CN114116026B - Cloud platform trust chain layered model construction method (English machine translation of a Chinese patent)

Info

Publication number: CN114116026B
Application number: CN202111340139.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114116026A
Legal status: Active
Inventors: 陈兴蜀, 周明星, 王启旭, 杨苗苗, 桂艳双, 阮树骅, 刘军卫, 张胜举
Original assignee: Sichuan University
Current assignees: Sichuan University; China Mobile Suzhou Software Technology Co Ltd
Prior art keywords: virtual machine, operating system, vTPM, trust chain, measuring

Classifications

    • G06F9/4411 Configuring for operating with peripheral devices; loading of device drivers (under G06F9/4401 Bootstrapping)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/45533 Hypervisors; virtual machine monitors)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a cloud platform trust chain layered model construction method comprising the following steps: measuring the operating system based on the hardware TPM (Trusted Platform Module) to ensure the trustworthiness of the cloud platform computing node, measuring the VMM (virtual machine monitor), and having the VMM measure the virtual machine initialization simulation component, so that the initial start-up environment of the virtual machine is secure and trusted; establishing the virtual machine self trust chain: starting from the virtual machine initialization simulation component, measuring the virtual machine operating system to establish the virtual machine's own trust chain; establishing the relation among the TPM, the vTPM instance and the VM: establishing a one-to-one correspondence between each vTPM instance and a cloud platform virtual machine, and establishing the relation between the vTPM instance and the hardware TPM of the computing node host. The method divides the cloud platform trust chain into two levels, a virtual machine basic environment trust chain and a virtual machine self trust chain, establishes the connection among the TPM, the vTPM instance and the VM, guarantees the independence of the virtual machine self trust chain, and at the same time lets the virtual machine basic environment trust chain provide trusted support for the virtual machine self trust chain.

Description

Cloud platform trust chain hierarchical model construction method
Technical Field
The invention relates to the technical field of virtualization and trusted computing, in particular to a cloud platform trust chain hierarchical model construction method.
Background
At present, the security problems of the virtual machine running environment on a cloud platform can be mitigated by measures aimed at the cloud platform environment such as access control, data protection and vulnerability detection, but the fundamental problem that the cloud platform virtual machine lacks a security foundation cannot be solved this way. Trusted computing technology protects key components of a system from modification by measuring, storing and reporting their integrity state through a tamper-resistant hardware TPM (Trusted Platform Module) chip.
Trusted computing technology can thus provide a physical trusted basis for virtual machines and solve the problem of the missing virtual machine security foundation: through virtual trusted computing technology a virtual trusted root is created for each virtual machine to construct a trusted environment for it. However, the virtual trusted root is a software simulation of a hardware trusted root and itself lacks a security foundation, so a cloud platform trust chain extension mechanism needs to be researched to provide hardware trusted support for the virtual trusted root.
Existing cloud platform trust chain extension approaches are mainly of two types: first, the host trust chain is extended directly to the application programs in the virtual machine, for example by using management domain privileges on the Xen platform to measure the kernel and applications inside the virtual machine and pass the trust relationship into it; second, the security of the vTPM (Virtual Trusted Platform Module) keys and certificates is ensured by extending the trusted certificate chain and the certificate of the hardware TPM. However, both approaches need to establish, for the applications in the virtual machine, a trust chain originating from the hardware TPM, and because that chain is long it can lead to problems such as high maintenance cost and leakage of the virtual machine's private information.
Disclosure of Invention
In view of these problems, the invention aims to provide a cloud platform trust chain layered model construction method that achieves trusted support of the virtual machine self trust chain by the virtual machine basic environment trust chain while guaranteeing the independence of the virtual machine self trust chain, providing a new solution for constructing a trusted environment for cloud virtual machines. The technical scheme is as follows:
a cloud platform trust chain layered model construction method comprises the following steps:
step 1: establishing the virtual machine basic environment trust chain
Starting from the hardware TPM, the operating system is measured when the host is started and the trust chain is passed from the hardware TPM to the operating system, ensuring the trustworthiness of the host operating system;
the operating system then measures the virtual machine monitor, extending the trust range to the host's virtual machine monitor, and the virtual machine monitor measures the virtual machine initialization simulation component, which comprises a BIOS simulation program, a vBIOS and vTPM simulation software, extending the trust range to the virtual machine initialization simulation component and ensuring the security and trustworthiness of the core components of the virtual machine basic environment;
step 2: establishing the virtual machine self trust chain
Taking the virtual machine initialization simulation component as the trusted basis, the operating system is measured when the virtual machine is started and the trust chain is passed from the virtual machine initialization simulation component to the virtual machine operating system, establishing the virtual machine's self trust chain;
step 3: establishing the relation among the TPM, the vTPM instance and the VM
A one-to-one correspondence is established between each vTPM instance and the corresponding cloud platform virtual machine, and a correspondence is established between the vTPM instance and the TPM, so that the vTPM device simulated for the cloud platform virtual machine by the vTPM simulation software has a trusted basis.
Further, step 1 specifically comprises:
step 1.1: after the host is powered on, the core root of trust for measurement drives the hardware TPM to begin measurement and verification; measurement and verification are carried out in sequence over the core root of trust for measurement, the BIOS, the operating system loader and the host operating system, establishing a trust chain from the hardware TPM to the host operating system;
step 1.2: the host operating system measures the virtual machine monitor and extends the trust range to it; before a virtual machine is started, the virtual machine monitor measures the virtual machine initialization simulation component and verifies its integrity; once that measurement is completed, the establishment of the virtual machine basic environment trust chain is complete.
Further, measuring and verifying in sequence over the core root of trust for measurement, the BIOS, the operating system loader and the host operating system specifically includes:
(1) when the host is powered on and starts, the core root of trust for measurement in the BIOS performs the initial trusted measurement and drives the TPM to start working; the result of measuring the BIOS is compared with the BIOS reference value held in a platform configuration register of the hardware TPM to verify the integrity of the BIOS, and if verification passes, control is handed to the BIOS;
(2) when the BIOS has obtained control and started, it measures the operating system loader and compares the measurement with the operating system loader reference value in a platform configuration register of the hardware TPM to verify the loader's integrity; if verification passes, control is handed to the operating system loader;
(3) after the operating system loader obtains control, it measures the operating system and compares the result with the operating system reference value in a platform configuration register of the hardware TPM to verify the operating system's integrity; if verification passes, control is handed to the host operating system.
Further, step 2 specifically includes:
step 2.1: taking the virtual machine initialization simulation component as the trusted basis, the virtual core root of trust for measurement in the BIOS simulation program performs the trusted measurement when the virtual machine is started and reads the start-up information to drive the vTPM; the result of measuring the vBIOS is compared with the vBIOS reference value in a platform configuration register of the vTPM to verify the integrity of the vBIOS, and if verification passes, control is handed to the vBIOS;
step 2.2: after the vBIOS obtains control and finishes starting, the result of measuring the virtual machine operating system loader is compared with the operating system loader reference value in a platform configuration register of the vTPM to verify the integrity of the vBIOS, and after verification passes, control is handed to the virtual machine operating system loader;
step 2.3: after the virtual machine operating system loader obtains control, the result of measuring the virtual machine operating system is compared with the virtual machine operating system reference value in a platform configuration register of the vTPM to verify the integrity of the virtual machine operating system loader, and after verification passes, control is handed to the virtual machine operating system;
step 2.4: after the virtual machine operating system obtains control, the result of measuring the application program on the virtual machine is compared with the application program reference value in the platform configuration register of the vTPM to verify the integrity of the application program, and the trust range is extended to the application program; at this point the virtual machine self trust chain is established.
Further, step 3 specifically includes:
step 3.1: when a cloud platform virtual machine is created, the cloud platform first automatically creates a vTPM instance carrying the uuid of the virtual machine to be created, establishing a one-to-one correspondence between the vTPM instance and the cloud platform virtual machine;
step 3.2: the vTPM instance file created on the cloud platform computing node is encrypted with the RSA public key of that node, and the encryption result is extended into platform configuration register PCR11 of the computing node's hardware TPM.
The beneficial effects of the invention are as follows: to address the cost and security problems that arise because a virtual machine lacks a hardware trusted foundation and the trust chain from the hardware trusted root to the applications in the virtual machine is long, the cloud platform trust chain is divided into two layers, the virtual machine basic environment trust chain and the virtual machine self trust chain; the two layers are joined with the virtual machine initialization simulation component as the link; the connection among the TPM, the vTPM instance and the VM is established; the independence of the virtual machine self trust chain is guaranteed while the virtual machine basic environment trust chain can still support it; and a new solution is provided for constructing a trusted environment for cloud virtual machines.
Drawings
FIG. 1 is a schematic diagram of a cloud platform trust chain hierarchical model in the present invention.
FIG. 2 is a working principle diagram of the cloud platform trust chain hierarchical model according to the present invention.
Fig. 3 is a working schematic diagram of the association between the TPM, the vTPM instance, and the VM in the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and specific embodiments. FIG. 1 shows a schematic diagram of the cloud platform trust chain hierarchical model of the invention, which comprises two layers: the virtual machine basic environment trust chain and the virtual machine self trust chain.
(1) The virtual machine basic environment trust chain is established as follows: when the host is started, the operating system is measured based on the hardware TPM, establishing a trust chain from the hardware TPM to the operating system and ensuring the trustworthiness of the cloud platform computing node operating system; the host operating system measures the VMM (Virtual Machine Monitor) and extends the trust range to the VMM; the VMM measures the virtual machine initialization simulation component, passing trust to it. In this way the security and trustworthiness of the core components in the virtual machine basic environment are ensured.
(2) The virtual machine self trust chain is established as follows: starting from the virtual machine initialization simulation component, the virtual machine operating system is measured based on the vTPM when the virtual machine is started, establishing the virtual machine's self trust chain.
FIG. 2 shows the working principle diagram of the cloud platform trust chain hierarchical model of the invention, which comprises the establishment process of the virtual machine basic environment trust chain and that of the virtual machine self trust chain.
1. The key components in establishing the virtual machine basic environment trust chain are the host operating system, the virtual machine monitor (VMM) and the virtual machine initialization simulation component.
Starting from the hardware TPM, the operating system is measured when the host is started and the trust chain is passed from the hardware TPM to the operating system, ensuring the trustworthiness of the host operating system; the operating system measures the virtual machine monitor, extending the trust range to the host's virtual machine monitor; the virtual machine monitor measures the virtual machine initialization simulation component, comprising the BIOS simulation program, the vBIOS and the vTPM simulation software, extending the trust range to it and ensuring the security and trustworthiness of the core components of the virtual machine basic environment.
The specific establishment process is as follows:
(1) When the host is powered on and started, the Core Root of Trust for Measurement (CRTM) in the BIOS performs the initial trusted measurement and drives the TPM to start working; the result of measuring the BIOS is compared with the BIOS reference value in a PCR (Platform Configuration Register) of the hardware TPM to verify the integrity of the BIOS, and if verification passes, control is handed to the BIOS.
(2) After the BIOS obtains control and finishes starting, it measures the OS Loader and compares the measurement with the OS Loader reference value in a PCR of the hardware TPM to verify the integrity of the OS Loader; if verification passes, control is handed to the OS Loader.
(3) After the OS Loader obtains control, it measures the operating system and compares the result with the operating system reference value in a PCR of the hardware TPM to verify the integrity of the operating system; if verification passes, control is handed to the host operating system.
(4) The host operating system measures the VMM (virtual machine monitor), compares the measurement with the VMM reference value in a PCR of the hardware TPM, and when verification passes extends the trust range to the VMM.
(5) Before a virtual machine is started, the VMM measures the virtual machine initialization simulation component and compares the result with the reference value for that component stored in a PCR of the hardware TPM to verify its integrity. Once this measurement is completed, the establishment of the virtual machine basic environment trust chain is complete.
2. The key component in establishing the virtual machine self trust chain is the virtual machine operating system. Taking the virtual machine initialization simulation component as the trusted basis, the operating system is measured when the virtual machine is started and the trust chain is passed from the virtual machine initialization simulation component to the virtual machine operating system, establishing the virtual machine's self trust chain. The specific establishment process is as follows:
(1) Taking the virtual machine initialization simulation component as the trusted basis, the virtual core root of trust for measurement (vCRTM) in the BIOS simulation program performs the trusted measurement when the virtual machine is started and reads the start-up information to drive the vTPM; the result of measuring the vBIOS is compared with the vBIOS reference value in a PCR of the vTPM to verify the integrity of the vBIOS, and if verification passes, control is handed to the vBIOS.
(2) After the vBIOS obtains control and finishes starting, the result of measuring the virtual machine's OS Loader is compared with the OS Loader reference value in a PCR of the vTPM to verify the integrity of the vTPM, and after verification passes, control is handed to the virtual machine's OS Loader.
(3) After the virtual machine's OS Loader obtains control, the result of measuring the virtual machine operating system is compared with the virtual machine operating system reference value in a PCR of the vTPM to verify the integrity of the virtual machine operating system, and after verification passes, control is handed to the virtual machine operating system.
(4) After the virtual machine operating system obtains control, the result of measuring the application program on the virtual machine is compared with the application program reference value in a PCR of the vTPM to verify the integrity of the application program, and the trust range is extended to the application program. At this point the virtual machine self trust chain is established.
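The measure-extend-compare hand-over that steps 1 and 2 describe (the Summary's steps 1.1 through 2.4 and the two establishment processes above), as an added simulation in Python; this is example code written for this page, not code from the patent or its inventors. It models each PCR bank as a SHA-256 register array, assigns PCR indices by position in the chain (an assumption; the patent itself names only PCR11), and builds constructed golden images so that everything runs offline. The layering is the point it shows: the VMM measures the BIOS emulator, vBIOS and vTPM software together as the initialization component, so a modified vBIOS is caught by the hardware-TPM chain before any VM starts, while a modified guest application is caught only by the vTPM chain and leaves the hardware TPM's PCRs untouched.

```python
import hashlib
from dataclasses import dataclass


class SimPcrBank:
    """Constructed stand-in for a PCR bank (hardware TPM or vTPM), SHA-256 only."""

    def __init__(self, count: int = 24):
        self.pcrs = [bytes(32)] * count

    def extend(self, index: int, digest: bytes) -> bytes:
        # TPM extend semantics: PCR[i] = H(PCR[i] || digest); order-dependent, irreversible
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]


@dataclass(frozen=True)
class Stage:
    name: str    # component measured by whoever currently holds control
    pcr: int     # PCR the measurement is extended into (index assumed, not from the patent)
    image: bytes


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def run_chain(stages, references, bank):
    """Measure, extend, compare with the reference value, hand over control only on a
    match. Returns (ok, log); the first mismatch stops the chain, as the page describes."""
    log = []
    for stage in stages:
        digest = measure(stage.image)
        bank.extend(stage.pcr, digest)
        ok = digest == references[stage.name]
        log.append((stage.name, "pass" if ok else "FAIL"))
        if not ok:
            return False, log
    return True, log


# Constructed "golden" images. The VM initialization simulation component is the
# BIOS emulator, the vBIOS and the vTPM software, measured together by the VMM.
PARTS = ["bios", "os_loader", "host_os", "vmm", "bios_emulator", "vbios",
         "vtpm_software", "vm_os_loader", "vm_os", "vm_app"]
HOST_ORDER = ["bios", "os_loader", "host_os", "vmm", "vm_init_component"]
VM_ORDER = ["vbios", "vm_os_loader", "vm_os", "vm_app"]
GOLDEN = {n: f"golden image of {n}".encode() for n in PARTS}


def init_component(images):
    return images["bios_emulator"] + images["vbios"] + images["vtpm_software"]


REFERENCES = {n: measure(GOLDEN[n]) for n in PARTS}
REFERENCES["vm_init_component"] = measure(init_component(GOLDEN))


def boot_platform(overrides=None):
    """Layered boot: the base-environment chain (hardware TPM) must complete before the
    VM's own chain (vTPM) starts, and the VM chain never extends the hardware TPM."""
    images = {**GOLDEN, **(overrides or {})}
    images["vm_init_component"] = init_component(images)
    tpm, vtpm = SimPcrBank(), SimPcrBank()
    host_stages = [Stage(n, i, images[n]) for i, n in enumerate(HOST_ORDER)]
    base_ok, log = run_chain(host_stages, REFERENCES, tpm)
    result = {"base_ok": base_ok, "vm_ok": False, "log": log,
              "tpm_pcrs": tpm.pcrs[:len(HOST_ORDER)]}
    if not base_ok:
        return result          # no VM is started on an untrusted base environment
    vm_stages = [Stage(n, i, images[n]) for i, n in enumerate(VM_ORDER)]
    vm_ok, vm_log = run_chain(vm_stages, REFERENCES, vtpm)
    result.update(vm_ok=vm_ok, log=log + vm_log, vtpm_pcrs=vtpm.pcrs[:len(VM_ORDER)])
    return result


if __name__ == "__main__":
    for case in ({}, {"vm_app": b"trojaned app"}, {"vbios": b"patched vbios"}):
        r = boot_platform(case)
        print(case or "golden", "base_ok=%s vm_ok=%s" % (r["base_ok"], r["vm_ok"]), r["log"][-1])
```

Running the script prints one line per case: the golden images pass both chains, the modified application fails at the last vTPM stage with the hardware TPM values unchanged, and the modified vBIOS fails at the VMM's measurement of the initialization component, so the VM chain is never started.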
To solve the problem of the missing security foundation of virtual machines, a virtual trusted root can be created for each virtual machine through virtual trusted computing technology, but the virtual trusted root is a software simulation of a hardware trusted root and lacks a security foundation of its own. The method binds the virtual machine uuid when the vTPM instance file is created, encrypts all vTPM instance files of the node with the RSA public key of the cloud platform computing node, extends the final result into platform configuration register PCR11 of the TPM, and so establishes the relation among the TPM, the vTPM instance and the VM. This realizes a trusted association between the hardware TPM and the vTPM instance while keeping the two independent, solves the problem of the vTPM lacking a security foundation, and has the characteristics of loose coupling and high flexibility.
Fig. 3 shows the working schematic diagram of the association between the TPM, the vTPM instance and the VM in the invention. Because many instances exist in the vTPM instance resource pool of a cloud platform, a one-to-one correspondence between vTPM instances and cloud platform virtual machines must be established; at the same time, the vTPM device used by a cloud platform virtual machine is realized by software simulation and lacks the security guarantee of a physical hardware TPM device, so a connection between the vTPM instance and the TPM must also be established.
The one-to-one connection between a vTPM instance and a cloud platform virtual machine is established as follows:
as shown in Fig. 3, before the cloud platform creates a virtual machine, a vTPM instance file carrying the virtual machine uuid is first created automatically; while the cloud platform creates the virtual machine, the vTPM instance file carrying that virtual machine's uuid is specified by default, which guarantees the one-to-one correspondence between the vTPM instance and the cloud platform virtual machine.
The connection between the vTPM instance and the TPM is established as follows:
as shown in Fig. 3, the RSA public key of the computing node is used to encrypt the vTPM instance file created by the node, and the encryption result is then extended into platform configuration register PCR11 of the computing node's hardware TPM.
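The vTPM-to-TPM binding of step 3 (an instance file carrying the VM uuid, sealed under the node's public key and extended into PCR11), as an added Python model written for this page, not the patent's own code. Assumptions: the standard library has no RSA, so a keyed SHA-256 under the node key stands in for the RSA public-key encryption the patent specifies (the binding only needs a result that is fixed by key and file content); the instance file layout and the node key are constructed; and verify_pool is the defender's check the page implies but does not spell out, namely that every instance names the VM it serves and that PCR11 equals the value recomputed from the instance files on disk in creation order.

```python
import hashlib
import hmac
import uuid

PCR11 = 11  # the PCR index the page reserves for the vTPM instance binding


class SimPcrBank:
    """Constructed stand-in for the compute node's hardware TPM PCR bank (SHA-256)."""

    def __init__(self, count: int = 24):
        self.pcrs = [bytes(32)] * count

    def extend(self, index: int, digest: bytes) -> bytes:
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]


def seal_under_node_key(node_public_key: bytes, instance_file: bytes) -> bytes:
    """Stand-in for the RSA public-key encryption of the instance file (assumption: the
    standard library has no RSA, so a keyed SHA-256 under the node key plays its role;
    for the binding all that matters is a result fixed by key and file content)."""
    return hmac.new(node_public_key, instance_file, hashlib.sha256).digest()


def make_instance_file(vm_uuid: str) -> bytes:
    """Constructed vTPM instance file: a header, the VM uuid (step 3.1) and blank NV state."""
    return b"vtpm-instance\x00" + vm_uuid.encode() + b"\x00" + b"\x00" * 32


def uuid_of_instance(instance_file: bytes) -> str:
    return instance_file.split(b"\x00")[1].decode()


def expected_pcr11(node_public_key: bytes, instance_files) -> bytes:
    """Recompute PCR11 from the instance files in creation order: what a verifier holding
    the node's public key and the instance inventory can check against a TPM quote."""
    bank = SimPcrBank()
    for f in instance_files:
        bank.extend(PCR11, seal_under_node_key(node_public_key, f))
    return bank.pcrs[PCR11]


class VtpmPool:
    """Constructed model of one compute node's vTPM instance pool bound to its TPM."""

    def __init__(self, node_public_key: bytes):
        self.node_public_key = node_public_key
        self.tpm = SimPcrBank()
        self.instances = {}   # vm_uuid -> instance file, one-to-one with VMs
        self.order = []       # extend order, since the PCR value depends on it

    def create_vm(self, vm_uuid: str = "") -> str:
        vm_uuid = vm_uuid or str(uuid.uuid4())
        if vm_uuid in self.instances:
            raise ValueError(f"VM {vm_uuid} already has a vTPM instance")
        f = make_instance_file(vm_uuid)                                    # step 3.1
        self.instances[vm_uuid] = f
        self.order.append(vm_uuid)
        self.tpm.extend(PCR11, seal_under_node_key(self.node_public_key, f))  # step 3.2
        return vm_uuid


def verify_pool(pool: VtpmPool) -> bool:
    """Defender's check: every instance file names the VM it is attached to, and the
    node's live PCR11 equals the value recomputed from the files on disk."""
    for vm_uuid, f in pool.instances.items():
        if uuid_of_instance(f) != vm_uuid:
            return False
    files = [pool.instances[u] for u in pool.order]
    return pool.tpm.pcrs[PCR11] == expected_pcr11(pool.node_public_key, files)


if __name__ == "__main__":
    pool = VtpmPool(b"constructed node-A public key")
    pool.create_vm("vm-0001")
    pool.create_vm("vm-0002")
    print("clean pool verifies:", verify_pool(pool))
    pool.instances["vm-0001"] = make_instance_file("vm-0002")   # instance swapped between VMs
    print("swapped instance verifies:", verify_pool(pool))
```

A swapped or modified instance file fails the check in two independent ways: the uuid embedded in the file no longer matches the VM it is attached to, and the recomputed PCR11 no longer matches the TPM, so the substitution is visible even to a remote verifier that only sees the quote and the file inventory.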

Claims (2)

1. A cloud platform trust chain layered model construction method is characterized by comprising the following steps:
step 1: establishing a chain of trust for a virtual machine base environment
Starting from a hardware TPM, measuring an operating system when a host computer is started, and transmitting a trust chain from the hardware TPM to the operating system to ensure the credibility of the operating system of the host computer;
measuring a virtual machine monitor through an operating system, extending a trust range to the host machine virtual machine monitor, measuring a virtual machine initialization simulation component by the virtual machine monitor, wherein the virtual machine initialization simulation component comprises a BIOS simulation program, a vBIOS and vTPM simulation software, extending the trust range to the virtual machine initialization simulation component, and ensuring the safety and the credibility of a core component in a virtual machine basic environment;
step 2: establishing virtual machine self trust chain
Measuring an operating system when the virtual machine is started by taking the virtual machine initialization simulation component as a credible basis, and transmitting a trust chain from the virtual machine initialization simulation component to the virtual machine operating system so as to establish the self trust chain of the virtual machine;
step 3: establishing the connection among the TPM, the vTPM instance and the VM
Establishing one-to-one correspondence between each vTPM instance and the corresponding cloud platform virtual machine, and establishing the correspondence between the vTPM instance and the TPM at the same time, so as to ensure that vTPM equipment simulated for the cloud platform virtual machine through vTPM simulation software has a trusted basis;
the step 1 specifically comprises the following steps:
step 1.1: after the host machine is powered on, the core measurement trusted root guides the hardware TPM to start measurement and verification, measurement and verification are sequentially carried out according to the sequence of the core measurement trusted root, the BIOS, the operating system loader and the host machine operating system, and a trust chain from the hardware TPM to the host machine operating system is established;
step 1.2: the host operating system measures the virtual machine monitor and expands the trust range to the virtual machine monitor; before the virtual machine is started, measuring the virtual machine initialization simulation component by a virtual machine monitor, and verifying the integrity of the virtual machine initialization simulation component; after the virtual machine initialization simulation component measurement is completed, the establishment work of the virtual machine basic environment trust chain is completed;
the step 2 specifically comprises the following steps:
step 2.1: taking a virtual machine initialization simulation component as a trusted basis, executing trusted measurement by a virtual core measurement root in a BIOS simulation program when the virtual machine is started, and reading starting information to guide vTPM to work; comparing the result of measuring the vBIOS with a vBIOS reference value in a platform configuration register of the vTPM to verify the integrity of the vBIOS, and if the verification is passed, giving control to the vBIOS;
step 2.2: when the vBIOS obtains the control right and finishes starting, comparing the result obtained by measuring the virtual machine operating system loader with the reference value of the operating system loader in the platform configuration register of the vTPM to verify the integrity of the vBIOS, and giving the control right to the virtual machine operating system loader after the verification is passed;
step 2.3: after the virtual machine operating system loader obtains the control right, comparing a result obtained by measuring the virtual machine operating system with a virtual machine operating system reference value in a platform configuration register of the vTPM to verify the integrity of the virtual machine operating system loader, and giving the control right to the virtual machine operating system after the verification is passed;
step 2.4: after the virtual machine operating system obtains the control right, comparing the application program on the measurement virtual machine with the application program reference value in the platform configuration register of the vTPM to verify the integrity of the application program, and expanding the trust range to the application program; at this point, the establishment of the trust chain of the virtual machine is completed;
the step 3 specifically comprises the following steps:
step 3.1: when a cloud platform virtual machine is created, firstly, a vTPM instance with the virtual machine uuid is automatically established for the virtual machine to be created through a cloud platform, and one-to-one corresponding relation between the vTPM instance and the cloud platform virtual machine is established;
step 3.2: encrypting the vTPM instance file created on the cloud platform computing node with the RSA public key of the node, and extending the encryption result into a platform configuration register (PCR11) of the computing node hardware TPM.
2. The cloud platform trust chain hierarchical model building method according to claim 1, wherein the sequentially performing measurement and verification according to the order of the core measurement trusted root, the BIOS, the operating system loader, and the host operating system specifically comprises:
(1) When the host computer is powered on and starts, the core measurement trusted root in the BIOS performs the initial trusted measurement and brings the TPM into operation; the result of measuring the BIOS is compared with the BIOS reference value in a platform configuration register of the hardware TPM to verify the integrity of the BIOS, and if the verification passes, control is given to the BIOS;
(2) When the BIOS has obtained control and started, the BIOS measures the operating system loader and compares the measurement result with the operating system loader reference value in a platform configuration register of the hardware TPM to verify the integrity of the operating system loader; if the verification passes, the BIOS gives control to the operating system loader;
(3) After the operating system loader has obtained control, it verifies the integrity of the operating system by measuring the operating system and comparing the result with the operating system reference value in a platform configuration register of the hardware TPM; if the verification passes, control is given to the host operating system.
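The staged measure, compare and hand-off logic of step 2 (virtual machine chain) and claim 2 (host chain), together with the per-uuid vTPM instance of step 3.1, as an added Python simulation that is not the patent's own code; SHA-256 as the digest, the PCR indices and the sample component images are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Added simulation, not the patent's code. SHA-256, the PCR indices and the
# sample images are assumptions made for illustration.
ZERO = b"\x00" * 32
def measure(image: bytes) -> bytes:
    """Measurement of a component is the digest of its image."""
    return hashlib.sha256(image).digest()

@dataclass
class Tpm:
    """Minimal PCR bank: one for the hardware TPM, one per vTPM instance."""
    pcrs: dict = field(default_factory=lambda: {i: ZERO for i in range(24)})

    def extend(self, index: int, digest: bytes) -> bytes:
        # TPM extend semantics: PCR_new = H(PCR_old || digest)
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

def build_reference(stages):
    """Provisioning: expected PCR values derived from known-good images."""
    tpm = Tpm()
    return {name: tpm.extend(idx, measure(img)) for name, idx, img in stages}

def run_chain(stages, reference, tpm=None):
    """Boot: each stage measures the next component, extends the PCR and
    passes control on only if the PCR equals its reference value."""
    tpm = tpm if tpm is not None else Tpm()
    trusted = []  # components that received control
    for name, idx, image in stages:
        if tpm.extend(idx, measure(image)) != reference[name]:
            return trusted, f"integrity check failed at {name}"
        trusted.append(name)
    return trusted, "ok"

# Constructed sample images standing in for real firmware and binaries.
HOST = [("BIOS", 0, b"bios-v1"), ("OS loader", 4, b"grub-v1"),
        ("host OS", 8, b"kernel-v1")]
VM = [("vBIOS", 0, b"seabios-v1"), ("VM OS loader", 4, b"vm-grub-v1"),
      ("VM OS", 8, b"vm-kernel-v1"), ("application", 10, b"app-v1")]
HOST_REF, VM_REF = build_reference(HOST), build_reference(VM)

VTPMS = {}  # step 3.1: one vTPM instance per virtual machine, keyed by uuid
def vtpm_for(vm_uuid: str) -> Tpm:
    return VTPMS.setdefault(vm_uuid, Tpm())

def tamper(stages, name, image):
    """Swap one component image to simulate a modified loader or kernel."""
    return [(n, i, image if n == name else img) for n, i, img in stages]
```

A mismatch stops the chain at the failing stage, so every component listed as trusted was measured against its reference before receiving control.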
CN202111340139.7A 2021-11-12 2021-11-12 Cloud platform trust chain layered model construction method Active CN114116026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111340139.7A CN114116026B (en) 2021-11-12 2021-11-12 Cloud platform trust chain layered model construction method

Publications (2)

Publication Number Publication Date
CN114116026A CN114116026A (en) 2022-03-01
CN114116026B true CN114116026B (en) 2023-04-07

Family

ID=80379303

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111340139.7A Active CN114116026B (en) 2021-11-12 2021-11-12 Cloud platform trust chain layered model construction method

Country Status (1)

Country Link
CN (1) CN114116026B (en)

Also Published As

Publication number Publication date
CN114116026A (en) 2022-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Chen Xingshu, Zhou Mingxing, Wang Qixu, Yang Miaomiao, Gui Yanshuang, Ruan Shuhua, Liu Junwei, Zhang Shengju
Inventor before: Chen Xingshu, Zhou Mingxing, Wang Qixu, Yang Miaomiao, Gui Yanshuang, Ruan Shuhua, Liu Weijun, Zhang Shengju
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20240102
Address after: 215163 Building 1, 58 Kunlunshan Road, high tech Zone, Suzhou City, Jiangsu Province
Patentee after: CHINA MOBILE (SUZHOU) SOFTWARE TECHNOLOGY Co.,Ltd.
Patentee after: SICHUAN University
Address before: 610065, No. 24, south section of first ring road, Chengdu, Sichuan, Wuhou District
Patentee before: SICHUAN University