CN113239347B - Starting method and device suitable for TEE security application example - Google Patents
- Publication number: CN113239347B (application CN202110680426.6A)
- Authority: CN (China)
- Prior art keywords: instance, plug-in, host, hash, TEE
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides a starting method and a starting device suitable for a TEE security application instance. The method divides the existing TEE instance into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance may not be shared, and the instance hash generated for it remains unchanged throughout its life cycle; the hash and contents of the plug-in instance may not be updated after initialization is complete, but the plug-in instance may be added into the host instance using a hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, avoiding a lengthy start-up. Compared with the prior art, the method has low start-up latency, low memory occupancy and low run-time overhead, while retaining good secure-sharing properties.
Description
Technical Field
The invention relates to the start-up process of a trusted execution environment, in particular to a starting method and a starting device suitable for a TEE security application instance.
Background
Among hardware security technologies built around a trusted chip, trusted execution environment (TEE) technology is one of the most important. A trusted execution environment is a security sandbox isolation technology provided by hardware (usually the processor): it isolates the user's code and data from the external environment and guarantees the integrity of the execution process and the confidentiality of the computed data. In recent years, with the rapid growth of data security and privacy-preserving computing demands, trusted execution environment technology has been applied in fields such as cloud computing security and edge computing security.
From the perspective of the protected object, trusted execution technologies roughly divide into the user-process level and the virtual-machine level. In either case, the trusted execution environment must check the hash and signature of the loaded image when an instance is started; only a trusted image can start successfully and receive the user's private data to complete the computation. Because the security of the technology is realized in hardware, the hash computation and the signature verification have to be carried out by dedicated hardware instructions. The trusted execution environment provides a dedicated hardware register that stores the updated hash value after each memory page of the image is measured; once the hash measurement of the last page has completed, the hardware first checks whether the signature over the expected hash value carried in the image is trusted, and if so, compares that expected hash value with the value it measured.
Currently, trusted execution environment boot methods fall into two types. The first is a pure hardware solution: hash values are fixed at the image compilation stage, and at start-up the hash computation is handed entirely to hardware. Its advantage is that the hash is computed wholly by hardware, so only the hardware needs to be trusted during remote verification. Its disadvantages are that computing the hash in hardware is expensive, the hardware instructions can only update the hash at the granularity of a single memory page at a time, and the hash algorithm can only execute serially, since any out-of-order acceleration would cause the hash verification to fail.
The second is a combined software and hardware solution: a program loader is defined first, the hardware is only responsible for producing the hardware hash of the loader, and the loader then boots the rest of the image and produces a software hash over it. The main benefits of this scheme are that the software hash can be computed over blocks of content, which allows some concurrency, and that the loader can dynamically load new code at run time and complete its check; the second benefit is especially prominent for high-level programming languages (e.g., Java, Python). Its disadvantage is that newly generated code segments require the memory page permissions to be changed, which still involves the hardware instruction set: the permission change for a code segment (from readable and writable to executable) must be applied by hardware page by page, and this page-by-page update gives instance start-up poor scalability. Thus both the hardware and the software solution face boot performance problems bounded by "page" granularity.
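The two boot styles contrasted above, as an added model that is not part of the patent: a page-serial measurement in which every step folds in the previous register value (so pages cannot be reordered or measured concurrently), beside a loader-style measurement that hashes fixed-size blocks on a thread pool and then folds the ordered block digests. SHA-256 stands in for the hardware hash register, an HMAC under a constructed vendor key stands in for the image signature, and the 16-byte page size and sample image are constructed.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

PAGE_SIZE = 16                            # constructed; real enclave pages are 4 KiB
VENDOR_KEY = b"constructed-vendor-key"    # stand-in for the image signer's key


def split_pages(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """Zero-pad the image to whole pages and split it, as a loader would."""
    image += b"\x00" * ((-len(image)) % page_size)
    return [image[i:i + page_size] for i in range(0, len(image), page_size)]


def hardware_measure(pages: list) -> str:
    """Pure-hardware style: one 'compute hash' step per page. Each step folds the
    previous register value in, so pages must be measured in order and the loop
    cannot be parallelised."""
    register = b"\x00" * 32
    for page in pages:
        register = hashlib.sha256(register + page).digest()
    return register.hex()


def software_measure(pages: list, block_pages: int = 4, workers: int = 4) -> str:
    """Hybrid style: the (hardware-measured) loader hashes fixed-size blocks
    independently, here on a thread pool, then folds the block digests in order.
    The result is bound to block position yet computable concurrently."""
    blocks = [b"".join(pages[i:i + block_pages]) for i in range(0, len(pages), block_pages)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        digests = list(pool.map(lambda blk: hashlib.sha256(blk).digest(), blocks))
    return hashlib.sha256(b"".join(digests)).hexdigest()


def sign_expected(expected_hash: str) -> str:
    """Build-time step: the image carries its expected hash plus a signature over it.
    HMAC with VENDOR_KEY stands in for the real asymmetric signature."""
    return hmac.new(VENDOR_KEY, expected_hash.encode(), hashlib.sha256).hexdigest()


def launch_check(pages: list, expected_hash: str, signature: str) -> str:
    """Order described in the background: trust the signature first, then compare
    the hardware-measured value with the signed expected value."""
    if not hmac.compare_digest(sign_expected(expected_hash), signature):
        return "untrusted-signature"
    if not hmac.compare_digest(hardware_measure(pages), expected_hash):
        return "hash-mismatch"
    return "launch-ok"


IMAGE = bytes(range(256)) * 2             # constructed 512-byte image -> 32 pages
PAGES = split_pages(IMAGE)
EXPECTED = hardware_measure(PAGES)        # what the build records in the image
SIGNATURE = sign_expected(EXPECTED)


def results() -> dict:
    reordered = PAGES[::-1]
    tampered = PAGES[:3] + [bytes([PAGES[3][0] ^ 1]) + PAGES[3][1:]] + PAGES[4:]
    return {
        "ok": launch_check(PAGES, EXPECTED, SIGNATURE),
        "tampered": launch_check(tampered, EXPECTED, SIGNATURE),
        "forged_sig": launch_check(PAGES, hardware_measure(tampered), SIGNATURE),
        "hw_order_sensitive": hardware_measure(reordered) != EXPECTED,
        "sw_parallel_stable": software_measure(PAGES, workers=1) == software_measure(PAGES, workers=8),
        "sw_order_sensitive": software_measure(reordered) != software_measure(PAGES),
    }


if __name__ == "__main__":
    for key, val in results().items():
        print(f"{key}: {val}")
```

The serial chain is what makes the pure-hardware path slow: the register after page n is an input to page n+1, so no two pages can be in flight at once. The block fold keeps the same order sensitivity (a reordered image still fails) while letting the per-block hashes run on as many workers as the loader has, which is the concurrency the background credits to the software path.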
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a starting method and a starting device suitable for a TEE security application instance.
In the starting method applicable to a TEE security application instance according to the invention, the existing TEE instance is divided into a host instance and a plug-in instance. The contents of all encrypted memory pages of the host instance may not be shared, and the instance hash generated for it remains unchanged throughout its life cycle; the hash and contents of the plug-in instance may not be updated after initialization is complete, but the plug-in instance may be added into the host instance using a hardware mapping primitive. The host instance reuses the content and hash of the plug-in instance, and start-up and verification comprise the following steps:
step S1: start the plug-in instance, with the hardware responsible for computing the hash of the plug-in instance image; once loading is finished, modification of the plug-in instance's content and hash is forbidden;
step S2: start the host instance, with the hardware responsible for computing the hash of the instance image; once loading is finished, modification of the host instance's hash is forbidden;
step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected value, adds the plug-in instance into its own address space at the granularity of a whole domain through the hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interruption") is triggered in the operating system, and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance removes the plug-in instance; if this succeeds, step S3 is performed to map in a new plug-in instance.
Preferably, the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained through the standard TEE instance verification process.
Preferably, the plug-in instances mapped in step S3 share the same address space as the host instance, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
Preferably, in step S4 the call from the host instance to the plug-in instance is an ordinary function call whose overhead does not exceed 10 processor clock cycles.
Preferably, step S5 requires the cooperation of processor security instructions to check that the software has correctly configured the corresponding page table.
Preferably, the unmapping in step S6 and the mapping in step S3 permit swapping, so that one plug-in instance can be unmapped and another mapped in its place.
Preferably, the TEE technology includes user-process sandboxes and virtual-machine sandboxes.
The invention also provides a starting device suitable for a TEE security application instance, comprising a client, a server and a connecting network. The client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system; the virtual machine monitor is responsible for the resource allocation and scheduling of the cloud service provider, the operating system is responsible for the allocation and management of the external devices, each TEE instance is attached to one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
Preferably, the external devices include a storage medium and a network medium.
Compared with the prior art, the invention has the following beneficial effects:
1. the plug-in instance is mapped rapidly at domain granularity instead of the original page granularity, which effectively reduces the start-up latency of the TEE instance; since the mapping time is independent of the instance size, the method also scales well;
2. a single plug-in instance can be mapped into multiple host instances, reducing the memory footprint and improving memory utilization;
3. because a single shared address space is used, the mapped plug-in instance can directly call and access the functions and content of the original host instance, reducing run-time overhead;
4. a strong isolation model is kept between host instances, and the integrity of the plug-in instance is guaranteed by copy-on-write, so that mapping one plug-in instance into multiple host instances remains secure.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a TEE instance mapping flow diagram in an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a hardware device according to an embodiment of the invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit it in any way. It should be noted that various changes and modifications, obvious to those skilled in the art, can be made without departing from the spirit of the invention; all such changes fall within the scope of the present invention.
The method for starting and verifying a TEE security application instance first divides the existing TEE instance into two kinds. The first keeps the characteristics of the original TEE instance: the contents of all its encrypted memory pages may not be shared, and its instance hash remains unchanged throughout its life cycle; we call this the host instance. The second is the plug-in instance proposed by the invention, which still inherits the characteristics of the existing TEE instance (its instance hash may not be updated after initialization is complete and its content may not be modified) but may additionally be added into a host instance using the hardware mapping primitive. The host instance reuses the contents and hash of the plug-in instance, thereby avoiding lengthy start-up times. Start-up and verification comprise the following steps:
Step S1: start the plug-in instance, with the hardware responsible for computing the hash of the plug-in instance image; once loading is finished, modification of the plug-in instance is forbidden. The hash of the plug-in instance is obtained through the standard TEE instance verification process.
Step S2: start the host instance, with the hardware responsible for computing the hash of the instance image; once loading is finished, modification of the host instance is forbidden. The hash of the host instance is obtained through the standard TEE instance verification process.
Step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected value, adds the plug-in instance into its own address space at the granularity of a whole domain through the hardware mapping semantics. The mapped plug-in instances share the same address space as the host instance, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
Step S4: the host instance directly calls functions of the plug-in instance; the call is an ordinary function call whose overhead does not exceed 10 processor clock cycles.
Step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interruption") is triggered in the operating system, and the corresponding page of the host instance is replaced with a private page. This step requires the cooperation of processor security instructions to check that the software has correctly configured the corresponding page table.
Step S6: the host instance removes the plug-in instance; if this succeeds, step S3 can be performed to map in a new plug-in instance. In this step, the unmapping and the mapping operation of step S3 permit swapping one plug-in instance for another.
As shown in FIG. 1, the specific start-up process of the TEE instance of the invention achieves rapid start-up of the TEE host instance. The following steps are described in detail with reference to FIG. 1, taking the life cycles of a plug-in instance and a host instance as an example:
in step 401, the hardware executes the "create" instruction, the state of the TEE instance changes from "absent" to "initializing", and at this point the first page of the TEE instance exists in memory; step 402 is then executed;
in step 402, the hardware executes the "load image" instruction, copying image data or code from normal memory into encrypted memory at "page" granularity, and then executes step 403;
in step 403, the hardware executes the "compute hash" instruction and, if successful, returns to step 402 to load the next page into the TEE instance;
in step 403 it is also determined whether image loading is complete; if so, go to step 404, otherwise go to step 402;
in step 404, the hardware executes the "complete" instruction, after which an external party can judge the trustworthiness of the current TEE instance through the final hash generated by the hardware;
in step 405, if the current instance is to be deleted, the hardware executes the "destroy" instruction, destroys the contents of the encrypted memory page by page, and finally completes deletion of the whole instance;
in step 406, a host instance that has completed initialization can map in a plug-in instance that has also completed initialization, by having the hardware execute the "map" instruction;
in step 407, if a plug-in instance is no longer needed, the hardware executes the "unmap" instruction, which removes the plug-in from the current address space.
A plug-in instance mapped in by "map" in step 406 can only be removed by "unmap" in step 407; it cannot be removed by "destroy" in step 405.
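The S1 to S6 procedure and the life cycle of steps 401 to 407, as an added simulation that is not the patent's own code: a plug-in instance is measured page by page and frozen, a host verifies its hash before mapping it in as one domain at a linear, non-overlapping base address, reads use the shared pages in place, the first write to a page faults and gives the host a private copy (the plug-in's page and its hash stay intact), and a mapped plug-in can be unmapped but not destroyed. All class and method names, the 16-byte page size and the sample images are constructed, and SHA-256 stands in for the hardware hash register.

```python
import hashlib
import hmac
from enum import Enum

PAGE_SIZE = 16  # constructed toy page size; real TEE pages are 4 KiB
State = Enum("State", "ABSENT INITIALIZING COMPLETE DESTROYED")

class Instance:                                  # a host or plug-in TEE instance (constructed model)
    def __init__(self, name, kind):              # kind is "host" or "plugin"
        self.name, self.kind, self.state = name, kind, State.ABSENT
        self.pages, self.register, self.hash = [], b"\x00" * 32, ""  # SHA-256 models the register
        self.mapped_by = set()                   # hosts currently mapping this plug-in

    def create(self):                            # step 401: absent -> initializing
        self.state = State.INITIALIZING

    def load_page(self, data):                   # steps 402 + 403 for one page
        assert self.state is State.INITIALIZING and len(data) == PAGE_SIZE
        self.pages.append(data)
        self.register = hashlib.sha256(self.register + data).digest()

    def complete(self):                          # step 404: the hash is now immutable
        self.state, self.hash = State.COMPLETE, self.register.hex()
        return self.hash

    def destroy(self):                           # step 405
        if self.mapped_by:
            raise PermissionError("a mapped plug-in leaves a host only via unmap")
        self.pages, self.state = [], State.DESTROYED   # pages scrubbed page by page

class Host(Instance):
    def __init__(self, name):
        super().__init__(name, "host")
        self.domains, self.next_base = {}, 0     # base address -> mapped plug-in

    def map_plugin(self, plugin, expected_hash): # S3 / step 406
        if plugin.kind != "plugin" or plugin.state is not State.COMPLETE:
            raise PermissionError("only initialized plug-ins may be shared")
        if not hmac.compare_digest(plugin.hash, expected_hash):
            raise ValueError(f"{plugin.name}: hash does not match the expected value")
        # Host image sits at [0, len(pages)*PAGE_SIZE); plug-ins follow in linear,
        # non-overlapping order (claim 3), one operation per domain whatever its size.
        base = self.next_base or len(self.pages) * PAGE_SIZE
        self.next_base = base + len(plugin.pages) * PAGE_SIZE
        self.domains[base] = {"plugin": plugin, "private": {}, "faults": 0}
        plugin.mapped_by.add(self.name)
        return base

    def _locate(self, addr):
        for base, dom in self.domains.items():
            if base <= addr < base + len(dom["plugin"].pages) * PAGE_SIZE:
                return (dom,) + divmod(addr - base, PAGE_SIZE)
        raise KeyError(f"address {addr:#x} is not mapped")

    def read(self, addr):                        # S4: plug-in content used in place
        dom, idx, off = self._locate(addr)
        return dom["private"].get(idx, dom["plugin"].pages[idx])[off]

    def write(self, addr, value):                # S5: copy-on-write
        dom, idx, off = self._locate(addr)
        if idx not in dom["private"]:            # read-only shared page: page fault; the OS
            dom["faults"] += 1                   # supplies a private copy and the security
            dom["private"][idx] = bytearray(dom["plugin"].pages[idx])  # instruction checks the PTE
        dom["private"][idx][off] = value         # the plug-in's own page stays intact

    def unmap(self, base):                       # S6 / step 407
        self.domains.pop(base)["plugin"].mapped_by.discard(self.name)

def boot(inst, image):                           # S1 / S2: create, load page by page, freeze
    inst.create()
    for i in range(0, len(image), PAGE_SIZE):
        inst.load_page(image[i:i + PAGE_SIZE].ljust(PAGE_SIZE, b"\x00"))
    inst.complete()
    return inst

def refused(action):                             # True when hardware/software rejects the action
    try:
        action()
    except (PermissionError, ValueError):
        return True
    return False

def demo():
    plugin_a = boot(Instance("plugin-A", "plugin"), bytes(range(64)))  # 4 constructed pages
    plugin_b = boot(Instance("plugin-B", "plugin"), bytes(range(32)))  # 2 constructed pages
    expected = plugin_a.hash                     # in practice from the plug-in's signed manifest
    host1, host2 = boot(Host("host-1"), bytes(32)), boot(Host("host-2"), bytes(32))
    a1 = host1.map_plugin(plugin_a, expected)    # plugin-A is shared by both hosts
    b1 = host1.map_plugin(plugin_b, plugin_b.hash)
    a2 = host2.map_plugin(plugin_a, expected)
    host1.write(a1 + 5, 0xFF)                    # first write to the page: one fault
    host1.write(a1 + 6, 0xEE)                    # same page again: no further fault
    out = {"host1_sees": host1.read(a1 + 5), "host2_sees": host2.read(a2 + 5),
           "plugin_byte": plugin_a.pages[0][5], "faults": host1.domains[a1]["faults"],
           "bases": (a1, b1), "destroy_while_mapped_refused": refused(plugin_a.destroy),
           "bad_hash_map_refused": refused(lambda: host2.map_plugin(plugin_b, "00" * 32))}
    host1.unmap(a1), host2.unmap(a2)
    plugin_a.destroy()                           # allowed once no host maps it
    out["plugin_state"] = plugin_a.state.name
    return out
```

Running `demo()` shows the properties the description claims: host-1's write is visible only to host-1, host-2 and the plug-in itself still see the original byte, one page fault covers all later writes to that page, the two plug-ins occupy consecutive non-overlapping ranges after the host image, and the plug-in can be destroyed only after every host has unmapped it. The host's check of the plug-in hash before mapping is also the step that lets a user attest the host alone, as the C/S discussion below describes.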
As shown in FIG. 2, the invention allows multiple plug-in instances to be mapped into different host instances; by means of the mapping function provided by the hardware, the same plug-in can be shared quickly and securely among different hosts. Each host instance is a separate sandbox and shares no content with the others. Once a host instance modifies the plug-in instance, the modification affects only its own content. The TEE technologies include user-process sandboxes and virtual-machine sandboxes.
The invention adopts a client/server (C/S) model: each client corresponds to one host instance, and secure computation over private data is completed by means of the strong isolation the host instance provides. In the remote attestation phase, the hash of the host instance is verified by the user, while the hash check of the plug-in instance is done by the host instance, which spares the user from establishing multiple remote channels. Because the host instance maps only trusted plug-in instances, the correctness and confidentiality of the whole computation are ensured.
Those skilled in the art know that, besides implementing the system and its devices, modules and units provided by the invention purely as computer-readable program code, the same functionality can be achieved by logically programming the method steps in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. The system and its devices, modules and units can therefore be regarded as hardware components, and the devices, modules and units within it for realizing the various functions can be regarded as structures within the hardware component; they can also be regarded as both software modules for performing the method and structures within the hardware component.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.
Claims (9)
1. A starting method suitable for a TEE security application instance, characterized in that: an existing TEE instance is divided into a host instance and a plug-in instance, wherein the contents of all encrypted memory pages of the host instance are not allowed to be shared and the instance hash generated for it is kept unchanged throughout its life cycle, the hash and contents of the plug-in instance are not allowed to be updated after initialization is complete, but the plug-in instance is allowed to be added into the host instance using a hardware mapping primitive; the host instance reuses the content and hash of the plug-in instance, and start-up and verification comprise the following steps:
step S1: start the plug-in instance, with the hardware responsible for computing the hash of the plug-in instance image; once loading is finished, modification of the plug-in instance's content and hash is forbidden;
step S2: start the host instance, with the hardware responsible for computing the hash of the instance image; once loading is finished, modification of the host instance's hash is forbidden;
step S3: the host instance actively verifies the hash of the plug-in instance and, if it meets the expected value, adds the plug-in instance into its own address space at the granularity of a whole domain through the hardware mapping semantics;
step S4: the host instance directly calls functions of the plug-in instance;
step S5: when the host instance performs a write operation on the plug-in instance, a page fault ("missing page interruption") is triggered in the operating system, and the corresponding page of the host instance is replaced with a private page;
step S6: the host instance removes the plug-in instance; if this succeeds, step S3 is performed to map in a new plug-in instance.
2. The method of claim 1, wherein the hash of the plug-in instance in step S1 and the hash of the host instance in step S2 are both obtained through the standard TEE instance verification process.
3. The method of claim 1, wherein the plug-in instances mapped in step S3 share the same address space as the host instance, the mapping is a linear sequential mapping, and the address ranges covered by the plug-in instances do not overlap one another.
4. The method of claim 1, wherein in step S4 the call from the host instance to the plug-in instance is an ordinary function call whose overhead does not exceed 10 processor clock cycles.
5. The method of claim 1, wherein step S5 requires the cooperation of processor security instructions to check that the software has correctly configured the corresponding page table.
6. The method of claim 1, wherein the unmapping in step S6 and the mapping operation in step S3 permit swapping one plug-in instance for another.
7. The method of claim 1, wherein the TEE technology includes user-process sandboxes and virtual-machine sandboxes.
8. An apparatus for implementing the starting method for a TEE security application instance of claim 1, comprising a client, a server and a connecting network, wherein the client comprises a security chip, a plurality of external devices, a virtual machine monitor and an operating system; the virtual machine monitor is responsible for the resource allocation and scheduling of the cloud service provider, the operating system is responsible for the allocation and management of the external devices, each TEE instance is attached to one client, and the clients and the server are connected through a wide area network in a client/server arrangement.
9. The starting apparatus suitable for a TEE security application instance according to claim 8, wherein the external devices comprise a storage medium and a network medium.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110680426.6A CN113239347B (en) | 2021-06-18 | 2021-06-18 | Starting method and device suitable for TEE security application example |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113239347A CN113239347A (en) | 2021-08-10 |
CN113239347B true CN113239347B (en) | 2022-06-28 |
Family
ID=77140360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110680426.6A Active CN113239347B (en) | 2021-06-18 | 2021-06-18 | Starting method and device suitable for TEE security application example |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113239347B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107835185A (en) * | 2017-11-21 | 2018-03-23 | 广州大学 | A mobile terminal security service method and device based on ARM TrustZone |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104392188B (en) * | 2014-11-06 | 2017-10-27 | 三星电子(中国)研发中心 | A secure data storage method and system |
CN107608757B (en) * | 2017-08-29 | 2021-01-08 | 华为技术有限公司 | Container-based isolation processing method and related equipment |
CN112817780B (en) * | 2021-02-01 | 2022-03-11 | 上海交通大学 | Method and system for realizing safety and high-performance interprocess communication |
Timeline
- 2021-06-18: application CN202110680426.6A filed in CN; granted as CN113239347B (active)
Non-Patent Citations (1)
Title |
---|
Colony: A Privileged Trusted Execution Environment With Extensibility; Yubin Xia; IEEE; 2021-01-29; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |