CN113448682B - Virtual machine monitor loading method and device and electronic equipment - Google Patents

Info

Publication number: CN113448682B
Application number: CN202010231214.5A
Authority: CN (China)
Prior art keywords: virtual machine, machine monitor, operating system, dynamic, host
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113448682A
Inventors: 刘双, 闫守孟, 翟征德, 秦凯伦, 龙勤
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd

Events: application filed by Alipay Hangzhou Information Technology Co Ltd; priority to CN202010231214.5A; publication of CN113448682A; application granted; publication of CN113448682B; current legal status active.

Abstract

The embodiments of this specification disclose a virtual machine monitor loading method, a device and an electronic device. An operating system, a dynamic trusted module, a virtual machine and a virtual machine monitor for managing the virtual machine are configured on a host machine, and the method comprises the following steps: invoking the dynamic trusted module based on the operating system of the host; determining an integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module and extending the integrity measurement value into a PCR register of a TPM; loading the virtual machine monitor based on the integrity measurement value; and degrading the operating system into a client mode based on the virtual machine monitor, so that the virtual machine monitor is loaded securely.

Description

Virtual machine monitor loading method and device and electronic equipment
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and an apparatus for loading a virtual machine monitor, and an electronic device.
Background
Currently, one or more virtual machines are typically created on a physical machine (or host machine) to achieve reasonable utilization of physical machine resources. A virtual machine, as used herein, refers to a complete physical machine system, emulated by software, having complete hardware system functionality, that operates in a completely isolated environment that can be used to run specific business applications (e.g., confidential applications).
In addition, operations such as creation, destruction, starting, restarting, closing, viewing, modification, suspension and the like can be performed on the virtual machine established on the host machine through the virtual machine monitor. However, if the virtual machine monitor is under security attack (e.g., is held illegally), secure operation of the virtual machine may also be affected.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a method, an apparatus and an electronic device for loading a virtual machine monitor, which are used to at least solve the problem in the prior art that the security of service application and service sensitive data cannot be guaranteed due to security attack on the virtual machine monitor.
The embodiment of the specification adopts the following technical scheme:
The embodiment of the specification provides a virtual machine monitor loading method, wherein an operating system, a dynamic trusted module, a virtual machine and a virtual machine monitor for managing the virtual machine are configured on a host machine, and the virtual machine monitor loading method comprises the following steps: invoking the dynamic trusted module based on the operating system of the host; determining an integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module, and expanding the integrity measurement value in a PCR register of a TPM; loading the virtual machine monitor based on the integrity metric value; and degrading the operating system into a client mode based on the virtual machine monitor.
The embodiment of the specification provides a virtual machine monitor loading device, which is configured with an operating system, a dynamic trusted module, a virtual machine and a virtual machine monitor for managing the virtual machine on a host, wherein the virtual machine monitor loading device comprises: a dynamic trusted root calling unit for calling the dynamic trusted module based on the operating system of the host; the dynamic trusted root execution unit is used for determining an integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module and expanding the integrity measurement value in a PCR register of the TPM; the virtual machine monitor loading unit is used for loading the virtual machine monitor based on the integrity measurement value; and a system mode degrading unit for degrading the operating system into a client mode based on the virtual machine monitor.
The embodiment of the specification also provides an electronic device, including: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform a method as described above.
At least one of the technical solutions adopted in the embodiments of this specification can achieve the following beneficial effects:
After the operating system is started, the virtual machine monitor is loaded, so that the virtual machine monitor does not need to process various hardware initialization operations, and lower deployment and maintenance cost can be realized. In addition, the dynamic trusted module is adopted to verify whether the virtual machine monitor is trusted, so that the virtual machine monitor can be loaded in an untrusted operating system environment in a trusted mode. In addition, after the virtual machine monitor is loaded, the operating system is degraded into a client mode, so that the operating authority of the operating system is reduced, and the security of the virtual machine monitor can be effectively protected.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification, illustrate and explain the exemplary embodiments of the present specification and their description, are not intended to limit the specification unduly. In the drawings:
FIG. 1 illustrates a system architecture diagram of an example of a virtual machine monitor loading method suitable for application of embodiments of the present description;
FIG. 2 illustrates a flowchart of an example of a virtual machine monitor loading method according to an embodiment of the present disclosure;
FIG. 3 illustrates a signal interaction diagram of an example of a virtual machine service process according to an embodiment of the present disclosure;
FIG. 4 illustrates a flowchart of one example of a process of determining an integrity metric value in accordance with an embodiment of the present description;
FIG. 5 illustrates a flowchart of one example of determining an integrity metric value for a virtual machine monitor in accordance with an embodiment of the present disclosure;
FIG. 6 illustrates a signal interaction diagram of an example of a virtual machine monitor loading method according to an embodiment of the present disclosure; and
FIG. 7 shows a block diagram of an example of a virtual machine monitor loading device according to an embodiment of the present disclosure.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present specification more apparent, the technical solutions of the present specification will be clearly and completely described below with reference to the specific embodiments of the present specification and the corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present specification. All other embodiments, which can be made by one skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the implementations herein.
As used herein, the term "comprising" and variations thereof are open-ended terms, meaning "including, but not limited to". The term "based on" means "based at least in part on". The terms "one embodiment" and "an embodiment" mean "at least one embodiment". The term "another embodiment" means "at least one other embodiment". The terms "first", "second" and the like may refer to different or the same objects. Other definitions, whether explicit or implicit, may be included below. Unless the context clearly indicates otherwise, the definition of a term is consistent throughout this specification.
In this document, the term "virtual machine monitor" (Virtual Machine Monitor, VMM), also known as a hypervisor, may refer to a software system running on a physical host machine to create and manage virtual machines and to manage virtual environment operations.
It should be noted that virtualization is a basic supporting technology of cloud computing, and the virtual machine monitor is a core functional component of the virtualization architecture. In one type of virtual machine monitor, the monitor runs directly on the host's hardware to control the hardware and manage the virtual machines; Xen is a typical representative. Such virtual machine monitors have the advantage of high operating efficiency, but are costly to deploy and maintain because they must be responsible for a large amount of hardware initialization and management work. In another type, the virtual machine monitor runs within a traditional operating system environment, does not depend directly on hardware characteristics and adapts well to different hardware, but generally has lower operating efficiency.
The term "trusted execution environment" (Trusted Execution Environment, TEE) may denote an environment protected by hardware mechanisms. The term "trusted computing base" (Trusted Computing Base, TCB) refers to the collection of all security protection mechanisms, in hardware, firmware and software, that together achieve the security protection of a computer system. Once a program error or security hazard occurs in any component of the trusted computing base, the security of the entire system is compromised.
The term "TPM" (Trusted Platform Module) may refer to a chip built into a computer to provide a root of trust for the computer. The term "PCR" (Platform Configuration Register) denotes a register used to record the running state of a system; it is a core device inside the TPM, and the TPM restricts the operations permitted on a PCR in order to prevent PCR values from being arbitrarily tampered with or forged by malicious code.
Furthermore, the term "dynamic trusted module" (or dynamic trusted root; DRTM, Dynamic Root of Trust for Measurement) may denote a functional module that provides dynamic trusted launch on a CPU. The dynamic trusted root is a dynamic trusted boot technique standardized by the international TCG (Trusted Computing Group). It allows a running system, which may be in an unsafe state, to complete the measurement of the TCB chain: by partially resetting the computer's resources, the system is brought into an initial safe state through the dynamic chain, and trusted booting and measurement of other components is then achieved. The term "integrity measurement value" may refer to a value determined by a root of trust when measuring a component, used to ensure that the integrity of the code corresponding to the component has not been compromised.
The term "static root of trust" (SRTM, static Root of Trust for Measurements) may refer to a trusted module that starts up at the boot-up stage of the operating system and establishes a static chain of trust based on the Core Root of Trust (CRTM).
In addition, the term "boot processor" (Boot Strap Processor, BSP) and the term "application processor" (Application processor, AP) may refer to two classes of processors defined by the MP (Multiple processors, multiprocessor) system initialization protocol, respectively, and upon power-up or reset of the MP system, the system hardware may dynamically select one of the processors on the system bus as the boot processor, while the remaining processors are designated as application processors.
In the related art, there are some TPM-based trusted boot schemes, for example the static trusted root boot scheme, for implementing trusted loading of a virtual machine monitor. Specifically, the BIOS (Basic Input Output System) measures the integrity of the boot loader when loading it and extends the measurement value into a PCR. The boot loader, when loading the operating system (OS), measures the integrity of the OS and extends that measurement into a PCR. When the OS needs to load the virtual machine monitor, the OS first measures the integrity of the virtual machine monitor and extends the measurement value into a PCR register of the TPM, then loads the virtual machine monitor and hands over control. This leaves an integrity measurement of the platform boot chain in the PCR registers of the TPM, recording the integrity of each platform component on the boot chain at the time it was loaded.
Further, when a remote server or software needs to request a service (e.g., a secure computing application or user-sensitive data) from a virtual machine, the remote server or software may obtain from the virtual machine an integrity report (Quote) signed with the AK private key of the TPM, and anyone who knows the AK public key may verify the Quote. The Quote typically contains a set of TPM register values and a challenge number (challenge) from the remote verifier, so it can be used to remotely verify the integrity of the boot process of the virtual machine monitor.
However, the above-described prior art solutions have at least the following drawbacks:
On the one hand, the integrity measurement of the boot process of the virtual machine monitor has a window for security attacks. Because the OS and the virtual machine monitor are loaded at different times (e.g., the virtual machine monitor is loaded after the operating system), the trusted boot technique can only measure the integrity of the OS itself at the moment it is loaded, and cannot provide integrity information about the OS at the moment the virtual machine monitor is loaded. Thus, after the OS has been loaded and before the virtual machine monitor is loaded, the OS may come under an attacker's control because of a vulnerability; the compromised OS may then start a malicious or vulnerable virtual machine monitor while extending the measurement value of the intact, good-state virtual machine monitor into the PCR of the TPM, thereby spoofing the verifier (e.g., a remote server or software) and leading to data theft from the user's secure computing application. In short, the static trusted root can ensure the trustworthiness of the operating system at the boot stage, but the probability of the OS being hacked or hijacked grows the longer it runs, and once the chain of trust is broken it can only be recovered by rebooting.
On the other hand, TCBs in TPM-based trusted boot technologies are too large. Specifically, TPM-based trusted boot techniques require that a bulky OS be also contained in the TCB. Since the security of a virtual machine is directly dependent on the integrity of the virtual machine monitor, the integrity of the virtual machine monitor boot process is in turn dependent on the integrity of the OS. The OS is typically bulky, containing millions or even tens of millions of lines of code, and such large-scale code typically contains many security vulnerabilities that can result in the vulnerability of the TEE.
FIG. 1 illustrates a system architecture diagram of an example of a virtual machine monitor loading method suitable for application of embodiments of the present description.
As shown in fig. 1, one or more virtual machines (e.g., virtual machines 121, 123, ..., 12n) may be configured on the host 110, and a virtual machine monitor 130 for managing the virtual machines is also configured on the host. An operating system 140, such as Windows, Android or iOS (the type of operating system is not limited here), is also provided on host 110. A dynamic trusted module 150 is also configured on host 110 to provide trusted loading of software modules at any time (e.g., outside the operating system initialization phase).
It should be appreciated that hardware modules, such as a processor 160, memory (not shown) and disk (not shown), may also be provided on host 110 for supporting the normal operation of one or more of the software or configurations described above. In some examples of embodiments of the present description, the structure of processor 160 may conform to MP system configurations and may include a boot processor and an application processor.
In some application scenarios, after the virtual machine is started, when the virtual machine interacts with the remote server 190 to request a service (e.g., run a user application or access confidential data), the virtual machine needs to send an integrity report (e.g., the integrity report may contain relevant metric information for the virtual machine monitor) to the remote server 190 for verification and provide the service if the verification passes, and not provide the service if the verification does not pass.
It should be understood that the structure as depicted in fig. 1 is for illustration only and not for limitation of the scope of the present description, e.g., portions of the structure in remote server 190 or host 110 may not be preserved in some cases.
FIG. 2 illustrates a flowchart of an example of a virtual machine monitor loading method according to an embodiment of the present description.
As shown in fig. 2, in step 210, a dynamic trusted module is invoked based on the operating system of the host.
It should be noted that in the embodiments of this disclosure the virtual machine monitor is loaded by the operating system rather than managing the virtual machines directly on the host's hardware (as some types of virtual machine monitor described above do), so low deployment and maintenance costs can be achieved without handling the various hardware initialization operations.
In step 220, an integrity metric value corresponding to the virtual machine monitor is determined based on the dynamic trusted module and the integrity measurement value is extended in the PCR register of the TPM.
In the embodiments of this specification the virtual machine monitor is measured by the dynamic trusted module. Compared with a static trusted boot module, this allows trusted measurement to be performed at any time (for example, at system startup or whenever a service needs it): it is not limited to the system boot stage, it can be invoked directly when a service requires it, and it does not require the operating system to be restarted.
In step 230, the virtual machine monitor is loaded based on the integrity metric value. Illustratively, a load operation for the virtual machine monitor is automatically triggered when a metrics operation for the virtual machine monitor is completed (or when an integrity metrics value is generated).
In step 240, the operating system is degraded to a client mode (i.e., guest mode) based on the virtual machine monitor. Degrading the operating system into client mode reduces the operating authority of the operating system, so the security of the virtual machine monitor can be effectively protected.
It should be noted that, the current process of starting the virtual machine based on the dynamic trusted root is performed independently from the operating system (for example, AWS product), for example, starting the virtual machine through the dynamic trusted root, and restarting the operating system by using the virtual machine. Thus, virtual machines need to handle various initialization operations of the hardware platform, resulting in high deployment and maintenance costs. In contrast, in the embodiment of the present specification, hardware initialization at the time of system startup is handed to the operating system, and the virtual machine monitor is loaded by the operating system, so that there are advantages in that the code size is relatively small, deployment is convenient, and maintenance cost is low.
In addition, the dynamic trusted module excludes the OS from the TCB of the TEE, and even if the operating system is controlled by an attacker to be in an untrusted state, the trusted loading of the virtual machine monitor can still be realized. Furthermore, the dynamic trusted module can maintain a small size TCB while greatly improving TEE security and robustness.
In addition, the integrity measurement value obtained by the dynamic trusted module can reliably reflect the integrity of the virtual machine monitor in the starting process, and can provide reliable certification for remote verification.
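As an added illustration (this is not code from the patent), the following Python simulation models the two measurement chains discussed above: the static chain of the prior art, in which the OS itself reports the virtual machine monitor's measurement before loading it, and the dynamic chain, in which the dynamic trusted module hashes the image that is actually present in memory. The component images, the PCR bank and the verifier's registered values are constructed stand-ins; the extend operation follows the real TPM rule new_pcr = H(old_pcr || measurement).

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new_pcr = SHA-256(old_pcr || measurement).
    A PCR can only be reset or extended, never written directly, so a
    measuring agent cannot overwrite it with a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Integrity measurement value of a component: the hash of its code."""
    return hashlib.sha256(image).digest()


# Constructed stand-ins for real binaries (not actual firmware or hypervisor code).
BOOT_LOADER = b"constructed boot loader image"
OS_IMAGE = b"constructed operating system image"
GOOD_VMM = b"constructed hypervisor image v1"
TAMPERED_VMM = b"constructed hypervisor image v1 with an unwanted modification"


def srtm_chain(boot_loader: bytes, os_image: bytes, vmm_measurement_reported_by_os: bytes) -> bytes:
    """Static root of trust: BIOS measures the boot loader, the boot loader
    measures the OS, and then the OS itself measures the VMM before loading it.
    The last extend is whatever the OS reports, so the PCR reflects the OS's
    claim rather than the image that is actually loaded."""
    pcr = pcr_extend(PCR_INIT, measure(boot_loader))
    pcr = pcr_extend(pcr, measure(os_image))
    pcr = pcr_extend(pcr, vmm_measurement_reported_by_os)
    return pcr


def drtm_measure(vmm_memory_image: bytes) -> bytes:
    """Dynamic root of trust: the CPU-launched trusted module hashes the VMM
    image that is present in memory and extends it into a PCR reset for the
    dynamic launch. The OS is not in the loop, so it cannot substitute a
    different measurement."""
    return pcr_extend(PCR_INIT, measure(vmm_memory_image))


# Reference values a remote verifier registers in advance (constructed).
EXPECTED_SRTM_PCR = srtm_chain(BOOT_LOADER, OS_IMAGE, measure(GOOD_VMM))
EXPECTED_DRTM_PCR = drtm_measure(GOOD_VMM)


def verifier_accepts(expected_pcr: bytes, reported_pcr: bytes) -> bool:
    """Constant-time comparison of the reported PCR against the registered value."""
    return hmac.compare_digest(expected_pcr, reported_pcr)


def compromised_os_scenario() -> dict:
    """The window described in the text: the OS is compromised after boot, loads
    TAMPERED_VMM, but extends the measurement of GOOD_VMM. Under the static chain
    the PCR still matches the registered value; under the dynamic chain the real
    image is hashed and the mismatch is detected."""
    srtm_pcr = srtm_chain(BOOT_LOADER, OS_IMAGE, measure(GOOD_VMM))  # OS reports the good value
    drtm_pcr = drtm_measure(TAMPERED_VMM)                              # DRTM hashes what is loaded
    return {
        "srtm_detects_tampering": not verifier_accepts(EXPECTED_SRTM_PCR, srtm_pcr),
        "drtm_detects_tampering": not verifier_accepts(EXPECTED_DRTM_PCR, drtm_pcr),
    }


if __name__ == "__main__":
    print(compromised_os_scenario())  # {'srtm_detects_tampering': False, 'drtm_detects_tampering': True}
```

The static chain does detect an honest OS loading a tampered image (the reported measurement then differs), which is why the scheme is sound while the OS is still trustworthy; the gap is only that the PCR cannot tell whether the OS was still trustworthy at load time.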
There may be various trigger conditions for step 210. In one example of an embodiment of the present disclosure, the method further includes starting the operating system to initialize the hardware of the host; the startup of the operating system then triggers the host's operating system to call the dynamic trusted module. Thus, loading of the virtual machine monitor can be triggered automatically when the operating system starts.
In another example of an embodiment of this specification, the method further includes obtaining a virtual machine operation request, judging whether the obtained request meets a preset virtual machine operation condition, and, when it does, triggering the host's operating system to call the dynamic trusted module. For example, when there is a request to create a new virtual machine, or a request to start a virtual machine that involves a sensitive application, the virtual machine monitor needs to be loaded, and at that time the dynamic trusted module may be invoked directly without performing a restart. It should be understood that the preset virtual machine operation conditions may be formulated according to different service requirements, so as to meet the individual needs of the service.
As a further disclosed and optimized implementation of the embodiments of the present specification, after degrading the operating system to the client mode, a trusted execution environment may also be built based on the virtual machine monitor, such that the virtual machine is able to run in the built trusted execution environment.
Fig. 3 shows a signal interaction diagram of an example of a virtual machine service process according to an embodiment of the present specification.
As shown in FIG. 3, in step 311, operating system 310 passes the call instruction to the dynamic trusted module.
In step 313, the dynamic trusted module 320 determines, at run time, an integrity measurement value corresponding to the virtual machine monitor. Here, an existing or future dynamic trusted module may be used, such as Intel TXT or AMD Secure Execution Mode.
In step 315, the dynamic trusted module 320 extends the integrity measurement value into the PCR registers of the TPM. As described above, the PCR registers of the TPM are highly secure and cannot be maliciously tampered with or forged; the integrity measurement value corresponding to the virtual machine monitor is extended into the value of the corresponding PCR register.
In some embodiments, the TPM may sign the value of the PCR register using AK, vouching for the authenticity of the PCR register contents, and in turn generating an integrity report for remote verification. It should be understood that other information not described herein may also be included in the integrity report and are within the scope of the implementations of the present description.
In step 317, the dynamic trusted module 320 communicates the load instruction to the virtual machine monitor 330, which may be automatically communicated, for example, after the dynamic trusted module 320 completes the metrics.
In step 319, virtual machine monitor 330 performs a load operation and obtains an integrity report. As described above, the integrity report may be obtained from the TPM.
In step 3211, virtual machine monitor 330 communicates the load instruction to virtual machine 340. Here, the load instruction may also include an integrity report.
In step 3213, virtual machine monitor 330 passes the virtualized operation instructions to operating system 310. Here, based on the virtualized operation instruction, the operating system enters a client mode and continues to run, so as to ensure the security of the virtual machine monitor itself.
In step 323, virtual machine 340 may perform a load operation and receive an integrity report.
In step 325, the virtual machine 340 sends a service request containing the integrity report to the remote server 350. Here, the integrity report is used as a security credential for verification when the virtual machine requests a service from the remote server.
In step 327, the remote server 350 verifies whether the virtual machine monitor is trusted based on the integrity report. Illustratively, information about integrity metric information, PCR values, etc. of the virtual machine monitor is registered in advance on the remote server 350, and thus whether the virtual machine monitor is trusted can be verified through an information comparison operation.
If the determination in step 327 indicates trusted, then the process jumps to step 331. If the determination in step 327 indicates that it is not trusted, then the process jumps to step 329.
In step 331, the remote server 350 provides services to the virtual machine 340.
In addition, in step 329, the remote server 350 denies the provision of the service. Therefore, the service provided to the un-trusted virtual machine can be avoided, and the security of confidential application and user sensitive data can be ensured.
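To make the verifier's decision in steps 325 to 331 concrete, here is an added Python example (not code from the patent) of a minimal Quote and its verification: the remote server issues a fresh challenge, the TPM returns the selected PCR values bound to that challenge by a signature, and the server serves the request only if the signature, the challenge and the registered PCR values all check out. Two things are assumptions for the sake of a self-contained example: the AK signature is stood in for by an HMAC with a constructed shared key (a real TPM signs with the AK private key and the verifier checks with the AK public key), and PCR index 17 is an arbitrary choice, not something the patent specifies.

```python
import hashlib
import hmac
import json
import os

# Stand-in for the TPM attestation key (AK). Constructed value, not a real key;
# HMAC is used only so the example runs on the standard library.
AK_KEY = b"constructed-attestation-key-for-illustration-only"

# PCR value the remote server registered in advance for the known-good VMM
# (constructed: a reset PCR extended once with the hash of a constructed image).
KNOWN_GOOD_VMM_PCR = hashlib.sha256(
    bytes(32) + hashlib.sha256(b"constructed hypervisor image v1").digest()
).digest()
REGISTERED_PCRS = {17: KNOWN_GOOD_VMM_PCR}  # index 17 is an assumption


def tpm_quote(pcrs: dict, nonce: bytes) -> dict:
    """Produce a Quote: the selected PCR values plus the verifier's challenge,
    bound together by a signature (HMAC stand-in for the AK signature)."""
    body = json.dumps(
        {"pcrs": {str(i): v.hex() for i, v in pcrs.items()}, "nonce": nonce.hex()},
        sort_keys=True,
    ).encode()
    return {"body": body, "sig": hmac.new(AK_KEY, body, hashlib.sha256).digest()}


def verify_quote(quote: dict, expected_nonce: bytes, registered: dict) -> tuple:
    """Verifier side (step 327): check signature, freshness and PCR values.
    Returns (trusted, reason)."""
    expected_sig = hmac.new(AK_KEY, quote["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "signature invalid"      # body altered or not signed by the AK
    body = json.loads(quote["body"])
    if not hmac.compare_digest(bytes.fromhex(body["nonce"]), expected_nonce):
        return False, "nonce mismatch"          # replay of a Quote for an old challenge
    for index, expected in registered.items():
        reported = bytes.fromhex(body["pcrs"].get(str(index), ""))
        if not hmac.compare_digest(reported, expected):
            return False, f"PCR[{index}] does not match registered value"
    return True, "virtual machine monitor trusted"


def handle_service_request(quote: dict, issued_nonce: bytes) -> str:
    """Steps 327 to 331: provide the service only when the Quote verifies."""
    trusted, reason = verify_quote(quote, issued_nonce, REGISTERED_PCRS)
    return "service provided" if trusted else f"service denied: {reason}"


def demo() -> dict:
    nonce = os.urandom(16)  # fresh challenge issued by the remote server
    good = tpm_quote({17: KNOWN_GOOD_VMM_PCR}, nonce)
    bad_pcr = tpm_quote({17: hashlib.sha256(b"constructed other hypervisor").digest()}, nonce)
    replayed = tpm_quote({17: KNOWN_GOOD_VMM_PCR}, os.urandom(16))  # signed for a different challenge
    forged = {"body": good["body"], "sig": bytes(32)}                # signature not from the AK
    return {
        "good": handle_service_request(good, nonce),
        "bad_pcr": handle_service_request(bad_pcr, nonce),
        "replayed": handle_service_request(replayed, nonce),
        "forged": handle_service_request(forged, nonce),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The checks are ordered so that nothing inside the report is interpreted before its signature has been validated, and the challenge is compared before the PCR values so that a replayed but otherwise correct report is still rejected.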
In the embodiments of this specification, the dynamic trusted root is enabled from under the operating system and the virtual machine monitor is then loaded, which is convenient to deploy and reduces maintenance cost; because the dynamic trusted root first recovers a trusted execution environment from the untrusted environment and only then loads the virtual machine monitor, the reliability of the measurement result is ensured. In addition, once loaded, the virtual machine monitor dynamically takes over the hardware and reduces the operating system to client mode, so that malicious operations by the operating system against the virtual machine monitor can be prevented and the security of the virtual machine monitor is ensured.
Fig. 4 shows a flowchart of an example of a process of determining an integrity metric value in accordance with an embodiment of the present description.
As shown in fig. 4, in step 410, the images of the virtual machine monitor and of the dynamic trusted module are loaded into a secure memory area based on the operating system. Here, the secure memory area prohibits read and write operations in DMA (Direct Memory Access) mode, which prevents physical devices from accessing it via DMA.
In step 420, the image of the dynamic trusted module is executed, and the memory image of the virtual machine monitor is measured to determine the corresponding integrity measurement value.
In the embodiments of this specification, the dynamic trusted module and the virtual machine monitor are loaded into the secure memory area and the root-of-trust measurement is executed there, rather than reading and measuring the virtual machine monitor and the dynamic trusted module directly from disk; malicious tampering while the images are being loaded from disk into memory can thus be avoided, further ensuring the security of the measurement process.
It should be noted that when the dynamic trusted module measures the virtual machine monitor, all of the physical memory occupied by the virtual machine monitor must be accessed. Because the virtual machine monitor is typically large and may not be contiguously distributed in physical memory, the measurement process may be slow or even impossible. In view of this, the present embodiment can also construct a page table corresponding to the memory image of the virtual machine monitor. Then, when the integrity measurement is executed, the image of the dynamic trusted module is run and the memory image of the virtual machine monitor is accessed and measured through that page table to determine the corresponding integrity measurement value.
Thus, by measuring the memory image of the virtual machine monitor continuously through the page table, the measurement operation can proceed reliably and without interruption, ensuring both the efficiency of the integrity measurement and the reliability of its result.
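As an added Python example (not the patent's own code), the following shows why a page table makes the measurement of a non-contiguous image both possible and deterministic: the image is scattered over physical frames in an arbitrary order, the page table records which frame holds each page, and the measuring routine walks the page table in page order so that its digest equals the digest of the original contiguous image. Page size, frame layout and the image bytes are constructed for readability (real pages are 4 KiB).

```python
import hashlib

PAGE_SIZE = 16  # constructed tiny page size so the layout is easy to follow


def scatter_image(image: bytes, frame_order: list, total_frames: int):
    """Place the image page by page into the physical frames listed in frame_order
    (which need not be contiguous or ascending). Returns the physical memory
    together with the page table: page_table[i] is the frame holding page i."""
    pages = [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]
    if len(pages) > len(frame_order):
        raise ValueError("not enough frames for the image")
    memory = bytearray(b"\xcc" * (total_frames * PAGE_SIZE))  # unrelated memory contents
    page_table = []
    for page, frame in zip(pages, frame_order):
        base = frame * PAGE_SIZE
        memory[base:base + len(page)] = page
        page_table.append(frame)
    return memory, page_table


def measure_through_page_table(memory: bytearray, page_table: list, image_len: int) -> bytes:
    """Walk the page table in virtual-page order and hash exactly image_len bytes,
    so the digest is independent of where the frames sit in physical memory."""
    h = hashlib.sha256()
    remaining = image_len
    for frame in page_table:
        if remaining <= 0:
            break
        base = frame * PAGE_SIZE
        n = min(PAGE_SIZE, remaining)  # the last page may be partial
        h.update(memory[base:base + n])
        remaining -= n
    return h.digest()


def measure_contiguous(image: bytes) -> bytes:
    """Reference measurement of the image as one contiguous byte string."""
    return hashlib.sha256(image).digest()


def demo() -> dict:
    # Constructed image of four pages (the last one partial), placed out of order.
    image = b"constructed hypervisor image: code + data + relocation tables"
    memory, page_table = scatter_image(image, frame_order=[7, 2, 9, 0], total_frames=12)
    measured = measure_through_page_table(memory, page_table, len(image))
    # Flip one bit inside the third page (frame 9) of the in-memory image.
    tampered = bytearray(memory)
    tampered[9 * PAGE_SIZE + 3] ^= 0x01
    return {
        "page_table": page_table,
        "matches_reference": measured == measure_contiguous(image),
        "tamper_detected": measure_through_page_table(tampered, page_table, len(image)) != measured,
    }


if __name__ == "__main__":
    print(demo())  # {'page_table': [7, 2, 9, 0], 'matches_reference': True, 'tamper_detected': True}
```

Because the walk is driven by the page table rather than by physical addresses, the registered reference value for the virtual machine monitor can be computed once from its contiguous image and still matches no matter how the operating system happened to place the frames.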
FIG. 5 illustrates a flowchart of one example of determining an integrity metric value for a virtual machine monitor according to an embodiment of the present disclosure. Here, the processor has an MP system configuration, that is, a boot processor and at least one application processor are configured in the host.
In step 510, the boot processor is restarted based on the dynamic trusted module and the respective application processor is stopped running.
In step 520, a dynamic trusted module is invoked based on the boot processor to determine an integrity metric value corresponding to the virtual machine monitor. In some examples of embodiments of the present description, the dynamic trusted root may be a piece of code provided by the CPU vendor with a signature that the CPU will check upon loading the dynamic trusted root to ensure that it is a correct and authentic dynamic trusted root.
In the embodiments of this disclosure, the dynamic trusted root stops the running state of the CPUs, that is, of the main CPU (the boot processor) and of the other, non-main CPUs (the application processors), and then restarts the main CPU, so that a clean hardware execution environment is re-established. This escapes the interference of the current untrusted OS execution environment and ensures the security of the environment in which the virtual machine monitor is measured. Therefore, after the dynamic trusted root is loaded, the integrity of the virtual machine monitor is measured in a clean CPU state and extended into the PCR register, which guarantees the authenticity of the integrity measurement value of the virtual machine monitor.
In some application scenarios, when the operating system is running normally, for example, some external business applications are already running on the operating system of the cloud server. However, when a clean CPU state is built by the above operations, a brief deactivation of the business application may result. Thereafter, after the operating system is degraded to the client mode (e.g., virtualization mode is enabled on each CPU in turn), if the operating system is reloaded using a normal virtual machine boot mode, the entire boot process may last longer (even up to the order of minutes), which is unacceptable at the cloud server.
In view of this, the virtual machine monitor loading method in the embodiment of the present specification may further include the following operations: the operating system based on the host saves the running state of each processor in the host before the dynamic trusted module is invoked by the host based operating system. And after the operating system is degraded to a client mode, each application processor is respectively restored to the saved corresponding running state based on the virtual machine monitor. In this way, by directly restoring the saved CPU running state, the operating system can be effectively restored to the previous service running state, and the loading process of the virtual machine monitor is faster (for example, in the millisecond level), so that the interrupt process of the cloud server is not obviously perceived by the user, and the normal service of the host (for example, the cloud server) is not influenced while the virtual machine monitor is loaded.
The virtual machine monitor used in some examples of embodiments of the present description may be referred to as a Type 1.5 hypervisor (also referred to as a Type 3 hypervisor). It is loaded by the OS, but once running it can take over the system hardware and fully virtualize the OS. A further advantage of the Type 1.5 hypervisor is that hardware initialization is left to the operating system at system startup, so its code base is smaller, deployment is convenient, and maintenance cost is low. In addition, a Type 1.5 hypervisor may be used to build a trusted execution environment (TEE), which ensures that an application, or part of an application, runs in a secure computing environment, avoiding threats from security vulnerabilities in the OS or in other applications running above the OS.
When building a TEE based on a Type 1.5 hypervisor, the integrity of the hypervisor's startup process is critical, since the security of both user applications and data in the TEE depends on the hypervisor.
When building a TEE based on a Type 1.5 hypervisor, the OS loads the hypervisor image from disk into a specified memory region when needed and then jumps to the hypervisor entry function. After the hypervisor starts executing, it takes over the hardware, runs in the CPU's highest-privilege hardware mode, and degrades the operating system into a virtual machine operating system.
The process of loading the hypervisor, however, may be subject to several attacks. In one form of attack, an OS that is malicious, or that is controlled by an attacker through a vulnerability, modifies the Type 1.5 hypervisor memory image to inject malicious code and thereby control the hypervisor. In another form, a malicious OS deliberately loads an old version of the hypervisor and then exploits the software vulnerabilities of that old version to take control of the hypervisor. In these attacks the attacker may be a hacker on the network or a malicious internal employee.
In view of this, in some examples of embodiments of the present disclosure, secure loading of the Type 1.5 hypervisor in an untrusted OS environment is implemented by a dynamic trusted root, and measurement values are generated by measuring the hypervisor memory image, providing a trusted basis for remote attestation. It should be noted that a dynamic trusted root can achieve trusted loading of software modules (such as hypervisors, OSes, etc.) at any time, and another significant advantage is that the trusted computing base is small: the OS, which is bulky and contains many potential vulnerabilities, can be excluded from the TCB. Also, a dynamic trusted root may require special hardware support, such as Intel Trusted Execution Technology (TXT), and the corresponding hardware is present in some Intel-architecture chipsets.
Fig. 6 shows an interaction diagram of an example of a virtual machine monitor loading method according to an embodiment of the present disclosure. Here, the operating system 610 manages hardware and system resources, is responsible for completing hardware initialization, and loads the virtual machine monitor when needed. The dynamic trusted module 620 (or dynamic trusted root) is a functional module on the CPU that provides dynamic trusted boot. After being started, the virtual machine monitor 630 is responsible for building a trusted computing environment, running security-sensitive user applications, processing sensitive user data, and the like.
As shown in fig. 6, in step 601, an operating system 610 is started to initialize platform hardware.
In step 603, when a business need to create a virtual machine arises, the operating system 610 loads the virtual machine monitor image and the dynamic root of trust image into a protected memory region. Here, "protected" specifically means that physical devices are prevented from reading or writing the region via DMA.
The operating system 610 then starts the dynamic root of trust 620.
In step 605, the dynamic trusted module 620 restarts the main CPU and stops the other, non-main CPUs, re-establishing a clean execution environment by controlling the running state of the CPUs.
In step 607, the dynamic trusted module 620 measures the virtual machine monitor image and extends the measurement value into a PCR register of the TPM. Here, the expected measurement value may be pre-registered with a remote attestation server; during remote attestation, the PCR register value, which incorporates the measurement value of the virtual machine monitor, may be included in a remote attestation report, proving the trustworthiness of the virtual machine monitor.
When the dynamic trusted module measures the Type 1.5 hypervisor, all physical memory in which the hypervisor resides needs to be accessed. Since the size of a Type 1.5 hypervisor typically exceeds one 4KB physical page frame, it is not necessarily contiguous in physical memory. It is therefore necessary to provide the dynamic trusted module with a page table covering all the physical memory areas of the hypervisor.
Specifically, the dynamic trusted module may be invoked using the page table as follows. The page table format may be chosen to be PAE x86-32; the page table is placed at the head of the Type 1.5 hypervisor image by the linker script, which also specifies the virtual address at which the Type 1.5 hypervisor is loaded. Here, the page table contains only the mappings of the code and read-only segments, not of the data and read-write segments. Furthermore, the code and read-only segments may be defined not to exceed 2MB in size, so that all last-level page table entries fit in one 4KB physical page frame and the entire page table requires only 3 consecutive physical pages. Finally, the starting physical address of the page table is communicated to the dynamic trusted module through shared memory.
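As an added illustration, not the patent's own code: the three-page PAE page table described above is built in a constructed toy physical memory for a hypervisor whose code pages are scattered, and the code segment is then measured by walking that table page by page, with an unmapped page aborting the measurement. The load address, frame numbers, image contents and the FNV-1a stand-in for the TPM's hash are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE     4096ull
#define NUM_FRAMES    16ull                  /* constructed toy "physical memory" */
#define PTE_P         (1ull << 0)            /* present bit; RW left clear: read-only */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ull  /* frame address field of a PAE entry */
#define PT_ENTRIES    512                    /* 8-byte PAE entries per 4KB table */
#define HV_LOAD_VA    0x00400000u            /* assumed link-script load address */
#define FNV_INIT      0xcbf29ce484222325ull

/* Constructed physical memory: frame i is at physical address i * PAGE_SIZE.
 * Backed by uint64_t so page-table entries are naturally aligned. */
static uint64_t phys_words[NUM_FRAMES * PAGE_SIZE / 8];
#define phys_mem ((uint8_t *)phys_words)
#define PHYS_BYTES (NUM_FRAMES * PAGE_SIZE)

static bool frame_ok(uint64_t pa) { return pa + PAGE_SIZE <= PHYS_BYTES; }
static uint64_t *table_at(uint64_t pa) { return (uint64_t *)(phys_mem + pa); }

/* FNV-1a 64-bit, a stand-in for the SHA digest a real TPM measurement uses. */
static uint64_t fnv1a_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ull; }
    return h;
}

/* Fill the scattered frames with constructed hypervisor "code" bytes. */
void place_hypervisor_image(const uint64_t *frame_pa, size_t npages)
{
    for (size_t i = 0; i < npages; i++)
        for (size_t j = 0; j < PAGE_SIZE; j++)
            phys_mem[frame_pa[i] + j] = (uint8_t)(0x90 + i + (j % 7));
}

/* Build the three-page PAE table (PDPT, PD, PT in consecutive frames starting at
 * pt_base_pa) mapping npages scattered frames contiguously from virtual address va.
 * Returns the PDPT physical address, which the OS hands to the trusted module, or 0
 * if the segment would not fit in a single 4KB page table (the 2MB limit). */
uint64_t build_pae_page_table(uint64_t pt_base_pa, uint32_t va,
                              const uint64_t *frame_pa, size_t npages)
{
    uint64_t pdpt_pa = pt_base_pa, pd_pa = pt_base_pa + PAGE_SIZE,
             pt_pa = pt_base_pa + 2 * PAGE_SIZE;
    size_t pt_idx = (va >> 12) & 0x1ff;
    if (!frame_ok(pt_pa) || pt_idx + npages > PT_ENTRIES) return 0;
    memset(phys_mem + pt_base_pa, 0, 3 * PAGE_SIZE);
    table_at(pdpt_pa)[(va >> 30) & 0x3]  = pd_pa | PTE_P;
    table_at(pd_pa)[(va >> 21) & 0x1ff]  = pt_pa | PTE_P;
    for (size_t i = 0; i < npages; i++)
        table_at(pt_pa)[pt_idx + i] = (frame_pa[i] & PTE_ADDR_MASK) | PTE_P;
    return pdpt_pa;
}

/* Walk PDPT -> PD -> PT for one virtual address; false if any level is absent. */
bool pae_translate(uint64_t pdpt_pa, uint32_t va, uint64_t *pa_out)
{
    if (!frame_ok(pdpt_pa)) return false;
    uint64_t pdpte = table_at(pdpt_pa)[(va >> 30) & 0x3];
    if (!(pdpte & PTE_P) || !frame_ok(pdpte & PTE_ADDR_MASK)) return false;
    uint64_t pde = table_at(pdpte & PTE_ADDR_MASK)[(va >> 21) & 0x1ff];
    if (!(pde & PTE_P) || !frame_ok(pde & PTE_ADDR_MASK)) return false;
    uint64_t pte = table_at(pde & PTE_ADDR_MASK)[(va >> 12) & 0x1ff];
    if (!(pte & PTE_P) || !frame_ok(pte & PTE_ADDR_MASK)) return false;
    *pa_out = (pte & PTE_ADDR_MASK) | (va & 0xfff);
    return true;
}

/* Measure [va, va+len) through the page table, one page at a time. An unmapped
 * page aborts the measurement rather than silently hashing the wrong memory. */
bool measure_through_page_table(uint64_t pdpt_pa, uint32_t va, size_t len,
                                uint64_t *digest)
{
    uint64_t h = FNV_INIT;
    for (size_t done = 0; done < len; ) {
        uint64_t pa;
        if (!pae_translate(pdpt_pa, (uint32_t)(va + done), &pa)) return false;
        size_t in_page = (size_t)(PAGE_SIZE - (pa & 0xfff));
        size_t chunk = (len - done < in_page) ? len - done : in_page;
        h = fnv1a_update(h, phys_mem + pa, chunk);
        done += chunk;
    }
    *digest = h;
    return true;
}

/* TPM-style extend: PCR_new = H(PCR_old || measurement). */
uint64_t pcr_extend(uint64_t pcr_old, uint64_t measurement)
{
    uint8_t buf[16];
    memcpy(buf, &pcr_old, 8);
    memcpy(buf + 8, &measurement, 8);
    return fnv1a_update(FNV_INIT, buf, sizeof buf);
}
```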
The dynamic trusted module 620 then starts the virtual machine monitor 630.
In step 609, the virtual machine monitor 630 begins running and may take over the system hardware.
In step 611, the virtual machine monitor 630 resumes the other non-main CPUs that were stopped by the dynamic trusted module 620.
In step 613, the virtual machine monitor 630 downgrades the operating system to client mode.
It should be noted that, before the virtual machine monitor is loaded, the operating system runs in the high-privilege mode of the CPU (e.g., VMX root mode), and after being degraded to client mode it runs in the low-privilege mode (e.g., VMX non-root mode), which ensures that the virtual machine monitor fully takes over control of the whole system.
Here, if the operating system virtual machine were started from the BIOS and the operating system reloaded, the entire start-up process would last seconds or even minutes. In the application scenario addressed by this scheme, the operating system may already be running applications that provide external services before the Type 1.5 hypervisor is started. The normal way of starting a virtual machine would leave these services unavailable for a long period, which is not acceptable on a cloud server.
In some examples of embodiments of the present disclosure, before the dynamic trusted module is started, the operating system saves the running state of every CPU in a memory region shared with the Type 1.5 hypervisor, and when the Type 1.5 hypervisor starts the virtual machine, it restores the virtual machine's CPU state from the state saved in the shared memory.
Specifically, this can be achieved as follows. The BIOS reserves a block of shared memory in advance, saves its starting physical address into a register (BASE) and its size into a register (SIZE). The operating system then reads the BIOS BASE and SIZE registers to obtain the starting physical address and size of the shared memory, maps it into the operating system address space, and initializes it. The operating system then saves each CPU's running state (including the stack pointer, the instruction pointer (IP), the segment registers (GDTR, CS, DS, ES, FS, GS), the interrupt descriptor table register (IDTR), the control registers (CR0, CR3, CR4) and other registers (TSS, EFER, LSTAR)) into the shared memory. Thereafter, the Type 1.5 hypervisor reads the BIOS BASE and SIZE registers to obtain the starting physical address and size of the shared memory. Before the operating system virtual machine is started, the CPU state saved in the shared memory is read and used to fill the guest virtual machine control structure (VMCS), so that the operating system virtual machine is returned directly to the state it was in before the dynamic trusted module was loaded.
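The save-and-restore flow described above, as an added example rather than code from the patent: the OS writes one entry per CPU into the BIOS-reserved region, and the hypervisor validates the region against the BIOS-provided size before it consumes an entry to fill the guest state, since the region was written by the untrusted OS. The region layout, header fields, magic value and the VMCS field struct are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHM_MAGIC   0x53544154u   /* constructed tag for the saved-state region */
#define SHM_VERSION 1u
#define MAX_CPUS    8u

/* A descriptor-table register (GDTR/IDTR) as saved by sgdt/sidt. */
struct dtr { uint64_t base; uint16_t limit; };

/* One processor's running state: the fields the description lists. */
struct cpu_state {
    uint64_t sp, ip;                 /* stack pointer, instruction pointer */
    uint16_t cs, ds, es, fs, gs;     /* segment selectors */
    struct dtr gdtr, idtr;           /* GDT / IDT base and limit */
    uint64_t cr0, cr3, cr4;          /* control registers */
    uint16_t tr;                     /* TSS selector */
    uint64_t efer, lstar;            /* MSRs */
};

/* Header at the start of the BIOS-reserved region [BASE, BASE+SIZE). */
struct shm_header { uint32_t magic, version, cpu_count, entry_size; };

/* Constructed stand-in for the BIOS-reserved region and its BASE/SIZE values. */
static uint8_t shm_region[4096];
#define BIOS_BASE ((void *)shm_region)
#define BIOS_SIZE ((uint64_t)sizeof shm_region)

/* OS side, run before the dynamic trusted module is invoked: write the header
 * and one entry per CPU. Fails rather than overrunning the region. */
bool os_save_cpu_states(void *base, uint64_t size,
                        const struct cpu_state *states, uint32_t n)
{
    uint64_t need = sizeof(struct shm_header) + (uint64_t)n * sizeof(struct cpu_state);
    if (n == 0 || n > MAX_CPUS || need > size) return false;
    struct shm_header hdr = { SHM_MAGIC, SHM_VERSION, n, (uint32_t)sizeof(struct cpu_state) };
    memcpy(base, &hdr, sizeof hdr);
    memcpy((uint8_t *)base + sizeof hdr, states, (size_t)n * sizeof(struct cpu_state));
    return true;
}

/* Guest-state subset of the VMCS that the hypervisor fills before launching the
 * OS virtual machine. Field names are illustrative; on real hardware each one is
 * written with vmwrite using its VMCS encoding. */
struct vmcs_guest_state {
    uint64_t rsp, rip, cr0, cr3, cr4, efer;
    uint16_t cs, ds, es, fs, gs, tr;
    struct dtr gdtr, idtr;
    uint64_t lstar;                  /* an MSR, restored alongside the VMCS */
};

/* Hypervisor side, after the OS has been degraded to client mode. The region
 * was written by the untrusted OS, so every header field is checked against the
 * BIOS-provided size before an entry is consumed. */
bool hv_load_saved_state(const void *base, uint64_t size, uint32_t cpu,
                         struct vmcs_guest_state *out)
{
    struct shm_header hdr;
    if (size < sizeof hdr) return false;
    memcpy(&hdr, base, sizeof hdr);
    if (hdr.magic != SHM_MAGIC || hdr.version != SHM_VERSION) return false;
    if (hdr.entry_size != sizeof(struct cpu_state)) return false;
    if (hdr.cpu_count == 0 || hdr.cpu_count > MAX_CPUS || cpu >= hdr.cpu_count) return false;
    uint64_t off = sizeof hdr + (uint64_t)cpu * hdr.entry_size;
    if (off + hdr.entry_size > size) return false;

    struct cpu_state s;
    memcpy(&s, (const uint8_t *)base + off, sizeof s);
    /* A state that was really running has protection and paging enabled
     * (CR0.PE, CR0.PG); VM entry would reject such inconsistencies anyway. */
    if (!(s.cr0 & (1ull << 0)) || !(s.cr0 & (1ull << 31))) return false;

    out->rsp = s.sp;   out->rip = s.ip;
    out->cr0 = s.cr0;  out->cr3 = s.cr3;  out->cr4 = s.cr4;  out->efer = s.efer;
    out->cs = s.cs; out->ds = s.ds; out->es = s.es; out->fs = s.fs; out->gs = s.gs;
    out->tr = s.tr;    out->gdtr = s.gdtr; out->idtr = s.idtr; out->lstar = s.lstar;
    return true;
}
```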
In step 615, operating system 610 continues with subsequent operations in client mode.
In some examples of embodiments of the present disclosure, in the untrusted execution environment of an operating system, a dynamic trusted root may be used to load a Type 1.5 hypervisor, extend the integrity measurement value of the Type 1.5 hypervisor into a PCR register of the TPM, and degrade the operating system to client mode after the virtual machine monitor finishes loading, so as to ensure the security of the virtual machine monitor itself during the subsequent running of the host.
FIG. 7 shows a block diagram of an example of a virtual machine monitor loading device according to an embodiment of the present disclosure. In connection with the example above as in fig. 1, an operating system, a dynamic trusted module, a virtual machine, and a virtual machine monitor for managing the virtual machine may be configured on the host machine.
As shown in fig. 7, the virtual machine monitor loading apparatus 700 includes a dynamic root of trust calling unit 710, a dynamic root of trust executing unit 720, a virtual machine monitor loading unit 730, a system mode degrading unit 740, a CPU state saving unit 750, a CPU state restoring unit 760, a page table constructing unit 770, a system starting unit 780, and a virtual machine request acquiring unit 790.
The dynamic trusted root invoking unit 710 is configured to invoke the dynamic trusted module based on the operating system of the host.
The dynamic trusted root execution unit 720 is configured to determine an integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module and extend the integrity measurement value in a PCR register of the TPM.
In some implementations, the dynamic root of trust execution unit 720 includes a processor configuration module (not shown) and a dynamic root of trust invocation module (not shown). Here, the processor configuration module is configured to restart the boot processor based on the dynamic trusted module and to stop running each of the application processors. The dynamic trusted root invocation module is configured to invoke the dynamic trusted module based on the boot processor to determine an integrity metric value corresponding to the virtual machine monitor.
The virtual machine monitor loading unit 730 is configured to load the virtual machine monitor based on the integrity metric value.
The system mode degradation unit 740 is configured to degrade the operating system to a guest mode based on the virtual machine monitor.
The CPU state saving unit 750 is configured to save the running states of the respective processors in the host based on the operating system before the dynamic trusted module is invoked based on the operating system of the host.
The CPU state recovery unit 760 is configured to recover the respective application processors to the saved respective running states based on the virtual machine monitor after the operating system is degraded to the client mode.
In some embodiments, the CPU state saving unit 750 is configured to save the running states of the respective processors in the host machine into a shared memory for the virtual machine monitor based on the operating system, and the CPU state restoring unit 760 is configured to restore the respective application processors to the respective running states saved in the shared memory based on the virtual machine monitor, respectively.
In some examples of embodiments of the present description, the dynamic root of trust invocation unit 710 includes a protected memory loading module (not shown) and a memory image measurement module (not shown). Here, the protected memory loading module is configured to load the images of the virtual machine monitor and the dynamic trusted module into a secure memory area based on the operating system, where the secure memory area prohibits read and write operations in DMA mode. The memory image measurement module is configured to execute the image of the dynamic trusted module and measure the memory image of the virtual machine monitor so as to determine the corresponding integrity measurement value.
The page table construction unit 770 is configured to construct a page table corresponding to the memory image of the virtual machine monitor. Accordingly, the memory image measurement module executes the image of the dynamic trusted module and accesses and measures the memory image of the virtual machine monitor through the page table to determine the corresponding integrity measurement value.
The system start-up unit 780 is configured to start the operating system to perform an initialization operation on the hardware of the host. Accordingly, the dynamic root of trust invocation unit 710 includes a first call triggering module (not shown), which triggers the host to call the dynamic trusted module based on the operating system when the operating system starts.
The virtual machine request acquisition unit 790 is configured to acquire a virtual machine operation request. Accordingly, the dynamic root of trust invocation unit 710 includes a second call triggering module (not shown), which triggers the host to call the dynamic trusted module based on the operating system when the acquired virtual machine operation request meets a preset virtual machine operation condition.
It should be noted that some of the units in the apparatus 700 described above are optional in some application scenarios. Illustratively, in some embodiments, the CPU state saving unit 750, the CPU state restoring unit 760, the page table construction unit 770, the system start-up unit 780 and the virtual machine request acquisition unit 790 may be omitted. It should be appreciated that when the apparatus 700 is provided with the CPU state restoring unit 760, the apparatus 700 should also include the CPU state saving unit 750.
Embodiments of a virtual machine monitor loading method and apparatus according to embodiments of the present disclosure are described above with reference to fig. 1 to 7. The details mentioned in the above description of the method embodiments apply equally to the embodiments of the device according to the present description. The above virtual machine monitor loading device may be implemented in hardware, or may be implemented in software, or a combination of hardware and software.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many improvements to method flows today can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD) (e.g., a field programmable gate array (FPGA)) is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers; examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely in computer-readable program code, it is entirely possible to logically program the method steps so that the controller implements the same functionality in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and the means for performing the various functions included in it may also be regarded as structures within the hardware component. Indeed, the means for achieving the various functions may be regarded both as software modules implementing the method and as structures within a hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description embodiments may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present specification embodiments are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The present embodiments may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (18)

1. A loading method of a virtual machine monitor is provided, wherein an operating system, a dynamic trusted module, a virtual machine and the virtual machine monitor for managing the virtual machine are configured on a host machine, and the loading method of the virtual machine monitor comprises the following steps:
Invoking the dynamic trusted module based on the operating system of the host;
Determining an integrity metric value corresponding to the virtual machine monitor based on the dynamic trusted module, and expanding the integrity metric value in a PCR register of a TPM;
Loading the virtual machine monitor based on the integrity metric value;
And degrading the operating system into a client mode based on the virtual machine monitor.
2. The virtual machine monitor loading method of claim 1, wherein a boot processor and at least one application processor are configured in the host,
wherein determining the integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module specifically comprises:
restarting the boot processor based on the dynamic trusted module and stopping running each of the application processors; and
The dynamic trusted module is invoked based on the boot processor to determine an integrity metric value corresponding to the virtual machine monitor.
3. The virtual machine monitor loading method of claim 2, wherein prior to invoking the dynamic trusted module based on the operating system of the host, the method further comprises:
based on the operating system, storing the running state of each processor in the host;
Wherein after the operating system is degraded into a client mode, the method further comprises:
And respectively restoring each application processor to the saved corresponding running state based on the virtual machine monitor.
4. The virtual machine monitor loading method according to claim 3, wherein based on the operating system, saving the running state of each processor in the host specifically includes:
based on the operating system, storing the running states of all processors in the host machine into a shared memory aiming at the virtual machine monitor;
Based on the virtual machine monitor, restoring each application processor to the saved corresponding running state respectively, specifically including:
And based on the virtual machine monitor, respectively recovering each application processor to the corresponding running state stored in the shared memory.
5. The virtual machine monitor loading method of claim 1, wherein invoking the dynamic trusted module based on the operating system of the host specifically comprises:
Based on the operating system, loading mirror images of the virtual machine monitor and the dynamic trusted module into a safe memory area, wherein the safe memory area prohibits read-write operation in a DMA mode;
wherein determining the integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module specifically comprises:
and executing the mirror image of the dynamic trusted module, and measuring the memory mirror image of the virtual machine monitor to determine the corresponding integrity measurement value.
6. The virtual machine monitor loading method of claim 5, further comprising:
Constructing a page table corresponding to a memory mirror image of the virtual machine monitor;
wherein executing the mirror image of the dynamic trusted module and measuring the memory mirror image of the virtual machine monitor to determine the corresponding integrity measurement value specifically comprises:
And executing the mirror image of the dynamic trusted module, and accessing and measuring the memory mirror image of the virtual machine monitor through the page table to determine the corresponding integrity measurement value.
7. The virtual machine monitor loading method of claim 1, further comprising:
starting the operating system to initialize the hardware of the host;
wherein invoking the dynamic trusted module based on the operating system of the host specifically comprises:
triggering the operating system based on the host to call the dynamic trusted module based on the starting of the operating system.
8. The virtual machine monitor loading method of claim 1, further comprising:
obtaining a virtual machine operation request;
wherein invoking the dynamic trusted module based on the operating system of the host specifically comprises:
triggering the operating system of the host to invoke the dynamic trusted module when the obtained virtual machine operation request satisfies a preset virtual machine operation condition.
9. The virtual machine monitor loading method of claim 1, further comprising, after degrading the operating system to client mode:
constructing a trusted execution environment based on the virtual machine monitor, so that the virtual machine runs in the constructed trusted execution environment.
10. A virtual machine monitor loading device, wherein an operating system, a dynamic trusted module, a virtual machine, and a virtual machine monitor for managing the virtual machine are configured on a host, the device comprising:
a dynamic root of trust calling unit for invoking the dynamic trusted module based on the operating system of the host;
a dynamic root of trust execution unit for determining an integrity measurement value corresponding to the virtual machine monitor based on the dynamic trusted module and extending the integrity measurement value into a PCR register of a TPM;
a virtual machine monitor loading unit for loading the virtual machine monitor based on the integrity measurement value;
and a system mode degrading unit for degrading the operating system into client mode based on the virtual machine monitor.
11. The virtual machine monitor loading device of claim 10, wherein a boot processor and at least one application processor are configured in the host, and the dynamic root of trust execution unit comprises:
a processor configuration module for restarting the boot processor and stopping each application processor based on the dynamic trusted module; and
a dynamic root of trust calling module for invoking the dynamic trusted module based on the boot processor to determine the integrity measurement value corresponding to the virtual machine monitor.
12. The virtual machine monitor loading device of claim 11, further comprising:
a CPU state saving unit for saving, based on the operating system, the running state of each processor in the host before the dynamic trusted module is invoked based on the operating system of the host;
and a CPU state recovery unit for restoring each application processor to its saved running state based on the virtual machine monitor after the operating system is degraded to client mode.
13. The virtual machine monitor loading device of claim 12, wherein the CPU state saving unit saves, based on the operating system, the running state of each processor in the host into a memory shared with the virtual machine monitor; and
the CPU state recovery unit restores each application processor, based on the virtual machine monitor, to its running state stored in the shared memory.
14. The virtual machine monitor loading device of claim 10, wherein the dynamic root of trust calling unit comprises:
a protected memory loading module for loading, based on the operating system, the images of the virtual machine monitor and of the dynamic trusted module into a secure memory area in which read and write access by DMA is prohibited;
and the dynamic root of trust execution unit comprises:
a memory image measurement module for executing the image of the dynamic trusted module and measuring the memory image of the virtual machine monitor to determine the corresponding integrity measurement value.
15. The virtual machine monitor loading device of claim 14, further comprising:
a page table construction unit for constructing a page table corresponding to the memory image of the virtual machine monitor;
wherein the memory image measurement module executes the image of the dynamic trusted module and accesses and measures the memory image of the virtual machine monitor through the page table to determine the corresponding integrity measurement value.
16. The virtual machine monitor loading device of claim 10, further comprising:
a system starting unit for starting the operating system to initialize the hardware of the host;
wherein the dynamic root of trust calling unit comprises:
a first call triggering module for triggering the operating system of the host, upon its start, to invoke the dynamic trusted module.
17. The virtual machine monitor loading device of claim 10, further comprising:
a virtual machine request acquisition unit for acquiring a virtual machine operation request;
wherein the dynamic root of trust calling unit comprises:
a second call triggering module for triggering the operating system of the host to invoke the dynamic trusted module when the acquired virtual machine operation request satisfies a preset virtual machine operation condition.
18. An electronic device, comprising:
at least one processor; and
a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the method of any one of claims 1 to 9.
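The measure-and-extend step of claims 1, 5 and 6 (and the corresponding units of claims 10, 14 and 15), as an added Python illustration that is not part of the patent: the VMM image is read through a page table in virtual-page order, hashed with SHA-256, extended into a simulated PCR, and compared against a known-good value before the load is authorized. The 4 KiB page size, the frame layout, the sample image and the SHA-256 PCR bank are constructed assumptions; the DMA-protected region and a real TPM are not modelled.

```python
import hashlib
import hmac

PAGE_SIZE = 4096         # constructed assumption: 4 KiB pages
PCR_ZERO = bytes(32)     # a reset SHA-256 PCR is all zeros

def measure_bytes(data: bytes) -> bytes:
    """Integrity measurement of a contiguous image: its SHA-256 digest."""
    return hashlib.sha256(data).digest()

def measure_image_via_page_table(page_table: dict, phys_mem: dict, image_len: int) -> bytes:
    """Measure a VMM image whose pages are scattered over physical frames.
    page_table[vpn] -> physical frame number; phys_mem[pfn] -> page bytes.
    Pages are read in virtual order, so the digest equals measure_bytes() of the
    contiguous image. An unmapped page raises KeyError: no partial measurement."""
    h = hashlib.sha256()
    remaining = image_len
    for vpn in range((image_len + PAGE_SIZE - 1) // PAGE_SIZE):
        page = phys_mem[page_table[vpn]]
        h.update(page[:min(PAGE_SIZE, remaining)])   # last page may be partial
        remaining -= PAGE_SIZE
    return h.digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend semantics: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def authorize_vmm_load(pcr_value: bytes, expected_pcr: bytes) -> bool:
    """Load the VMM only if the extended PCR matches the known-good value."""
    return hmac.compare_digest(pcr_value, expected_pcr)

def scatter_image(image: bytes, frame_order: list) -> tuple:
    """Constructed helper: place the image's pages into the given physical frames."""
    page_table, phys_mem = {}, {}
    for vpn, pfn in enumerate(frame_order):
        chunk = image[vpn * PAGE_SIZE:(vpn + 1) * PAGE_SIZE]
        page_table[vpn] = pfn
        phys_mem[pfn] = chunk.ljust(PAGE_SIZE, b"\0")
    return page_table, phys_mem

# constructed sample: a 10 KiB "VMM image" (3 pages, the last one partial)
VMM_IMAGE = bytes(range(256)) * 40

def demo() -> tuple:
    """Measure the scattered image, then show a one-byte change is refused."""
    pt, mem = scatter_image(VMM_IMAGE, [7, 2, 9])
    good = pcr_extend(PCR_ZERO, measure_image_via_page_table(pt, mem, len(VMM_IMAGE)))
    mem[2] = b"\xff" + mem[2][1:]     # frame 2 holds virtual page 1 of the image
    bad = pcr_extend(PCR_ZERO, measure_image_via_page_table(pt, mem, len(VMM_IMAGE)))
    return authorize_vmm_load(good, good), authorize_vmm_load(bad, good)
```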
CN202010231214.5A 2020-03-27 Virtual machine monitor loading method and device and electronic equipment Active CN113448682B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010231214.5A CN113448682B (en) 2020-03-27 Virtual machine monitor loading method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113448682A CN113448682A (en) 2021-09-28
CN113448682B true CN113448682B (en) 2024-04-19

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101866408A (en) * 2010-06-30 2010-10-20 华中科技大学 Transparent trust chain constructing system based on virtual machine architecture
WO2012148255A1 (en) * 2011-04-26 2012-11-01 Mimos Berhad An apparatus and method for determining level of integrity in a virtual trusted platform module
CN103177212A (en) * 2013-03-08 2013-06-26 湘潭大学 Computer security input system and method based on lightweight virtual machine monitor unit
US8627414B1 (en) * 2009-08-04 2014-01-07 Carnegie Mellon University Methods and apparatuses for user-verifiable execution of security-sensitive code
CN103810422A (en) * 2014-02-20 2014-05-21 东莞中国科学院云计算产业技术创新与育成中心 Safety virtualization isolation method based on mirror image intelligent management
WO2016081867A1 (en) * 2014-11-20 2016-05-26 Interdigital Patent Holdings, Inc. Providing security to computing systems
CN105930199A (en) * 2016-04-14 2016-09-07 浪潮集团有限公司 Virtual machine monitor local integrity detection system and implementation method
KR101729680B1 (en) * 2015-12-01 2017-04-25 한국전자통신연구원 Method and apparatus for providing operating system based on lightweight hypervisor
WO2019079128A1 (en) * 2017-10-20 2019-04-25 Microsoft Technology Licensing, Llc Remapping virtual devices for virtual machines

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Kernel integrity measurement method based on memory forensics; 陈志锋; 李清宝; 张平; 王炜; Journal of Software (No. 9); full text *
Security architecture based on a trusted lightweight virtual machine monitor; 程戈; 邹德清; 李敏; 季成; Application Research of Computers (No. 8); full text *
Dynamic integrity measurement method for VMM based on adjacent points; 吴涛; 杨秋松; 贺也平; Journal on Communications (No. 9); full text *

Similar Documents

Publication Publication Date Title
JP5512610B2 (en) Method, system, and machine-readable storage medium for permitting or blocking access to memory from non-firmware agent
US8726364B2 (en) Authentication and access protection of computer boot modules in run-time environments
CN109918919B (en) Management of authentication variables
US7827371B2 (en) Method for isolating third party pre-boot firmware from trusted pre-boot firmware
US8327415B2 (en) Enabling byte-code based image isolation
EP2831792B1 (en) Providing an immutable antivirus payload for internet ready compute nodes
JP5346608B2 (en) Information processing apparatus and file verification system
US20150271139A1 (en) Below-OS Security Solution For Distributed Network Endpoints
US20090119748A1 (en) System management mode isolation in firmware
WO2012084837A1 (en) Virtual machine validation
CN107567629B (en) Dynamic firmware module loader in trusted execution environment container
US8205197B2 (en) Apparatus, system, and method for granting hypervisor privileges
US8843742B2 (en) Hypervisor security using SMM
US10102377B2 (en) Protection of secured boot secrets for operating system reboot
CN110334515B (en) Method and device for generating measurement report based on trusted computing platform
EP3514720B1 (en) Data structure measurement comparison
CN113806745B (en) Verification checking method, computing system and machine-readable storage medium
EP3440586B1 (en) Method for write-protecting boot code if boot sequence integrity check fails
CN113448682B (en) Virtual machine monitor loading method and device and electronic equipment
CN113448682A (en) Virtual machine monitor loading method and device and electronic equipment
CN110032870B (en) Safety guiding method and system of virtual machine monitor and hardware safety monitoring card
US20230025126A1 (en) Virtualization layer assisted upgrading of in-guest agents

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant