CN114189515A - Server cluster log obtaining method and device based on SGX - Google Patents

Info

Publication number
CN114189515A
Authority
CN
China
Prior art keywords
log
key
type
management controller
cluster
Legal status
Granted
Application number
CN202111341369.5A
Other languages
Chinese (zh)
Other versions
CN114189515B (en)
Inventor
麻付强
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to a server cluster log obtaining method and device based on SGX. The remote log obtaining and processing code is placed in a trusted execution environment; the log obtaining device program connects to all BMCs in the cluster and carries out a DH key exchange protocol with each BMC to establish a separate communication key with each. Through the remote attestation function of SGX, each BMC verifies that the log obtaining device program runs in a trusted enclave; the log obtaining device then logs in to all BMCs in the cluster and, after identity authentication succeeds, obtains the BMC logs using the communication key. The log data of the distributed server cluster are collected uniformly and a correlation analysis function is realized; the security requirements of encryption during log transmission, log processing and log storage are met; and the method and device classify and grade the logs, store them by class, and improve the utilization rate of the logs.

Description

Server cluster log obtaining method and device based on SGX
Technical Field
The application relates to the technical field of cloud computing, in particular to a server cluster log obtaining method and device based on SGX.
Background
In the cloud computing era, stable operation of the servers in a cloud computing platform is a precondition for providing reliable cloud computing services. The traditional approach to server operation and maintenance is for operations personnel to patrol the machine room in person or to operate the machine through the operating system's remote desktop. This approach is inefficient and cannot trace the cause after a server goes down. With the server's Intelligent Platform Management Interface (IPMI), an administrator can reach a remote server over the network from anywhere, analyze the state and faults of the server system from the collected event log and sensor data records, confirm the cause of a fault, recover the server through the related settings, and discover hidden dangers in the server system earlier through the early-warning function, thereby ensuring normal operation of the service. The BMC (Baseboard Management Controller) is the embedded management chip that implements IPMI. The BMC on the server mainboard can read the sensors on the board (temperature, fan speed, voltage, power consumption and so on), can collect sensor logs, system logs and the like, and also implements operational control of the server.
Intel SGX is an extension of the Intel architecture that adds a new set of instructions and memory access mechanisms to the original architecture. These extensions allow an application to create a container called an enclave, which partitions a protected area within the application's address space and protects the code and data inside it even from malicious software running with special privileges.
In service management, the BMC generates and records event logs in the System Event Log (SEL). A user or technician can access the system event log through a log browser, which extracts information from the SEL and displays it in hexadecimal or in detailed form. The server can be monitored through SEL information to find warnings or potentially serious problems, and SEL data can be saved together for analysis, saved as a single file for later analysis, or used to clear the existing SEL data in the server; however, the log of the whole content of the BMC cannot be obtained this way. Meanwhile, a remote control terminal can access the BMC through its network function to obtain the server's logs (system logs, management logs and network logs).
In the latest version of IPMI, security has been improved because IPMI has strengthened its authentication and encryption functions. Authentication includes message authentication based on secure hash algorithms and keyed hash algorithms, and the encryption modes include Arcfour and others. The introduction of encryption and authentication enables a server administrator to operate the server remotely and securely, but the data is still displayed in plaintext at the remote control end.
In a multi-node server system, in order to keep track of the working conditions of each node and discover abnormal conditions in time, equipment maintenance personnel usually need to check each node one by one during operation. With networking, maintenance personnel can log on to each node remotely over the network and manage each node remotely. However, because of the large number of nodes, the maintenance work is extremely tedious and complex, the efficiency is low, and problems arising during operation are not easy to find in time. No log correlation analysis function across the server cluster has been formed. The servers in a cluster usually work in coordination, and when a certain server fails, other servers may be affected, so correlation analysis of the logs across the server cluster is required.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a server cluster log obtaining method and apparatus based on SGX in order to solve the above technical problem.
In one aspect, a server cluster log obtaining method based on an SGX is provided, where the method includes:
creating a trusted execution environment based on SGX, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment;
connecting to the server baseboard management controllers in the server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster, establishing a separate communication key with each, and generating a quote for remote attestation for the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending it to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving it, verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge after remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication with the baseboard management controller;
and after the identity authentication succeeds, acquiring the log of the baseboard management controller.
In one embodiment, obtaining the baseboard management controller log comprises at least one of:
actively initiating a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and passively receiving a log sent by the baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the method further comprises:
decrypting the log of the baseboard management controller with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted log by log category to form first-class log data; and classifying the logs by time while performing correlation analysis on the logs of the same time period across different clusters to form second-class log data.
In one embodiment, the method further comprises:
analyzing and processing the first-class log data, and sending a first-class alarm if a single server triggers an alarm threshold;
and performing cluster joint analysis on the second-class log data, and sending a second-class alarm if the cluster servers trigger an alarm threshold according to the association degree.
In one embodiment, the method further comprises:
generating a root sealing key, and randomly generating a first-class encryption key and a second-class encryption key;
encrypting the first-class encryption key and the second-class encryption key respectively with the root sealing key, and storing the encrypted first-class encryption key and the encrypted second-class encryption key in a key database;
encrypting the first-class log data with the first-class encryption key to form first-class log encrypted data, and encrypting the second-class log data with the second-class encryption key to form second-class log encrypted data;
storing the first-class log encrypted data and the second-class log encrypted data respectively in a log database;
and acquiring the logs from the log database, and decrypting the first-class logs and the second-class logs respectively with the first-class encryption key and the second-class encryption key.
In one embodiment, the method further comprises:
and updating the communication key in real time: when a new communication key is generated, either encrypting the new communication key with the old communication key and sending it to the baseboard management controller, or generating a new key by running the key exchange protocol again, to realize the update of the communication key.
In another aspect, an SGX-based server cluster log obtaining apparatus is provided, where the apparatus includes:
the log obtaining device creates an SGX-based trusted execution environment, places the remote log obtaining and processing code in the SGX-based trusted execution environment, and connects to the server baseboard management controllers in the server cluster through an IP network; it comprises a communication encryption and decryption module, a remote attestation module, an identity authentication module and a log obtaining module, wherein:
the communication encryption and decryption module is used to carry out a key exchange protocol with each baseboard management controller in the cluster and establish a separate communication key with each; to encrypt the quote generated by the remote attestation module with the communication key and send the encrypted quote to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving it and verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment; and to decrypt the log of the baseboard management controller with the communication key to obtain the plaintext log information;
the remote attestation module is used to generate a quote for remote attestation for a baseboard management controller in the cluster;
the identity authentication module is used to respond to the identity authentication challenge that the baseboard management controller initiates to the remote network control end after remote attestation succeeds, and to perform login authentication with the baseboard management controller using an identity authentication protocol;
and the log obtaining module is used to obtain the logs of the baseboard management controller after identity authentication succeeds.
In one embodiment, the log obtaining module includes a log active obtaining module and a log passive obtaining module, wherein:
the log active acquisition module is used to actively initiate a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and the log passive acquisition module is used to passively receive a log sent by the baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the log obtaining apparatus further includes a log formatting module and a log classifying module, wherein:
the log formatting module is used to format the plaintext log;
the log classification module is used to classify the formatted logs by log category to form first-class log data; and to classify the logs by time while performing correlation analysis on the logs of the same time period across different clusters to form second-class log data.
In one embodiment, the log obtaining apparatus further includes a log processing and analyzing module, a log alarming module, and a log encrypting and decrypting module, wherein:
the log processing and analyzing module is used to analyze and process the first-class log data and, if a single server triggers an alarm threshold, send a first-class alarm instruction to the log alarm module; and to perform cluster joint analysis on the second-class log data and, if the cluster servers trigger an alarm threshold according to the association degree, send a second-class alarm instruction to the log alarm module;
the log alarm module is used to issue an alarm according to the alarm instruction from the log processing and analyzing module;
the log encryption and decryption module is used to generate a root sealing key, randomly generate a first-class encryption key and a second-class encryption key, encrypt the first-class encryption key and the second-class encryption key respectively with the root sealing key, store the encrypted first-class encryption key and second-class encryption key in a key database, encrypt the first-class log data with the first-class encryption key to form first-class log encrypted data, and encrypt the second-class log data with the second-class encryption key to form second-class log encrypted data; the log encryption and decryption module is further used to decrypt the first-class logs and the second-class logs respectively with the first-class encryption key and the second-class encryption key.
The server cluster log obtaining method and device based on SGX solve the problems of uniform collection and correlation analysis of the log data of a distributed server cluster; they meet the security requirements of encryption during log transmission, log processing and log storage; and they classify and grade the logs, store them by class, and improve the utilization rate of the logs.
Drawings
FIG. 1 is a schematic flowchart illustrating a server cluster log obtaining method based on SGX in an embodiment;
FIG. 2 is a block diagram of a server cluster log acquisition system based on SGX in an embodiment;
FIG. 3 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The application provides a server cluster log obtaining method and device based on SGX. The remote network control end creates an SGX-based enclave (trusted execution environment) and places the remote log acquisition and processing code in the enclave. The remote network control end program connects to all the BMCs in the cluster, and the remote network control end carries out a DH key exchange protocol with each BMC in the cluster to establish a separate communication key with each. Through the remote attestation function of SGX, each BMC verifies that the remote network control end program runs in a trusted enclave. The remote network control end then logs in to all the BMCs in the cluster and performs identity authentication. After identity authentication succeeds, the logs of the BMCs in the cluster are obtained using the communication keys; the remote network control end then decrypts the obtained encrypted logs inside the trusted execution environment and classifies the logs of the whole cluster: classifying by log type (system log, management log and network log) forms the first-class log data. The logs are also classified by time, and correlation analysis is performed on the logs of the same time period across different clusters, with association levels including strong dependence, weak dependence and no association, to form the second-class log data. The remote network control end uses SGX to generate a root sealing key and then randomly generates a first-class encryption key and a second-class encryption key. The first-class log data is encrypted with the first-class encryption key to form first-class log encrypted data, and the second-class log data is encrypted with the second-class encryption key to form second-class log encrypted data.
The first-class log encrypted data and the second-class log encrypted data are stored respectively in a log database. The first-class encryption key and the second-class encryption key are each encrypted with the root sealing key generated by SGX.
The remote network control end acquires the logs from the log database, decrypts the corresponding logs with the first-class encryption key and the second-class encryption key respectively, and audits them.
FIG. 1 is a schematic flowchart illustrating a server cluster log obtaining method based on SGX in an embodiment; FIG. 2 is a block diagram illustrating the structure of an SGX-based server cluster log obtaining system in an embodiment. The method and apparatus of the present application are described in detail below with reference to FIG. 1 and FIG. 2.
The application provides a server cluster log obtaining method and device based on SGX. The remote network control end, namely the SGX-based server cluster log obtaining device, runs on a host that supports the Intel SGX function, usually a server. The SGX-based server cluster log obtaining device, namely the remote network control end, comprises a log classification module, a log formatting module, a log alarm module, a log obtaining module, a communication encryption and decryption module, a log processing and analyzing module, an identity authentication module and a remote attestation module, wherein the log obtaining module comprises a log active obtaining module and a log passive obtaining module.
The server cluster log obtaining method based on the SGX comprises the following steps:
Step 101, creating an SGX-based trusted execution environment, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment.
Specifically, the remote network control end creates an SGX-based enclave, which is a trusted execution environment based on Intel hardware. The remote network control end places the remote log acquisition and processing code in the enclave; no one outside the enclave can obtain the code and data inside it, and data processing inside the enclave is confidential. The trusted execution environment of the remote network control end communicates with the untrusted execution environment through the ecall and ocall functions of SGX. The remote network control end is connected to the BMCs through the network and communicates using the IPMI protocol.
Step 102, connecting to the server baseboard management controllers in the server cluster through an IP network.
Specifically, the remote network control end program connects to all the BMCs in the cluster through an IP network.
Step 103, exchanging keys with each baseboard management controller in the cluster, establishing a separate communication key with each, and generating a quote for remote attestation for the baseboard management controllers in the cluster.
Specifically, the communication encryption and decryption module carries out a DH key exchange protocol with each BMC in the cluster and establishes a separate communication key with each. The remote attestation module then generates a QUOTE for remote attestation for the BMCs in the cluster.
Step 104, encrypting the quote with the communication key and sending the encrypted quote to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving it, verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge after remote attestation succeeds.
Specifically, the communication encryption and decryption module encrypts the QUOTE with the communication key and sends it to the BMCs in the cluster. Each BMC receives the remote attestation QUOTE, decrypts it, and verifies through the remote attestation function of SGX that the remote network control end program runs in the trusted enclave.
Step 105, responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication with the baseboard management controller.
Step 106, obtaining the baseboard management controller log after identity authentication succeeds.
Specifically, after remote attestation succeeds, the BMC initiates an identity authentication challenge to the remote network control end program, and the remote network control end performs BMC login authentication through its identity authentication module using an identity authentication protocol. After identity authentication succeeds, the BMC log acquisition operation can be carried out.
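As an added illustration of steps 103 to 106 (and of the corresponding items in the summary above), not code from the patent or from the applicant, the following Go program plays both the collector (the remote network control end) and one BMC in a single process: an X25519 key exchange standing in for the DH protocol, the quote encrypted under the resulting communication key and checked by the BMC, an HMAC challenge-response standing in for the identity authentication protocol, and the log returned under the communication key. Everything SGX-specific is simulated: TrustedMeasurement, the quote layout and the context label "bmc-comm-key-v1" are constructed stand-ins, and a real enclave would produce the quote through the SGX SDK (in C/C++) while the BMC would also verify its signature chain, which is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TrustedMeasurement stands in for the enclave measurement (MRENCLAVE) the BMC
// is provisioned to accept; constructed for this example, not from the patent.
var TrustedMeasurement = sha256.Sum256([]byte("log-collector-enclave-v1"))

// aead returns AES-256-GCM; keys here are always 32 bytes, so no error path.
func aead(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}

// commKey derives the per-BMC communication key from the X25519 shared secret
// (step 103); the context label is an assumption of this example.
func commKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append(shared, "bmc-comm-key-v1"...))
	return k[:], nil
}

// quote is a simplified stand-in for an SGX quote: the measurement followed by
// report data that binds it to the collector's DH public key, so a quote from
// one session cannot be replayed into another. A real BMC would additionally
// verify the quote's signature chain through Intel's attestation service.
func quote(measurement [32]byte, collectorPub *ecdh.PublicKey) []byte {
	bind := sha256.Sum256(collectorPub.Bytes())
	return append(measurement[:], bind[:]...)
}

// LoginResponse answers the BMC's identity challenge (step 105) with an HMAC
// over the nonce, so the login secret itself never crosses the wire.
func LoginResponse(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// RunSession plays both sides of steps 103 to 106 in one process and returns
// the log the collector recovered. measurement is what the collector's quote
// claims; bmcSecret is the credential the BMC holds for the collector account.
func RunSession(measurement [32]byte, collectorSecret, bmcSecret, bmcLog []byte) ([]byte, error) {
	collPriv, _ := ecdh.X25519().GenerateKey(rand.Reader) // fails only if the OS RNG does
	bmcPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// Step 103: each side derives the same communication key from the exchange.
	collKey, err1 := commKey(collPriv, bmcPriv.PublicKey())
	bmcKey, err2 := commKey(bmcPriv, collPriv.PublicKey())
	if err1 != nil || err2 != nil {
		return nil, errors.New("key exchange failed")
	}
	// Step 104: the quote travels encrypted under the communication key (nonce
	// sent alongside); the BMC decrypts it and checks measurement and binding.
	nonce := make([]byte, 12)
	rand.Read(nonce)
	sealed := aead(collKey).Seal(nil, nonce, quote(measurement, collPriv.PublicKey()), nil)
	q, err := aead(bmcKey).Open(nil, nonce, sealed, nil)
	if err != nil || !hmac.Equal(q, quote(TrustedMeasurement, collPriv.PublicKey())) {
		return nil, errors.New("remote attestation failed")
	}
	// Step 105: BMC challenge, collector HMAC response, BMC comparison.
	challenge := make([]byte, 16)
	rand.Read(challenge)
	if !hmac.Equal(LoginResponse(collectorSecret, challenge), LoginResponse(bmcSecret, challenge)) {
		return nil, errors.New("identity authentication failed")
	}
	// Step 106 (active fetch): the BMC returns the log under the same key with a
	// fresh nonce, since a GCM nonce must never repeat under one key.
	rand.Read(nonce)
	return aead(collKey).Open(nil, nonce, aead(bmcKey).Seal(nil, nonce, bmcLog, nil), nil)
}
```

RunSession returns an error at the first failed check, so a quote from an enclave with a different measurement, or a collector holding the wrong login credential, never reaches the log fetch. Binding the quote to the session's DH public key (the report data) is what stops a quote captured from one session from being replayed in another.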
In one embodiment, step 106 includes at least one of the following steps:
step 1061, actively initiating a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and step 1063, passively receiving a log sent by the baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
Specifically, the BMC log obtaining operation includes active log acquisition and passive log acquisition. In active log acquisition, the log active acquisition module of the remote network control end actively reads logs from a BMC in the cluster; the BMC encrypts the logs with the communication key and sends the encrypted logs to the remote network control end. In passive log acquisition, a log record in the BMC triggers an alarm threshold; the BMC encrypts the log with the communication key and sends it to the remote network control end, and the log passive acquisition module of the remote network control end passively receives the BMC log.
In one embodiment, the method further comprises:
step 107, decrypting the log of the baseboard management controller with the communication key to obtain the plaintext log information;
step 108, formatting the plaintext log;
step 109, classifying the formatted log by log category to form first-class log data; and classifying the logs by time while performing correlation analysis on the logs of the same time period across different clusters to form second-class log data.
Specifically, after the remote network control end obtains an encrypted log, it decrypts the log with the communication key to obtain the plaintext log information.
The remote network control end formats the plaintext log with the log formatting module; formatting includes adding the corresponding timestamp, the machine IP (Internet Protocol) address, the log type and so on. The remote network control end classifies the formatted logs through the log classification module: classifying by log category (system logs, management logs and network logs) forms the first-class log data. The logs are also classified by time, and correlation analysis is performed on the logs of the same time period across different clusters, with association levels including strong dependence, weak dependence and no association, to form the second-class log data.
In one embodiment, the method further comprises:
step 110, analyzing and processing the first-class log data, and sending a first-class alarm if a single server triggers an alarm threshold;
and step 111, performing cluster joint analysis on the second-class log data, and sending a second-class alarm if the cluster servers trigger an alarm threshold according to the association degree.
Specifically, the log processing and analyzing module analyzes and processes the first-class log data; if it finds that a single server has triggered an alarm threshold, the log alarm module issues a first-class alarm state and the corresponding handling operation is performed. The log processing and analyzing module also performs cluster joint analysis on the second-class log data; if the cluster servers trigger an alarm threshold according to the association degree, the log alarm module issues a second-class alarm state and the corresponding handling operation is performed.
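As an added illustration of steps 107 to 111, not code from the patent, the following Go program takes records that have already been decrypted and formatted, groups them by log category (first-class data), buckets them into one-minute windows across nodes and grades each window's cross-node association (second-class data), and applies the two alarm rules. The Record layout, SampleRecords, the association rule (critical events on two or more nodes in one window, "strong" when they share a log type) and the per-node threshold are all assumptions of this example; the patent names the association levels but does not fix the criteria.

```go
package main

import "time"

// Record is one formatted log entry (step 108): the BMC message plus the
// timestamp, node IP, log type and severity the collector attaches.
type Record struct {
	Time     time.Time
	NodeIP   string
	Type     string // "system", "management" or "network"
	Critical bool
	Msg      string
}

// FirstClass groups records by log category (step 109, first-class log data).
func FirstClass(recs []Record) map[string][]Record {
	out := map[string][]Record{}
	for _, r := range recs {
		out[r.Type] = append(out[r.Type], r)
	}
	return out
}

// Window is one time slice of second-class log data across all nodes.
type Window struct {
	Start       time.Time
	Records     []Record
	Association string // "strong", "weak" or "none"
}

// SecondClass buckets records into fixed-width windows and grades the cross-node
// association of each (step 109, second-class log data). The grading rule is an
// assumption of this example: critical events on two or more nodes in one window
// are "strong" when they share a log type, "weak" when they do not, else "none".
func SecondClass(recs []Record, width time.Duration) map[time.Time]Window {
	buckets := map[time.Time][]Record{}
	for _, r := range recs {
		buckets[r.Time.Truncate(width)] = append(buckets[r.Time.Truncate(width)], r)
	}
	wins := map[time.Time]Window{}
	for start, rs := range buckets {
		nodes, types := map[string]bool{}, map[string]bool{}
		for _, r := range rs {
			if r.Critical {
				nodes[r.NodeIP], types[r.Type] = true, true
			}
		}
		level := "none"
		if len(nodes) >= 2 && len(types) == 1 {
			level = "strong"
		} else if len(nodes) >= 2 {
			level = "weak"
		}
		wins[start] = Window{start, rs, level}
	}
	return wins
}

// Alarm is what the log alarm module emits: class 1 when one node's critical
// events in a category reach the threshold (step 110), class 2 for a window with
// strong cross-node association (step 111). The threshold form is assumed here.
type Alarm struct {
	Class  int
	Target string // "node/type" for class 1, window start for class 2
}

func Alarms(byType map[string][]Record, wins map[time.Time]Window, threshold int) []Alarm {
	counts := map[string]int{}
	for typ, rs := range byType {
		for _, r := range rs {
			if r.Critical {
				counts[r.NodeIP+"/"+typ]++
			}
		}
	}
	var out []Alarm
	for target, n := range counts {
		if n >= threshold {
			out = append(out, Alarm{1, target})
		}
	}
	for start, w := range wins {
		if w.Association == "strong" {
			out = append(out, Alarm{2, start.Format(time.RFC3339)})
		}
	}
	return out
}

// Constructed sample: three nodes over ten minutes, already decrypted (step 107)
// and formatted (step 108).
var SampleStart = time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
var SampleRecords = []Record{
	{SampleStart.Add(5 * time.Second), "10.0.0.1", "system", true, "CPU temperature above threshold"},
	{SampleStart.Add(9 * time.Second), "10.0.0.2", "system", true, "CPU temperature above threshold"},
	{SampleStart.Add(12 * time.Second), "10.0.0.1", "management", false, "user admin logged in"},
	{SampleStart.Add(220 * time.Second), "10.0.0.3", "network", true, "link down on eth0"},
	{SampleStart.Add(230 * time.Second), "10.0.0.1", "system", true, "fan 2 stopped"},
	{SampleStart.Add(9 * time.Minute), "10.0.0.2", "network", false, "link up on eth1"},
}
```

On the sample, the 10:00 window holds the same critical system event on two nodes and grades "strong", the 10:03 window holds critical events of different types on two nodes and grades "weak", and the 10:09 window has no critical event. With a threshold of 2, node 10.0.0.1 alone reaches two critical system events and raises the single-server alarm, while the 10:00 window raises the cluster-level one.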
In one embodiment, the method further comprises:
step 112, generating a root sealing key, and randomly generating a first-class encryption key and a second-class encryption key;
step 113, encrypting the first-class encryption key and the second-class encryption key respectively with the root sealing key, and storing the encrypted first-class encryption key and the encrypted second-class encryption key in a key database;
step 114, encrypting the first-class log data with the first-class encryption key to form first-class log encrypted data, and encrypting the second-class log data with the second-class encryption key to form second-class log encrypted data;
step 115, storing the first-class log encrypted data and the second-class log encrypted data respectively in a log database;
and step 116, acquiring the logs from the log database, and decrypting the first-class logs and the second-class logs respectively with the first-class encryption key and the second-class encryption key.
Specifically, the remote network control end generates a root sealing key through the log encryption and decryption module (the root sealing key is generated through the hardware mechanism of SGX and can be automatically re-derived when the program runs again). Then a first-class encryption key and a second-class encryption key are randomly generated. The first-class encryption key and the second-class encryption key are each encrypted with the root sealing key, and the encrypted first-class encryption key and second-class encryption key are stored in a key database. The first-class log data is encrypted with the first-class encryption key to form first-class log encrypted data, and the second-class log data is encrypted with the second-class encryption key to form second-class log encrypted data. The first-class log encrypted data and the second-class log encrypted data are stored respectively in a log database. The remote network control end acquires the logs from the log database, decrypts the corresponding logs with the first-class encryption key and the second-class encryption key respectively, and audits them.
In one embodiment, the method further comprises:
and step 117, updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and sending it to the baseboard management controller, or running the key exchange protocol again to generate a new key, thereby updating the communication key.
Specifically, the communication encryption and decryption module updates the communication key in real time. It generates a new communication key, encrypts it with the old communication key and sends it to the BMC; alternatively, a new key is generated by running the DH key exchange protocol again. Either way, the communication key is updated.
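The key hierarchy of steps 112 to 116 and the communication-key update of step 117, as an added Go example rather than the patent's own code: AES-256-GCM is assumed as the cipher (the text names none), the root sealing key is derived from a constructed seed in place of the SGX hardware key so that the program runs outside an enclave, and the key database and log database are in-memory maps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// rootSealingKey stands in for the SGX sealing key, which a real enclave gets from hardware
// (EGETKEY via the SGX SDK) and re-derives on every run; a constructed seed is this example's assumption.
func rootSealingKey(seed []byte) []byte {
	sum := sha256.Sum256(append([]byte("root-sealing-key:"), seed...))
	return sum[:]
}
// randBytes supplies the randomly generated class keys, communication keys and nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this example is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext. The aad names the blob's
// purpose, so a wrapped key can never be opened as a log record or vice versa.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails on a wrong key, a wrong aad or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// LogStore models the two databases of the text: KeyDB holds each class key wrapped under
// the root sealing key, LogDB the per-class encrypted records. Only the root key stays in memory.
type LogStore struct {
	root  []byte
	KeyDB map[string][]byte   // log class -> wrapped class key
	LogDB map[string][][]byte // log class -> encrypted records
}

// NewLogStore generates and wraps one key per log class ("first", "second").
func NewLogStore(root []byte) *LogStore {
	s := &LogStore{root: root, KeyDB: map[string][]byte{}, LogDB: map[string][][]byte{}}
	for _, class := range []string{"first", "second"} {
		s.KeyDB[class] = seal(root, randBytes(32), []byte("class-key:"+class))
	}
	return s
}
// classKey unwraps a class key from KeyDB with the root sealing key.
func (s *LogStore) classKey(class string) ([]byte, error) {
	return open(s.root, s.KeyDB[class], []byte("class-key:"+class))
}
// Store encrypts one record with its class key and appends it to LogDB.
func (s *LogStore) Store(class string, record []byte) error {
	k, err := s.classKey(class)
	if err != nil {
		return err
	}
	s.LogDB[class] = append(s.LogDB[class], seal(k, record, []byte("log:"+class)))
	return nil
}
// Read decrypts record i of a class for auditing; a tampered record fails to open.
func (s *LogStore) Read(class string, i int) ([]byte, error) {
	k, err := s.classKey(class)
	if err != nil {
		return nil, err
	}
	return open(k, s.LogDB[class][i], []byte("log:"+class))
}
// RotateCommKey is the first update path of step 117: a new communication key is sent wrapped
// under the old one; the BMC recovers it with open(old, wrapped, aad). The fresh-DH path is not shown.
func RotateCommKey(old []byte) (newKey, wrapped []byte) {
	newKey = randBytes(32)
	return newKey, seal(old, newKey, []byte("comm-key-update"))
}

func main() {
	store := NewLogStore(rootSealingKey([]byte("constructed-seed")))
	_ = store.Store("first", []byte("10.0.0.1 system ECC memory error"))
	fmt.Println(store.Read("first", 0))
}
```

Because every blob is bound to its purpose through the aad, a stored class key cannot be passed off as a log record, a first-type key cannot open a second-type record, and any change to the key database or log database is caught on decryption.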
The method and apparatus provide the following:
1. Log data of a distributed server cluster is collected in a unified manner and analyzed in a correlated manner.
2. The security requirements of encryption during log transmission, encryption during log processing, encryption during log storage and the like are met.
3. The logs are classified and graded and stored by class, which improves the utilization rate of the logs.
It should be understood that, although the steps in the flowchart of fig. 1 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the execution of these steps is not strictly limited in order, and they may be performed in other orders. Moreover, at least some of the steps in fig. 1 may include multiple sub-steps or stages, which are not necessarily performed at the same moment but may be performed at different moments, and whose order of execution is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
For the specific definition of the SGX-based server cluster log obtaining apparatus, reference may be made to the definition of the SGX-based server cluster log obtaining method above, which is not repeated here. All or some of the modules of the SGX-based server cluster log obtaining apparatus may be implemented in software, hardware, or a combination of the two. The modules may be embedded in hardware in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can call them and perform the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal whose internal structure may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program; the internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The network interface of the computer device communicates with an external terminal over a network connection. The computer program, when executed by the processor, implements the SGX-based server cluster log obtaining method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, a key, trackball or touchpad provided on the housing of the computer device, or an external keyboard, touchpad or mouse.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures related to the solution of the present application and does not limit the computer device to which the solution is applied; a particular computer device may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor performing the following steps when executing the computer program:
creating an SGX-based trusted execution environment, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment;
connecting to the server baseboard management controllers of a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster to establish a respective communication key, and generating a quote for remote attestation to the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending it to the baseboard management controllers in the cluster, so that a baseboard management controller, on receiving the remote attestation, decrypts the quote, verifies through the remote attestation function of SGX that the remote network control end program is running in a trusted execution environment, and initiates an identity authentication challenge after remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to complete login authentication with the baseboard management controller;
and after identity authentication succeeds, acquiring the logs of the baseboard management controller.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
actively initiating a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and passively receiving a log sent by a baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs by log category to form first-type log data; and classifying the logs by time while performing association analysis on logs from the same time period on different clusters to form second-type log data.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
analyzing the first-type log data, and issuing a first-type alarm if a single server triggers an alarm threshold;
and performing cluster joint analysis on the second-type log data, and issuing a second-type alarm if the cluster servers trigger an alarm threshold according to the association degree.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
generating a root sealing key, and randomly generating a first-type encryption key and a second-type encryption key;
encrypting the first-type encryption key and the second-type encryption key respectively with the root sealing key, and storing the encrypted first-type encryption key and the encrypted second-type encryption key in a key database;
encrypting the first-type log data with the first-type encryption key to form first-type encrypted log data, and encrypting the second-type log data with the second-type encryption key to form second-type encrypted log data;
storing the first-type encrypted log data and the second-type encrypted log data respectively in a log database;
and acquiring logs from the log database, and decrypting the first-type logs and the second-type logs with the first-type encryption key and the second-type encryption key respectively.
In one embodiment, the processor, when executing the computer program, further performs the step of:
updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and sending it to the baseboard management controller, or running the key exchange protocol again to generate a new key, thereby updating the communication key.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored that, when executed by a processor, performs the following steps:
creating an SGX-based trusted execution environment, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment;
connecting to the server baseboard management controllers of a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster to establish a respective communication key, and generating a quote for remote attestation to the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending it to the baseboard management controllers in the cluster, so that a base​board management controller, on receiving the remote attestation, decrypts the quote, verifies through the remote attestation function of SGX that the remote network control end program is running in a trusted execution environment, and initiates an identity authentication challenge after remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to complete login authentication with the baseboard management controller;
and after identity authentication succeeds, acquiring the logs of the baseboard management controller.
In one embodiment, the computer program, when executed by the processor, further performs the steps of:
actively initiating a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and passively receiving a log sent by a baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the computer program, when executed by the processor, further performs the steps of:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs by log category to form first-type log data; and classifying the logs by time while performing association analysis on logs from the same time period on different clusters to form second-type log data.
In one embodiment, the computer program, when executed by the processor, further performs the steps of:
analyzing the first-type log data, and issuing a first-type alarm if a single server triggers an alarm threshold;
and performing cluster joint analysis on the second-type log data, and issuing a second-type alarm if the cluster servers trigger an alarm threshold according to the association degree.
In one embodiment, the computer program, when executed by the processor, further performs the steps of:
generating a root sealing key, and randomly generating a first-type encryption key and a second-type encryption key;
encrypting the first-type encryption key and the second-type encryption key respectively with the root sealing key, and storing the encrypted first-type encryption key and the encrypted second-type encryption key in a key database;
encrypting the first-type log data with the first-type encryption key to form first-type encrypted log data, and encrypting the second-type log data with the second-type encryption key to form second-type encrypted log data;
storing the first-type encrypted log data and the second-type encrypted log data respectively in a log database;
and acquiring logs from the log database, and decrypting the first-type logs and the second-type logs with the first-type encryption key and the second-type encryption key respectively.
In one embodiment, the computer program, when executed by the processor, further performs the step of:
updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and sending it to the baseboard management controller, or running the key exchange protocol again to generate a new key, thereby updating the communication key.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The embodiments described above express only several implementations of the present application, and while their description is specific and detailed, it should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the scope of protection of the present patent shall be determined by the appended claims.

Claims (10)

1. An SGX-based server cluster log obtaining method, characterized by comprising the following steps:
creating an SGX-based trusted execution environment, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment;
connecting to the server baseboard management controllers of a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster to establish a respective communication key, and generating a quote for remote attestation to the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending it to the baseboard management controllers in the cluster, so that a baseboard management controller, on receiving the remote attestation, decrypts the quote, verifies through the remote attestation function of SGX that the remote network control end program is running in a trusted execution environment, and initiates an identity authentication challenge after remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to complete login authentication with the baseboard management controller;
and after identity authentication succeeds, acquiring the logs of the baseboard management controller.
2. The SGX-based server cluster log obtaining method of claim 1, wherein acquiring the logs of the baseboard management controller comprises at least one of:
actively initiating a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and passively receiving a log sent by a baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
3. The SGX-based server cluster log obtaining method of claim 1, wherein the method further comprises:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs by log category to form first-type log data; and classifying the logs by time while performing association analysis on logs from the same time period on different clusters to form second-type log data.
4. The SGX-based server cluster log obtaining method of claim 3, wherein the method further comprises:
analyzing the first-type log data, and issuing a first-type alarm if a single server triggers an alarm threshold;
and performing cluster joint analysis on the second-type log data, and issuing a second-type alarm if the cluster servers trigger an alarm threshold according to the association degree.
5. The SGX-based server cluster log obtaining method of claim 3, wherein the method further comprises:
generating a root sealing key, and randomly generating a first-type encryption key and a second-type encryption key;
encrypting the first-type encryption key and the second-type encryption key respectively with the root sealing key, and storing the encrypted first-type encryption key and the encrypted second-type encryption key in a key database;
encrypting the first-type log data with the first-type encryption key to form first-type encrypted log data, and encrypting the second-type log data with the second-type encryption key to form second-type encrypted log data;
storing the first-type encrypted log data and the second-type encrypted log data respectively in a log database;
and acquiring logs from the log database, and decrypting the first-type logs and the second-type logs with the first-type encryption key and the second-type encryption key respectively.
6. The SGX-based server cluster log obtaining method of claim 1, wherein the method further comprises:
updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and sending it to the baseboard management controller, or running the key exchange protocol again to generate a new key, thereby updating the communication key.
7. An SGX-based server cluster log obtaining device, characterized in that the log obtaining device creates an SGX-based trusted execution environment, places the remote log acquisition and processing code in the SGX-based trusted execution environment, and connects to the server baseboard management controllers of a server cluster through an IP network, the log obtaining device comprising a communication encryption and decryption module, a remote attestation module, an identity authentication module and a log obtaining module, wherein:
the communication encryption and decryption module is used to run a key exchange protocol with each baseboard management controller in the cluster and establish a respective communication key; to encrypt the quote generated by the remote attestation module with the communication key and send it to the baseboard management controllers in the cluster, so that a baseboard management controller, on receiving the remote attestation, decrypts the quote and verifies through the remote attestation function of SGX that the remote network control end program is running in a trusted execution environment; and to decrypt the baseboard management controller log with the communication key to obtain the plaintext log information;
the remote attestation module is used to generate a quote for remote attestation to the baseboard management controllers in the cluster;
the identity authentication module is used to respond to the identity authentication challenge that a baseboard management controller initiates to the remote network control end after remote attestation succeeds, and to complete login authentication with the baseboard management controller using an identity authentication protocol;
and the log obtaining module is used to acquire the logs of the baseboard management controller after identity authentication succeeds.
8. The SGX-based server cluster log obtaining device of claim 7, wherein the log obtaining module comprises an active log acquisition module and a passive log acquisition module, wherein:
the active log acquisition module is used to actively initiate a log read request to a baseboard management controller in the cluster, triggering the baseboard management controller to encrypt the log with the communication key and return the encrypted log;
and the passive log acquisition module is used to passively receive a log sent by a baseboard management controller because a log record has triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
9. The SGX-based server cluster log obtaining device of claim 7, wherein the log obtaining device further comprises a log formatting module and a log classification module, wherein:
the log formatting module is used to format the plaintext log;
the log classification module is used to classify the formatted logs by log category to form first-type log data, and to classify the logs by time while performing association analysis on logs from the same time period on different clusters to form second-type log data.
10. The SGX-based server cluster log obtaining device of claim 9, wherein the log obtaining device further comprises a log processing and analyzing module, a log alarm module and a log encryption and decryption module, wherein:
the log processing and analyzing module is used to analyze the first-type log data and, if a single server triggers an alarm threshold, send a first-type alarm instruction to the log alarm module; and to perform cluster joint analysis on the second-type log data and, if the cluster servers trigger an alarm threshold according to the association degree, send a second-type alarm instruction to the log alarm module;
the log alarm module is used to issue an alarm according to the alarm instruction from the log processing and analyzing module;
the log encryption and decryption module is used to generate a root sealing key, randomly generate a first-type encryption key and a second-type encryption key, encrypt the first-type encryption key and the second-type encryption key respectively with the root sealing key, store the encrypted first-type encryption key and the encrypted second-type encryption key in a key database, encrypt the first-type log data with the first-type encryption key to form first-type encrypted log data, and encrypt the second-type log data with the second-type encryption key to form second-type encrypted log data; the log encryption and decryption module is further used to decrypt the first-type logs and the second-type logs with the first-type encryption key and the second-type encryption key respectively.
Application CN202111341369.5A, priority date 2021-11-12, filing date 2021-11-12: SGX-based server cluster log acquisition method and device (active; granted as CN114189515B).

Publications (2)

Publication Number Publication Date
CN114189515A true CN114189515A (en) 2022-03-15
CN114189515B CN114189515B (en) 2023-08-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant