug, host, hash, tee
Legal status: Active
Application number: CN202110680426.6A
Other languages: Chinese (zh)
Other versions: CN113239347A (en)
Inventors: 李明煜, 夏虞斌, 陈海波
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Priority date: 2021-06-18
Filing date: 2021-06-18
Publication date: 2022-06-28
Events: application filed by Shanghai Jiaotong University; priority to CN202110680426.6A; publication of CN113239347A; application granted; publication of CN113239347B; current legal status active; anticipated expiration.


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a starting method and a starting device suitable for a TEE security application instance. The method divides the existing TEE instance into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by using a hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, avoiding lengthy startup time. Compared with the prior art, the method has low startup latency, low memory occupancy and low runtime overhead, and at the same time has good secure-sharing characteristics.

Description

Starting method and device suitable for TEE security application example
Technical Field
The invention relates to the starting process of a trusted execution environment, in particular to a starting method and a starting device suitable for a TEE security application instance.
Background
Among hardware security technologies built around a trusted chip, the trusted execution environment (TEE) is one of the important ones. A trusted execution environment is a security sandbox isolation technology provided by hardware (usually the processor); it isolates the user's sensitive code and data from the external environment and guarantees the integrity of the execution process and the confidentiality of the computed data. In recent years, with the rapid growth of data security and privacy-preserving computing demands, trusted execution environment technology has been applied in fields such as cloud computing security and edge computing security.
From the perspective of the protected object, trusted execution technologies roughly divide into the user-process level and the virtual-machine level. In either case, the trusted execution environment must check the hash and signature of the loaded image when an instance starts. Only a trusted image can start successfully and receive the user's private data to complete the computation. Because the security of the technology is provided by hardware, the hash computation and the signature verification must be performed by dedicated hardware instructions. The trusted execution environment provides a dedicated hardware register that stores the updated hash value after each measured page of the image; once the hash measurement of the last page of memory content is complete, the hardware first checks whether the signature over the expected hash value carried in the image is trusted, and if so, further compares the expected hash value with the hash value measured by the hardware.
Currently, trusted execution environment boot methods divide into two types. The first is a pure hardware solution: the hash value is fixed at image compilation time, and the hash computation at startup is handed over entirely to hardware. Its advantage is that the hash is computed entirely by hardware, so only the hardware needs to be trusted during remote attestation. Its disadvantages are that hardware hash computation is expensive, the hardware instructions can only update the hash at the granularity of a single memory page at a time, and the hash algorithm can only run serially, since any out-of-order acceleration may cause hash verification to fail.
The second is a combined software and hardware solution: a program loader is defined first, the hardware is responsible only for generating the hardware hash of the loader, and the loader then boots the rest of the image and generates a software hash over it. The main benefits of this scheme are that the software hash can be computed over blocks of content, which allows some concurrency, and that the loader allows new code to be loaded and checked dynamically at runtime; the second advantage matters most for high-level programming languages (e.g., Java, Python). Its disadvantage is that newly generated code segments require the memory page permissions to be changed, which still needs the hardware instruction set: the permission change of a code segment (from readable and writable to executable) must be applied by hardware page by page, and this page-by-page update gives the instance poor startup scalability. Thus both the hardware and the software solution face boot performance problems bounded by page granularity.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a starting method and a starting device suitable for a TEE security application instance.
According to the starting method applicable to a TEE security application instance, the existing TEE instance is divided into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by using a hardware mapping primitive. The host instance reuses the content and hash of the plug-in instance, and the starting and verification comprise the following steps:
step S1: starting the plug-in instance, where the hardware is responsible for computing the hash of the plug-in instance image, and modification of the content and hash of the plug-in instance is forbidden after loading is finished;
step S2: starting a host instance, where the hardware is responsible for computing the hash of the instance image, and modification of the host instance hash is forbidden after loading is finished;
step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected requirement, adds the plug-in instance into the address space of the host instance at the granularity of a domain through hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: the host instance performs a write operation on the plug-in instance, which triggers a page fault in the operating system, and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance removes the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
Preferably, the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the TEE instance standard verification process.
Preferably, the plug-in instances and host instances mapped in step S3 share the same address space, the mapping is linear and sequential, and the address ranges covered by the plug-in instances do not overlap.
Preferably, in step S4 the call from the host instance to the plug-in instance is a normal function call, and the call overhead does not exceed 10 processor clock cycles.
Preferably, step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Preferably, the unmapping in step S6 and the mapping operation in step S3 allow swapping.
Preferably, the TEE technology includes a user process sandbox and a virtual machine sandbox.
The invention also provides a starting device suitable for a TEE security application instance, comprising a client, a server and a connecting network. The client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system; the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, the operating system is responsible for allocation and management of the external devices, each TEE instance is connected with one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
Preferably, the external devices include a storage medium and a network medium.
Compared with the prior art, the invention has the following beneficial effects:
1. Domain granularity replaces the original page granularity for rapid mapping of plug-in instances, so the startup latency of a TEE instance is effectively reduced; at the same time the mapping time is independent of the instance size, which gives good scalability;
2. A single plug-in instance can be mapped into a plurality of host instances, which reduces memory occupancy and improves memory utilization;
3. By adopting a shared address space, the mapped plug-in instance can directly call and access the functions and content of the original host instance, which reduces runtime overhead;
4. A strong isolation model is adopted among host instances, and the integrity of the plug-in instance is ensured by copy-on-write, so that mapping a plug-in instance into a plurality of host instances remains secure.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a TEE instance mapping flow diagram in an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a hardware device according to an embodiment of the invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit it in any way. It should be noted that various changes and modifications that would be obvious to those skilled in the art can be made without departing from the spirit of the invention; all such changes fall within its scope.
A method for starting and verifying a TEE security application instance. The method first divides the existing TEE instance into two kinds. The first keeps the characteristics of the original TEE instance: the contents of all its encrypted memory pages are not allowed to be shared, and the instance hash generated for it stays unchanged throughout its life cycle; we call this the host instance. The other is the plug-in instance proposed by the invention, which still inherits the characteristics of the existing TEE instance: its instance hash is not allowed to be updated after initialization is completed and its content is not allowed to be modified, but the plug-in instance is allowed to be added into a host instance by using the hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, thereby avoiding lengthy startup times. Starting and verification comprise the following steps:
Step S1: starting the plug-in instance, where the hardware is responsible for computing the hash of the plug-in instance image, and modification of the plug-in instance is forbidden after loading is finished. The hash of the plug-in instance is obtained from the TEE instance standard verification process.
Step S2: starting a host instance, where the hardware is responsible for computing the hash of the instance image, and modification of the host instance is forbidden after loading is finished. The hash of the host instance is obtained from the TEE instance standard verification process.
Step S3: the host instance actively verifies the hash of the plug-in instance and, if the expected requirement is met, adds the plug-in instance into the host instance's address space at the granularity of a domain through hardware mapping semantics. The mapped plug-in instances and host instances share the same address space, the mapping is linear and sequential, and the address ranges covered by the plug-in instances do not overlap.
Step S4: the host instance directly calls functions of the plug-in instance; the call from the host instance into the plug-in instance is a normal function call with an overhead of no more than 10 processor clock cycles.
Step S5: the host instance performs a write operation on the plug-in instance, which triggers a page fault in the operating system, and the corresponding page of the host instance is replaced with a private page. This step requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
Step S6: the host instance removes the plug-in instance; if successful, step S3 can be performed to map in a new plug-in instance. In this step, the unmapping and the mapping operation of step S3 allow swapping.
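Steps S1 to S6 above (the same six steps listed in the disclosure section earlier), as an added Python model that is not code from the patent: `PluginInstance`, `HostInstance`, the domain-granular `map_plugin`, the copy-on-write path in `write`, the plain function call in `call` and `unmap_plugin` are names and structures assumed for this example; the hash is a plain SHA-256 over the whole image as a stand-in for the value the TEE's standard verification process produces, and the sample images are constructed. The model shows what the text claims: one mapping operation per plug-in regardless of its page count, a write by one host that neither another host nor the plug-in itself sees, and an unmap followed by a fresh map.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

PAGE_SIZE = 4096


def image_hash(image: bytes) -> str:
    """Stand-in for the hash the TEE's standard verification process produces."""
    return hashlib.sha256(image).hexdigest()


class PluginInstance:
    """Plug-in instance (S1): measured once; content and hash are frozen afterwards."""

    def __init__(self, name: str, image: bytes, exports: Dict[str, Callable[[bytes], int]]):
        self.name = name
        self.pages: List[bytes] = [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]
        self.hash = image_hash(image)
        self.exports = exports  # functions a host may call directly (S4)


class HostInstance:
    """Host instance (S2): private encrypted pages, hash fixed for its whole lifetime."""

    def __init__(self, name: str, image: bytes):
        self.name = name
        self.hash = image_hash(image)
        self.next_base = 0x1000_0000                    # next free address for a plug-in domain
        self.domains: Dict[str, Tuple[int, PluginInstance]] = {}
        self.private_pages: Dict[int, bytearray] = {}   # page address -> copy-on-write copy
        self.map_operations = 0                         # hardware mapping operations issued

    def map_plugin(self, plugin: PluginInstance, expected_hash: str) -> int:
        """S3: verify the plug-in hash, then map the whole domain in one operation.
        Domains are laid out linearly one after another, so they never overlap."""
        if plugin.hash != expected_hash:
            raise ValueError(f"{plugin.name}: hash mismatch, refusing to map")
        base = self.next_base
        self.domains[plugin.name] = (base, plugin)
        self.next_base += len(plugin.pages) * PAGE_SIZE
        self.map_operations += 1  # one operation however many pages the plug-in has
        return base

    def _locate(self, addr: int) -> Tuple[PluginInstance, int, int]:
        """Resolve a host address to (plug-in, page address, page index)."""
        for base, plugin in self.domains.values():
            index = (addr - base) // PAGE_SIZE
            if 0 <= index < len(plugin.pages):
                return plugin, base + index * PAGE_SIZE, index
        raise ValueError(f"address {addr:#x} is not mapped")

    def read(self, addr: int, length: int) -> bytes:
        plugin, page_addr, index = self._locate(addr)
        page = self.private_pages.get(page_addr, plugin.pages[index])
        offset = addr - page_addr
        return bytes(page[offset:offset + length])

    def write(self, addr: int, data: bytes) -> None:
        """S5: a write never reaches the shared plug-in page; the page-fault path gives
        this host a private copy of the page and the write lands there."""
        plugin, page_addr, index = self._locate(addr)
        if page_addr not in self.private_pages:
            self.private_pages[page_addr] = bytearray(plugin.pages[index])  # copy-on-write
        offset = addr - page_addr
        self.private_pages[page_addr][offset:offset + len(data)] = data

    def call(self, plugin_name: str, function: str, arg: bytes) -> int:
        """S4: an ordinary function call into the mapped plug-in, no context switch."""
        _, plugin = self.domains[plugin_name]
        return plugin.exports[function](arg)

    def unmap_plugin(self, plugin_name: str) -> None:
        """S6: drop the mapping and this host's private copies; the plug-in is untouched."""
        base, plugin = self.domains.pop(plugin_name)
        end = base + len(plugin.pages) * PAGE_SIZE
        for page_addr in [a for a in self.private_pages if base <= a < end]:
            del self.private_pages[page_addr]


def run_lifecycle() -> dict:
    """Constructed scenario: two hosts share one plug-in; a write by host A is invisible
    to host B and to the plug-in; A then unmaps and maps the plug-in again (S6 -> S3)."""
    plugin_image = b"plugin-v1 ".ljust(3 * PAGE_SIZE, b"\0")  # three-page image
    plugin = PluginInstance("crypto", plugin_image, {"checksum": lambda b: sum(b) % 256})
    host_a, host_b = HostInstance("A", b"host-a-image"), HostInstance("B", b"host-b-image")
    base_a = host_a.map_plugin(plugin, plugin.hash)
    base_b = host_b.map_plugin(plugin, plugin.hash)
    rejected = False
    try:  # a plug-in whose hash is not the expected one is never mapped
        host_a.map_plugin(PluginInstance("other", b"different image", {}), plugin.hash)
    except ValueError:
        rejected = True
    host_a.write(base_a, b"PATCHED!")
    result = {
        "map_ops_host_a": host_a.map_operations,
        "rejected_wrong_hash": rejected,
        "host_a_sees": host_a.read(base_a, 8),
        "host_b_sees": host_b.read(base_b, 8),
        "plugin_page_intact": plugin.pages[0][:8],
        "call_result": host_a.call("crypto", "checksum", b"\x01\x02\x03"),
    }
    host_a.unmap_plugin("crypto")
    result["private_pages_after_unmap"] = len(host_a.private_pages)
    result["remapped_base"] = host_a.map_plugin(plugin, plugin.hash)
    return result
```

`run_lifecycle()` returns the observed facts. Note that `next_base` only grows, so domains stay linear and non-overlapping even after an unmap; a real implementation would also have the processor security instructions of step S5 confirm that the page table actually points the written address at the private copy, which this model takes on trust.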
As shown in FIG. 1, the specific startup process of a TEE instance in the invention achieves the rapid start of a TEE host instance. The following control steps are described in detail with reference to FIG. 1, taking the life cycles of a plug-in instance and a host instance as the example:
in step 401, the hardware executes the "create" instruction, and the state of the TEE instance changes from "absent" to "in initialization"; at this point the first page of the TEE instance exists in memory, and step 402 is executed next;
in step 402, the hardware executes a "load image" instruction, copying image data or code from normal memory into encrypted memory at the granularity of a page, and then step 403 is executed;
in step 403, the hardware executes the "compute hash" instruction and, if successful, step 402 is executed to load the next page into the TEE instance;
in step 403, it is determined whether image loading is complete; if so, go to step 404, otherwise go to step 402;
in step 404, the hardware executes a "complete" instruction, and outside parties can judge the trustworthiness of the current TEE instance through the final hash generated by the hardware;
in step 405, if the current instance is to be deleted, the hardware executes a "destroy" instruction, destroys the contents of the encrypted memory page by page, and finally completes the deletion of the whole instance;
in step 406, a host instance that has already been initialized can map in a plug-in instance that has also been initialized, executing the "map" instruction by means of the hardware;
in step 407, if a plug-in instance is no longer needed, the hardware executes an "unmap" instruction, which removes the plug-in from the current address space.
A plug-in instance mapped in by "map" in step 406 can only be removed by "unmap" in step 407; it cannot be removed by "destroy" in step 405.
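The instruction sequence of steps 401 to 407, as an added state-machine model that is not code from the patent: the instruction names come from the text, while the state set, the `TeeHardware` class, the check that a plug-in still mapped by a host cannot be destroyed (my reading of the sentence that a mapped plug-in leaves only via "unmap"), and the sample pages are assumptions of this example. Hashing is reduced to a one-line fold of each page into the register, because the point here is which instruction is legal in which state.

```python
import hashlib
from enum import Enum
from typing import List


class State(Enum):
    ABSENT = "absent"
    INITIALIZING = "in initialization"
    COMPLETE = "complete"


class TeeInstance:
    def __init__(self, name: str):
        self.name = name
        self.state = State.ABSENT
        self.pages: List[bytes] = []   # encrypted memory, modelled as plain bytes
        self.register = b""            # hardware measurement register
        self.mapped_by: set = set()    # hosts currently mapping this instance


class TeeHardware:
    """The seven instructions of steps 401-407 as a state machine (this example's
    reading of the figure description; the checks are the model's, not a real TEE's)."""

    @staticmethod
    def _require(inst: TeeInstance, state: State) -> None:
        if inst.state is not state:
            raise PermissionError(f"{inst.name}: not allowed in state '{inst.state.value}'")

    def create(self, inst: TeeInstance) -> None:                    # 401
        self._require(inst, State.ABSENT)
        inst.state = State.INITIALIZING
        inst.register = hashlib.sha256(b"create").digest()

    def load_page(self, inst: TeeInstance, page: bytes) -> None:    # 402
        self._require(inst, State.INITIALIZING)
        inst.pages.append(page)

    def compute_hash(self, inst: TeeInstance) -> None:              # 403
        self._require(inst, State.INITIALIZING)
        inst.register = hashlib.sha256(inst.register + inst.pages[-1]).digest()

    def complete(self, inst: TeeInstance) -> str:                   # 404
        self._require(inst, State.INITIALIZING)
        inst.state = State.COMPLETE
        return inst.register.hex()   # the value outside parties use to judge the instance

    def destroy(self, inst: TeeInstance) -> None:                   # 405
        if inst.state is State.ABSENT:
            raise PermissionError(f"{inst.name}: nothing to destroy")
        if inst.mapped_by:  # a mapped plug-in leaves host address spaces only via unmap
            raise PermissionError(f"{inst.name}: still mapped by {sorted(inst.mapped_by)}")
        inst.pages.clear()
        inst.state = State.ABSENT

    def map(self, host: TeeInstance, plugin: TeeInstance) -> None:  # 406
        self._require(host, State.COMPLETE)
        self._require(plugin, State.COMPLETE)
        plugin.mapped_by.add(host.name)

    def unmap(self, host: TeeInstance, plugin: TeeInstance) -> None:  # 407
        if host.name not in plugin.mapped_by:
            raise PermissionError(f"{plugin.name} is not mapped by {host.name}")
        plugin.mapped_by.remove(host.name)


def boot(hw: TeeHardware, inst: TeeInstance, pages: List[bytes]) -> str:
    """Steps 401-404: create, then load and hash page by page until the image is done."""
    hw.create(inst)
    for page in pages:
        hw.load_page(inst, page)
        hw.compute_hash(inst)
    return hw.complete(inst)


def scenario() -> dict:
    """Constructed run: boot a plug-in and a host, map, attempt the forbidden destroy,
    then unmap and destroy."""
    hw = TeeHardware()
    plugin, host = TeeInstance("plugin"), TeeInstance("host")
    plugin_hash = boot(hw, plugin, [b"plugin page 0", b"plugin page 1"])
    host_hash = boot(hw, host, [b"host page 0"])
    late_load_rejected = False
    try:
        hw.load_page(plugin, b"extra page")   # content is frozen once complete
    except PermissionError:
        late_load_rejected = True
    hw.map(host, plugin)
    destroy_rejected = False
    try:
        hw.destroy(plugin)
    except PermissionError:
        destroy_rejected = True
    hw.unmap(host, plugin)
    hw.destroy(plugin)
    return {"plugin_hash": plugin_hash, "host_hash": host_hash,
            "hashes_differ": plugin_hash != host_hash,
            "late_load_rejected": late_load_rejected,
            "destroy_rejected_while_mapped": destroy_rejected,
            "plugin_state_at_end": plugin.state.value}
```

`scenario()` returns which transitions were refused; the two that matter for the text are the load after "complete" and the destroy while a host still maps the plug-in.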
As shown in FIG. 2, the invention allows a plurality of plug-in instances to be mapped into different host instances, and by means of the mapping function provided by hardware, the same plug-in can be shared quickly and safely among different hosts. Each host instance is a separate sandbox module and shares no content with the others. Once a host instance modifies the plug-in instance, only its own content is affected. TEE technologies include user process sandboxes and virtual machine sandboxes.
The invention adopts a client/server (C/S) model in which each client corresponds to one host instance, and the secure computation of private data is completed by means of the strong isolation the host instances provide. In the remote attestation phase, the hash of the host instance is verified by the user, while the hash check of the plug-in instance is done by the host instance, which removes the need for the user to establish multiple remote channels. Since the host instance maps only trusted plug-in instances, the accuracy and confidentiality of the whole computation are ensured.
It is well within the knowledge of a person skilled in the art that, besides implementing the system and its various devices, modules and units provided by the invention purely as computer-readable program code, the same functionality can be implemented by logically programming the method steps in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and its various devices, modules and units can be regarded as hardware components, and the devices, modules and units within it that implement the various functions can also be regarded as structures within the hardware component; means, modules and units for realizing the various functions can be regarded both as software modules implementing the method and as structures within the hardware component.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (9)

1. A starting method suitable for a TEE security application instance, characterized in that: an existing TEE instance is divided into a host instance and a plug-in instance, wherein the contents of all encrypted memory pages of the host instance are not allowed to be shared and the instance hash generated for it stays unchanged throughout its life cycle, the hash and contents of the plug-in instance are not allowed to be updated after initialization is completed, but the plug-in instance is allowed to be added into the host instance by using a hardware mapping primitive; the host instance reuses the content and hash of the plug-in instance, and the starting and verification comprise the following steps:
step S1: starting the plug-in instance, where the hardware is responsible for computing the hash of the plug-in instance image, and modification of the content and hash of the plug-in instance is forbidden after loading is finished;
step S2: starting a host instance, where the hardware is responsible for computing the hash of the instance image, and modification of the host instance hash is forbidden after loading is finished;
step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected requirement, adds the plug-in instance into the address space of the host instance at the granularity of a domain through hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: the host instance performs a write operation on the plug-in instance, which triggers a page fault in the operating system, and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance removes the plug-in instance; if successful, step S3 is performed to map in a new plug-in instance.
2. The method of claim 1, wherein the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained from the TEE instance standard verification process.
3. The method of claim 1, wherein the plug-in instances and the host instances mapped in step S3 share the same address space, the mapping is linear and sequential, and the address ranges covered by the plug-in instances do not overlap.
4. The method of claim 1, wherein in step S4 the call from the host instance to the plug-in instance is a normal function call, and the call overhead does not exceed 10 processor clock cycles.
5. The method of claim 1, wherein step S5 requires the cooperation of processor security instructions to check whether the software has correctly configured the corresponding page table.
6. The method of claim 1, wherein the unmapping in step S6 and the mapping operation in step S3 allow swapping.
7. The method of claim 1, wherein the TEE technology includes a user process sandbox and a virtual machine sandbox.
8. An apparatus for implementing the starting method for a TEE security application instance of claim 1, comprising a client, a server and a connecting network; the client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system, wherein the virtual machine monitor is responsible for resource allocation and scheduling for the cloud service provider, the operating system is responsible for allocation and management of the external devices, each TEE instance is connected with one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
9. The starting apparatus for a TEE security application instance according to claim 8, wherein the external devices comprise a storage medium and a network medium.
CN202110680426.6A 2021-06-18 2021-06-18 Starting method and device suitable for TEE security application example Active CN113239347B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110680426.6A CN113239347B (en) 2021-06-18 2021-06-18 Starting method and device suitable for TEE security application example

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110680426.6A CN113239347B (en) 2021-06-18 2021-06-18 Starting method and device suitable for TEE security application example

Publications (2)

Publication Number Publication Date
CN113239347A CN113239347A (en) 2021-08-10
CN113239347B true CN113239347B (en) 2022-06-28

Family

ID=77140360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110680426.6A Active CN113239347B (en) 2021-06-18 2021-06-18 Starting method and device suitable for TEE security application example

Country Status (1)

Country Link
CN (1) CN113239347B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107835185A (en) * 2017-11-21 2018-03-23 Guangzhou University A mobile terminal security service method and device based on ARM TrustZone

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104392188B (en) * 2014-11-06 2017-10-27 Samsung Electronics (China) R&D Center A secure data storage method and system
CN107608757B (en) * 2017-08-29 2021-01-08 Huawei Technologies Co., Ltd. Container-based isolation processing method and related device
CN112817780B (en) * 2021-02-01 2022-03-11 Shanghai Jiao Tong University Method and system for realizing secure and high-performance inter-process communication

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107835185A (en) * 2017-11-21 2018-03-23 Guangzhou University A mobile terminal security service method and device based on ARM TrustZone

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Colony: A Privileged Trusted Execution Environment With Extensibility; Yubin Xia; IEEE; 2021-01-29; full text *

Also Published As

Publication number Publication date
CN113239347A (en) 2021-08-10

Similar Documents

Publication Publication Date Title
US11023589B2 (en) Secure booting of virtualization managers
US11068277B2 (en) Memory allocation techniques at partially-offloaded virtualization managers
Brandenburger et al. Rollback and forking detection for trusted execution environments using lightweight collective memory
CN111651778B (en) Physical memory isolation method based on RISC-V instruction architecture
US8397245B2 (en) Managing loading and unloading of shared kernel extensions in isolated virtual space
EP3479225B1 (en) Performance variability reduction using an opportunistic hypervisor
US8527989B2 (en) Tracking loading and unloading of kernel extensions in isolated virtual space
US10769272B2 (en) Technology to protect virtual machines from malicious virtual machine managers
CN112817780B (en) Method and system for realizing safety and high-performance interprocess communication
CN113239329B (en) System for realizing trusted execution environment of mobile terminal application program
CN112182560B (en) Efficient isolation method, system and medium for Intel SGX interior
US20120011502A1 (en) Managing unique electronic identification for kernel extensions in isolated virtual space
CN115344871A (en) Confidential computing environment construction method and system based on ARM architecture
CN113239347B (en) Starting method and device suitable for TEE security application example
WO2023196074A2 (en) Hosting dpu management operating system using dpu software stack
US10552168B2 (en) Dynamic microsystem reconfiguration with collaborative verification
WO2016184180A1 (en) Method and apparatus for safe startup of system
EP4191456A1 (en) Performance monitoring unit of a processor deterring tampering of counter configuration and enabling verifiable data sampling
Hansen Virtual machine mobility with self-migration
CN117473530A (en) Lightweight trusted measurement system and method based on trusted execution environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant