CN114189515B - SGX-based server cluster log acquisition method and device - Google Patents

SGX-based server cluster log acquisition method and device

Info

Publication number: CN114189515B
Authority: CN (China)
Prior art keywords: log, type, key, management controller, cluster
Legal status: Active (Google's automatically derived status, not a legal conclusion)
Application number: CN202111341369.5A
Other languages: Chinese (zh)
Other versions: CN114189515A (en)
Inventor: 麻付强
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (as listed by Google, not legally verified)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Application CN202111341369.5A filed by Suzhou Inspur Intelligent Technology Co Ltd; priority claimed to CN202111341369.5A
Publication of CN114189515A; application granted; publication of CN114189515B
Legal status: Active; anticipated expiration date not shown on the page

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to an SGX-based method and device for acquiring server cluster logs. The remote log acquisition and processing code is placed in a trusted execution environment (an SGX enclave). The log acquisition device connects to every BMC in the cluster, runs a DH key exchange with each BMC and establishes a separate communication key with each. Through the SGX remote attestation function, each BMC verifies that the log acquisition device's program runs inside a trusted enclave; the device then logs in to every BMC in the cluster and, once identity authentication succeeds, obtains the BMC logs under the communication key. Log data from the distributed server cluster is collected centrally and correlation analysis is performed across it; the log transmission, processing and storage paths are each encrypted; and the logs are classified and graded, stored by class, and thereby made more useful.

Description

SGX-based server cluster log acquisition method and device
Technical Field
The present disclosure relates to the field of cloud computing technologies, and in particular, to a method and an apparatus for obtaining a server cluster log based on SGX.
Background
In the cloud computing era, stable operation of the servers in a cloud platform is a precondition for reliable cloud services. Conventional server operation and maintenance relies on operators using the operating system's remote desktop or walking the machine room. This is inefficient and, once a server has gone down, leaves no way to establish the cause. Using the server's Intelligent Platform Management Interface (IPMI), an administrator can instead reach a remote server over the network from anywhere, analyse the state and faults of the server from the retrieved event log and sensor data records, confirm the cause of a fault, recover the server through the relevant settings, and catch latent problems earlier through early-warning functions, keeping services running. The Baseboard Management Controller (BMC) is the embedded management controller that implements IPMI. The BMC on the server mainboard reads the on-board sensors (temperature, fan speed, voltage, power consumption and so on), collects sensor logs and system logs, and also provides operational control of the server.
Intel SGX is an extension of the Intel architecture that adds a new instruction set and memory access mechanism. These extensions allow an application to create a container called an enclave: a protected region in the application's address space whose code and data receive confidentiality and integrity protection against malicious software, including software running with elevated privilege such as the operating system or hypervisor.
In server management the BMC generates and records a System Event Log (SEL). A user or technician accesses it through a log browser that extracts the information from the SEL and presents it in hexadecimal or decoded form; through it the server can be monitored for alerts or potentially significant problems, the SEL data can be saved to a file for later analysis, or existing SEL data on the server can be cleared. What cannot be obtained this way is a log of the BMC's entire contents. Separately, a remote control end accesses the BMC over the network to retrieve the server's logs (system logs, management logs and network logs).
The latest IPMI version improves security by strengthening authentication and encryption: authentication based on secure hash algorithms and on keyed-hash message authentication (HMAC), and encryption including RC4 and the like. It is the introduction of these functions that lets a server administrator operate remotely with some safety. However, the traffic is decrypted at the remote control end, where the logs are then handled in plaintext, so the management host itself remains an exposure point.
To keep track of the state of each node and spot abnormal conditions in time, maintenance staff usually need to monitor every node during operation. Once the network is in place, staff can log in to each node remotely, one by one, and manage each node remotely. With a large number of nodes, however, this maintenance work is extremely tedious and complex, the efficiency is low, and problems arising during operation are not found in time. No function for correlating logs across the server cluster exists. Servers in a cluster normally work in concert, and when one server fails the others can be affected, so correlation analysis across the cluster's logs is needed.
Disclosure of Invention
Based on the foregoing, it is necessary to provide an SGX-based server cluster log acquisition method and device.
In one aspect, an SGX-based method for obtaining server cluster logs is provided, the method including:
creating an SGX-based trusted execution environment and placing the remote log acquisition and processing code in it;
connecting to the baseboard management controllers of the servers in the server cluster over an IP network;
performing a key exchange with each baseboard management controller in the cluster, establishing a separate communication key with each, and generating a quote for remote attestation toward the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending it to the baseboard management controllers in the cluster, so that each baseboard management controller, after receiving the remote attestation quote, decrypts it, verifies through the SGX remote attestation function that the remote network control end program runs in a trusted execution environment, and, once remote attestation succeeds, initiates an identity authentication challenge;
responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication against the baseboard management controller;
and, after identity authentication succeeds, acquiring the baseboard management controller's log.
In one embodiment, acquiring the baseboard management controller log comprises at least one of:
actively initiating a log read request to the baseboard management controllers in the cluster, triggering each baseboard management controller to encrypt its log with the communication key and return the encrypted log;
passively receiving a log sent by a baseboard management controller because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the method further comprises:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs by log category to form first-class log data; and classifying the logs by time and performing association analysis on logs from the same time period on different clusters to form second-class log data.
In one embodiment, the method further comprises:
analysing the first-class log data and, if a single server has triggered an alarm threshold, raising a first-class alarm;
performing cluster joint analysis on the second-class log data and, if the cluster's servers have triggered an alarm threshold according to the degree of association, raising a second-class alarm.
In one embodiment, the method further comprises:
generating a root sealing key, and randomly generating a first-class encryption key and a second-class encryption key;
encrypting the first-class and second-class encryption keys with the root sealing key and storing the encrypted keys in a key database;
encrypting the first-class log data with the first-class encryption key to form first-class encrypted log data, and the second-class log data with the second-class encryption key to form second-class encrypted log data;
storing the first-class and second-class encrypted log data in a log database;
and obtaining logs from the log database and decrypting the first-class and second-class logs with the first-class and second-class encryption keys respectively.
In one embodiment, the method further comprises:
updating the communication key continuously: when a new communication key is generated, either encrypting it with the old communication key and sending it to the baseboard management controller, or running the key exchange protocol again to generate the new key.
In another aspect, an SGX-based server cluster log acquisition device is provided. The device creates an SGX-based trusted execution environment, places the remote log acquisition and processing code in it, and connects to the baseboard management controllers of the servers in the server cluster over an IP network. The device comprises a communication encryption and decryption module, a remote attestation module, an identity authentication module and a log acquisition module, wherein:
the communication encryption and decryption module runs a key exchange protocol with each baseboard management controller in the cluster and establishes a separate communication key with each; encrypts the quote generated by the remote attestation module with the communication key and sends it to the baseboard management controllers in the cluster, so that each baseboard management controller decrypts the received remote attestation quote and verifies through the SGX remote attestation function that the remote network control end program runs in a trusted execution environment; and decrypts the baseboard management controller log with the communication key to obtain the plaintext log information;
the remote attestation module generates the quote for remote attestation toward the baseboard management controllers in the cluster;
the identity authentication module responds to the identity authentication challenge that a baseboard management controller initiates toward the remote network control end after remote attestation succeeds, and performs login authentication against the baseboard management controller using an identity authentication protocol;
and the log acquisition module performs baseboard management controller log acquisition after identity authentication succeeds.
In one embodiment, the log acquisition module comprises an active log acquisition module and a passive log acquisition module, wherein:
the active log acquisition module actively initiates a log read request to the baseboard management controllers in the cluster, triggering each to encrypt its log with the communication key and return the encrypted log;
and the passive log acquisition module passively receives a log that a baseboard management controller sends because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the log acquisition device further comprises a log formatting module and a log classification module, wherein:
the log formatting module formats the plaintext log;
the log classification module classifies the formatted logs by log category to form first-class log data, and classifies the logs by time and performs association analysis on logs from the same time period on different clusters to form second-class log data.
In one embodiment, the log acquisition device further comprises a log processing and analysis module, a log alarm module and a log encryption and decryption module, wherein:
the log processing and analysis module analyses the first-class log data and, if a single server has triggered an alarm threshold, sends a first-class alarm instruction to the log alarm module; it performs cluster joint analysis on the second-class log data and, if the cluster's servers have triggered an alarm threshold according to the degree of association, sends a second-class alarm instruction to the log alarm module;
the log alarm module raises alarms according to the alarm instructions from the log processing and analysis module;
the log encryption and decryption module generates a root sealing key, randomly generates a first-class encryption key and a second-class encryption key, encrypts each with the root sealing key and stores the encrypted keys in a key database, encrypts the first-class log data with the first-class encryption key to form first-class encrypted log data and the second-class log data with the second-class encryption key to form second-class encrypted log data; it also decrypts the first-class and second-class logs with the first-class and second-class encryption keys respectively.
The SGX-based server cluster log acquisition method and device above collect the log data of a distributed server cluster centrally and provide correlation analysis across it; they meet the security requirements of encrypting the log transmission, log processing and log storage paths; and they classify and grade the logs, store them by class, and so make the logs more useful.
Drawings
FIG. 1 is a flow chart of a method for obtaining server cluster logs based on SGX in one embodiment;
FIG. 2 is a block diagram of a server cluster log acquisition system based on SGX in one embodiment;
FIG. 3 is an internal block diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The application provides an SGX-based server cluster log acquisition method and device. The remote network control end creates an SGX enclave (trusted execution environment) and places the remote log acquisition and processing code inside it. The remote network control end's program connects to every BMC in the cluster, runs a DH key exchange with each BMC and establishes a separate communication key with each. Each BMC verifies, through the SGX remote attestation function, that the remote network control end program runs in a trusted enclave. The remote network control end then logs in to every BMC in the cluster and performs identity authentication. After identity authentication succeeds, the BMC logs in the cluster are obtained under the communication key; the remote network control end decrypts the encrypted logs inside the trusted execution environment and classifies the whole cluster's logs by log type (system log, management log, network log) to form first-class log data. The logs are also classified by time, and logs from the same time period on different clusters are correlated, with association levels such as strong dependence, weak dependence and no association, to form second-class log data. The remote network control end generates a root sealing key using SGX and then randomly generates a first-class encryption key and a second-class encryption key. The first-class log data is encrypted with the first-class encryption key to form first-class encrypted log data, and the second-class log data with the second-class encryption key to form second-class encrypted log data.
The first-class and second-class encrypted log data are stored in the log database. The first-class and second-class encryption keys are themselves encrypted with the root sealing key generated by SGX.
The remote network control end obtains logs from the log database, decrypts them with the first-class or second-class encryption key as appropriate, and audits them.
FIG. 1 is a flow chart of the SGX-based server cluster log acquisition method in one embodiment; FIG. 2 is a block diagram of the SGX-based server cluster log acquisition system in one embodiment. The method and apparatus are described below with reference to FIG. 1 and FIG. 2.
The remote network control end, i.e. the SGX-based server cluster log acquisition device, runs on a host that supports Intel SGX, usually a server. It comprises a log classification module, a log formatting module, a log alarm module, a log acquisition module, a communication encryption and decryption module, a log processing and analysis module, an identity authentication module and a remote attestation module; the log acquisition module comprises an active log acquisition module and a passive log acquisition module.
The SGX-based server cluster log acquisition method provided by the application comprises the following steps:
Step 101: create an SGX-based trusted execution environment and place the remote log acquisition and processing code in it.
Specifically, the remote network control end creates an SGX enclave, the Intel trusted execution environment, and places the remote log acquisition and processing code inside it. Code and data inside the enclave cannot be read or modified by software outside it, including the operating system and hypervisor, so the data processing inside the enclave is confidential. (SGX protects the enclave's memory at run time; the enclave binary itself is measured at load, not hidden.) The trusted execution environment of the remote network control end communicates with the untrusted execution environment through SGX ECALL and OCALL functions. The remote network control end connects to the BMCs over the network and communicates with them using the IPMI protocol.
Step 102: connect to the baseboard management controllers of the servers in the server cluster over an IP network.
Specifically, the remote network control end program connects to all BMCs in the cluster over the IP network.
Step 103: perform a key exchange with each baseboard management controller in the cluster, establish a separate communication key with each, and generate a quote for remote attestation toward the baseboard management controllers in the cluster.
Specifically, the communication encryption and decryption module runs a DH key exchange with each BMC in the cluster and establishes a communication key with each. The remote attestation module then generates a QUOTE for remote attestation toward the BMCs in the cluster.
Step 104: encrypt the quote with the communication key and send it to the baseboard management controllers in the cluster, so that each baseboard management controller decrypts the received remote attestation quote, verifies through the SGX remote attestation function that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge once remote attestation succeeds.
Specifically, the communication encryption and decryption module encrypts the QUOTE with the communication key and sends it to the BMCs in the cluster. Each BMC decrypts the received remote attestation QUOTE and verifies through the SGX remote attestation function that the remote network control end program runs in a trusted enclave.
Step 105: respond to the identity authentication challenge initiated by the baseboard management controller and perform login authentication against the baseboard management controller.
Step 106: after identity authentication succeeds, acquire the baseboard management controller's log.
Specifically, after remote attestation succeeds the BMC initiates an identity authentication challenge toward the remote network control end program, and the remote network control end's identity authentication module performs BMC login authentication using an identity authentication protocol. After identity authentication succeeds, BMC log acquisition can begin.
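Steps 103 to 105 as a worked exchange, added here as an example; it is not the patent's code, and the patent specifies no concrete algorithms or message formats. X25519 for the DH exchange, the HKDF-style key derivation, the HMAC-simulated quote with its `ATTESTATION_KEY` and `EXPECTED_MRENCLAVE`, and all function names are assumptions of this example. It shows the check a practitioner should insist on at step 104: the quote's REPORTDATA must commit to the DH public key the BMC actually received. Without that binding, an active attacker on the IP network can run its own DH exchange with the BMC and relay the genuine enclave quote, and the BMC would accept it. A real deployment replaces the simulated quote with a hardware-signed SGX quote and verifies it through Intel's attestation service or DCAP; the encryption of the quote under the communication key and the IPMI login that follows are left out.

```python
# Added example (not the patent's code): X25519 exchange between the enclave-side log
# collector and one BMC, with the quote's REPORTDATA bound to the collector's DH key.
# The quote is simulated with an HMAC under ATTESTATION_KEY; a real BMC verifies a
# hardware-signed SGX quote instead. All names and keys here are assumptions.
import hashlib
import hmac
import os

P = 2**255 - 19                         # Curve25519 field prime
A24 = 121665                            # (486662 - 2) / 4, RFC 7748 ladder constant
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 section 5 Montgomery ladder in pure Python (dependency-free, not constant-time)."""
    n = _clamp(k)
    u = bytearray(u)
    u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_comm_key(shared: bytes, collector_pub: bytes, bmc_pub: bytes) -> bytes:
    """HKDF-style extract-then-expand over SHA-256. Both public keys go into the info
    string, so the two sides derive the same key only if they saw the same transcript."""
    prk = hmac.new(b"sgx-bmc-log-v1", shared, hashlib.sha256).digest()
    return hmac.new(prk, b"comm-key" + collector_pub + bmc_pub + b"\x01", hashlib.sha256).digest()

# Simulated quoting-enclave signing key and collector enclave measurement (assumptions).
ATTESTATION_KEY = hashlib.sha256(b"simulated quoting key").digest()
EXPECTED_MRENCLAVE = hashlib.sha256(b"collector-enclave-build-1").digest()

def make_quote(mrenclave: bytes, report_data: bytes) -> bytes:
    """Enclave side: body mirrors an SGX REPORT's MRENCLAVE (32 B) and REPORTDATA (32 B)."""
    body = mrenclave + report_data
    return body + hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()

def verify_quote(quote: bytes, expected_mrenclave: bytes, peer_dh_pub: bytes) -> bool:
    """BMC side: trusted signer, expected measurement, and REPORTDATA bound to the DH key."""
    body, sig = quote[:64], quote[64:]
    if not hmac.compare_digest(sig, hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()):
        return False                    # not issued by the trusted quoting key
    if not hmac.compare_digest(body[:32], expected_mrenclave):
        return False                    # some other enclave build
    # REPORTDATA must commit to the DH key this BMC received; this is what defeats a relay.
    return hmac.compare_digest(body[32:], hashlib.sha256(peer_dh_pub).digest())

def handshake(mitm: bool = False):
    """Run the exchange. With mitm=True an attacker on the IP network substitutes its own
    DH key toward the BMC while relaying the genuine quote. Returns (bmc_accepts, col_key, bmc_key)."""
    col_priv, bmc_priv = os.urandom(32), os.urandom(32)
    col_pub, bmc_pub = x25519(col_priv, BASEPOINT), x25519(bmc_priv, BASEPOINT)
    quote = make_quote(EXPECTED_MRENCLAVE, hashlib.sha256(col_pub).digest())
    pub_seen_by_bmc = x25519(os.urandom(32), BASEPOINT) if mitm else col_pub
    bmc_accepts = verify_quote(quote, EXPECTED_MRENCLAVE, pub_seen_by_bmc)
    bmc_key = derive_comm_key(x25519(bmc_priv, pub_seen_by_bmc), pub_seen_by_bmc, bmc_pub)
    col_key = derive_comm_key(x25519(col_priv, bmc_pub), col_pub, bmc_pub)
    return bmc_accepts, col_key, bmc_key

def rfc7748_selfcheck() -> bool:
    """Alice/Bob test vector from RFC 7748 section 6.1; guards the ladder above."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    k = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return x25519(a, x25519(b, BASEPOINT)).hex() == k == x25519(b, x25519(a, BASEPOINT)).hex()
```

`handshake()` returns whether the BMC accepted the quote together with both sides' derived keys; in the honest run the BMC accepts and the keys match, with `mitm=True` the BMC rejects the relayed quote and the two keys differ. The pure-Python ladder is not constant-time and is here only to keep the example free of third-party dependencies.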
In one embodiment, step 106 comprises at least one of the following steps:
Step 1061: actively initiate a log read request to the baseboard management controllers in the cluster, triggering each baseboard management controller to encrypt its log with the communication key and return the encrypted log;
Step 1063: passively receive a log sent by a baseboard management controller because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
Specifically, BMC log acquisition comprises active and passive acquisition. In active acquisition, the active log acquisition module of the remote network control end issues a log read operation to the BMCs in the cluster; each BMC encrypts its log with the communication key and sends the encrypted log to the remote network control end. In passive acquisition, a log record in the BMC triggers an alarm threshold; the BMC encrypts the log with the communication key and sends it to the remote network control end, where the passive log acquisition module receives it.
In one embodiment, the method further comprises:
Step 107: decrypt the baseboard management controller log with the communication key to obtain the plaintext log information;
Step 108: format the plaintext log;
Step 109: classify the formatted logs by log category to form first-class log data; and classify the logs by time and perform association analysis on logs from the same time period on different clusters to form second-class log data.
Specifically, after the remote network control end obtains the encrypted log, it decrypts it with the communication key to obtain the plaintext log information.
The remote network control end formats the plaintext log with the log formatting module, adding the corresponding timestamp, machine IP, log type and so on. It then classifies the formatted logs with the log classification module: by log type (system log, management log, network log) to form first-class log data; and by time, correlating the logs from the same time period on different clusters with association levels such as strong dependence, weak dependence and no association, to form second-class log data.
In one embodiment, the method further comprises:
Step 110: analyse the first-class log data and, if a single server has triggered an alarm threshold, raise a first-class alarm;
Step 111: perform cluster joint analysis on the second-class log data and, if the cluster's servers have triggered an alarm threshold according to the degree of association, raise a second-class alarm.
Specifically, the log processing and analysis module analyses the first-class log data; if a single server is found to have triggered an alarm threshold, a first-class alarm state is raised through the log alarm module and the corresponding handling is performed. The log processing and analysis module also performs cluster joint analysis on the second-class log data; if the cluster's servers are found to have triggered an alarm threshold according to the degree of association, a second-class alarm state is raised through the log alarm module and the corresponding handling is performed.
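Steps 107 to 111 over constructed sample data, added here as an example (not the patent's code). The raw line format, the three-node inventory in `CLUSTER_OF`, the per-type alarm thresholds and the association rule (strong when the same kind of event appears in every cluster within the window, weak when it appears in more than one, none otherwise) are all assumptions of this example; the patent names the association levels but does not say how they are computed.

```python
# Added example (not the patent's code): steps 107 to 111 over constructed BMC log
# lines. The raw line format, the node-to-cluster inventory, the thresholds and the
# association rule are assumptions of this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: (node IP, log type, decrypted raw line) from three BMCs.
RAW_LOGS = [
    ("10.0.1.11", "system", "2024-03-01T10:00:05Z Temp CPU0 91C above threshold 90C"),
    ("10.0.1.11", "system", "2024-03-01T10:00:20Z Fan FAN2 0RPM lower critical"),
    ("10.0.1.11", "network", "2024-03-01T10:00:28Z Link eth0 down"),
    ("10.0.1.12", "network", "2024-03-01T10:00:31Z Link eth0 down"),
    ("10.0.1.13", "network", "2024-03-01T10:00:42Z Link eth0 down"),
    ("10.0.1.12", "management", "2024-03-01T10:00:50Z User admin login failed"),
    ("10.0.1.13", "management", "2024-03-01T10:00:55Z User admin login failed"),
    ("10.0.1.11", "management", "2024-03-01T10:03:10Z User auditor login ok"),
]
CLUSTER_OF = {"10.0.1.11": "clusterA", "10.0.1.12": "clusterB", "10.0.1.13": "clusterC"}
FIRST_CLASS_THRESHOLD = {"system": 2, "management": 2, "network": 2}  # events per node, assumed

@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    ip: str
    cluster: str
    log_type: str
    message: str

def format_log(ip: str, log_type: str, raw: str) -> LogRecord:
    """Step 108: attach timestamp (normalised to UTC), machine IP and log type."""
    stamp, _, message = raw.partition(" ")
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LogRecord(ts, ip, CLUSTER_OF[ip], log_type, message)

def classify_by_type(records):
    """Step 109, first-class data: one bucket per log type."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r.log_type].append(r)
    return dict(buckets)

def classify_by_time(records, window_s: int = 60):
    """Step 109, second-class data: fixed time windows, each tagged with the strongest
    cross-cluster association found in it. Assumed rule: an event kind (log type plus
    first word of the message) seen in every cluster is 'strong', in more than one
    cluster 'weak', otherwise 'none'."""
    n_clusters = len(set(CLUSTER_OF.values()))
    windows = defaultdict(list)
    for r in records:
        start = int(r.ts.timestamp()) // window_s * window_s
        windows[datetime.fromtimestamp(start, timezone.utc).isoformat()].append(r)
    result = {}
    for start, recs in sorted(windows.items()):
        clusters_by_kind = defaultdict(set)
        for r in recs:
            clusters_by_kind[(r.log_type, r.message.split()[0])].add(r.cluster)
        level = "none"
        for clusters in clusters_by_kind.values():
            if len(clusters) == n_clusters:
                level = "strong"
                break
            if len(clusters) > 1:
                level = "weak"
        result[start] = {"records": recs, "association": level}
    return result

def first_class_alarms(by_type):
    """Step 110: a single node crossing its per-type threshold raises a first-class alarm."""
    counts = defaultdict(int)
    for log_type, recs in by_type.items():
        for r in recs:
            counts[(r.ip, log_type)] += 1
    return sorted(f"class-1 {ip} {t} count={c}" for (ip, t), c in counts.items()
                  if c >= FIRST_CLASS_THRESHOLD[t])

def second_class_alarms(by_time, alarm_levels=("strong",)):
    """Step 111: a window whose cross-cluster association reaches an alarm level."""
    return [f"class-2 window={start} association={w['association']}"
            for start, w in by_time.items() if w["association"] in alarm_levels]

def run_pipeline():
    records = [format_log(*entry) for entry in RAW_LOGS]
    by_type = classify_by_type(records)
    by_time = classify_by_time(records)
    return by_type, by_time, first_class_alarms(by_type), second_class_alarms(by_time)
```

On the sample, `run_pipeline()` raises one first-class alarm (node 10.0.1.11 has two system events) and one second-class alarm (the 10:00 window, where the link-down event appears in all three clusters); the two failed admin logins span only two clusters and would rate as weak on their own.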
In one embodiment, the method further comprises:
step 112, generating a root sealing key, and randomly generating a first-type encryption key and a second-type encryption key;
step 113, encrypting the first-type encryption key and the second-type encryption key respectively with the root sealing key, and storing the encrypted first-type and second-type encryption keys in a key database;
step 114, encrypting the first-type log data with the first-type encryption key to form first-type log encrypted data, and encrypting the second-type log data with the second-type encryption key to form second-type log encrypted data;
step 115, storing the first-type log encrypted data and the second-type log encrypted data in a log database respectively;
step 116, obtaining logs from the log database, and decrypting the first-type logs and the second-type logs with the first-type encryption key and the second-type encryption key respectively.
Specifically, the remote network control end generates a root sealing key through the log encryption and decryption module (the root sealing key is generated by a hardware mechanism of SGX and can be obtained again automatically when the program runs again). The first-type encryption key and the second-type encryption key are then generated at random. The root sealing key is used to encrypt the first-type encryption key and the second-type encryption key respectively, and the encrypted keys are then stored in a key database. The first-type log data is encrypted with the first-type encryption key to form first-type log encrypted data, and the second-type log data is encrypted with the second-type encryption key to form second-type log encrypted data. The first-type log encrypted data and the second-type log encrypted data are stored in a log database respectively. The remote network control end obtains logs from the log database, decrypts the corresponding logs with the first-type encryption key and the second-type encryption key respectively, and audits the logs.
In one embodiment, the method further comprises:
in step 117, the communication key is updated in real time: when a new communication key is generated, it is encrypted with the old communication key and transmitted to the baseboard management controller, or a new key is generated again with the key exchange protocol, so that the communication key is updated.
Specifically, the communication encryption and decryption module updates the communication key in real time: it generates a new communication key and sends it to the BMC encrypted with the old communication key, or runs the DH key exchange protocol again to generate a new key. Either way, the communication key is updated.
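The key hierarchy of steps 112 to 116 and the first key-update option of step 117, as an added Go example that is not the patent's code: the SGX sealing key is replaced by a labelled SHA-256 stand-in, AES-256-GCM is assumed for both key wrapping and log encryption, and the key and log databases are left to the caller as byte slices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// RootSealingKey stands in for the SGX sealing key, which the CPU derives from a fused
// secret and the enclave identity so the same enclave gets the same key on every run;
// this SHA-256 stand-in is an assumption of the example, not SGX's derivation.
func RootSealingKey(cpuSecret, enclaveIdentity []byte) []byte {
	sum := sha256.Sum256(append(append([]byte("seal:"), cpuSecret...), enclaveIdentity...))
	return sum[:]
}

// RandomKey draws a fresh 256-bit key (class keys and communication keys).
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes by construction
	}
	gcm, _ := cipher.NewGCM(block) // only fails for a non-16-byte block size
	return gcm
}

// Seal is AES-256-GCM with the random nonce prefixed; the AAD binds a blob to its purpose.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails if the blob, the AAD or the key does not match.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// WrapClassKey is steps 112 and 113 for one class: a random first- or second-type key,
// returned wrapped under the root sealing key for storage in the key database.
func WrapClassKey(root []byte, class string) ([]byte, error) {
	k, err := RandomKey()
	if err != nil {
		return nil, err
	}
	return Seal(root, k, []byte(class))
}

// EncryptLog is step 114: unwrap the class key with the root key (re-derivable after a
// restart, so the clear class key is never stored) and encrypt one entry under it.
func EncryptLog(root, wrappedKey []byte, class string, entry []byte) ([]byte, error) {
	k, err := Open(root, wrappedKey, []byte(class))
	if err != nil {
		return nil, err
	}
	return Seal(k, entry, []byte(class))
}

// DecryptLog is step 116: an entry read back from the log database for audit.
func DecryptLog(root, wrappedKey []byte, class string, ct []byte) ([]byte, error) {
	k, err := Open(root, wrappedKey, []byte(class))
	if err != nil {
		return nil, err
	}
	return Open(k, ct, []byte(class))
}

// RotateCommKey is step 117, first option: a new communication key sent to the BMC
// encrypted under the old one; AcceptCommKey is the BMC side of the update.
func RotateCommKey(old []byte) ([]byte, []byte, error) {
	newKey, err := RandomKey()
	if err != nil {
		return nil, nil, err
	}
	transport, err := Seal(old, newKey, []byte("comm-key-update"))
	return newKey, transport, err
}

func AcceptCommKey(old, transport []byte) ([]byte, error) {
	return Open(old, transport, []byte("comm-key-update"))
}
```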
The method and device achieve the following:
1. The method solves the problem of unified collection of log data from a distributed server cluster and provides the correlation analysis function.
2. It meets security requirements such as encryption during log transmission, encryption during log processing and encryption during log storage.
3. It classifies and grades the logs, stores them by classification, and improves the utilization rate of the logs.
It should be understood that, although the steps in the flowchart of fig. 1 are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in fig. 1 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed in sequence but may be performed in turn or alternately with at least a portion of other steps or of the sub-steps or stages of other steps.
For specific limitations of the SGX-based server cluster log obtaining apparatus, reference may be made to the limitations of the SGX-based server cluster log obtaining method above, which are not repeated here. The modules in the SGX-based server cluster log obtaining apparatus may be implemented in whole or in part by software, hardware or a combination thereof. The above modules may be embedded in hardware or be independent of a processor in the computer device, or may be stored as software in a memory of the computer device so that the processor can call and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a method for obtaining server cluster logs based on SGX. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 3 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
creating a trusted execution environment based on SGX, and placing the remote log acquisition and processing code in the SGX-based trusted execution environment;
connecting to the server baseboard management controllers in a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster, establishing a communication key with each, and generating a quote for remote attestation for the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending the encrypted quote to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving the remote attestation quote, verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge after the remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication with the baseboard management controller;
and after the identity authentication succeeds, acquiring a log of the baseboard management controller.
In one embodiment, the processor when executing the computer program further performs the steps of:
actively initiating a log reading operation request to a baseboard management controller in the cluster to trigger the baseboard management controller to encrypt a log by using a communication key and return the encrypted log;
passively receiving a log sent by a baseboard management controller because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the processor when executing the computer program further performs the steps of:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs to form log data of a first type classified according to different log categories; and classifying the logs according to time, and performing association analysis on the logs in the same time period on different clusters to form second-class log data.
In one embodiment, the processor when executing the computer program further performs the steps of:
analyzing and processing the first-type log data and, if a single server triggers an alarm threshold, issuing a first-type alarm;
and performing cluster joint analysis on the second-type log data and, if the cluster servers trigger an alarm threshold according to the association degree, issuing a second-type alarm.
In one embodiment, the processor when executing the computer program further performs the steps of:
generating a root sealing key, and randomly generating a first type encryption key and a second type encryption key;
respectively encrypting the first type encryption key and the second type encryption key by using the root sealing key, and storing the encrypted first type encryption key and second type encryption key into a key database;
encrypting the first type of log data by using the first type of encryption key to form first type of log encrypted data, and encrypting the second type of log data by using the second type of encryption key to form second type of log encrypted data;
storing the first type log encrypted data and the second type log encrypted data into a log database respectively;
and obtaining logs from the log database, and decrypting the first type of logs and the second type of logs respectively by using the first type of encryption keys and the second type of encryption keys.
In one embodiment, the processor when executing the computer program further performs the steps of:
and updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and transmitting it to the baseboard management controller, or generating a new key again with the key exchange protocol, so as to update the communication key.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
creating a trusted execution environment based on SGX, and placing remote log acquisition and processing codes in the trusted execution environment based on SGX;
connecting a server baseboard management controller in a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster, establishing a communication key with each, and generating a quote for remote attestation for the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending the encrypted quote to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving the remote attestation quote, verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge after the remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication of the baseboard management controller;
and after the identity authentication is successful, acquiring a log of the baseboard management controller.
In one embodiment, the computer program when executed by the processor further performs the steps of:
actively initiating a log reading operation request to a baseboard management controller in the cluster to trigger the baseboard management controller to encrypt a log by using a communication key and return the encrypted log;
passively receiving a log sent by a baseboard management controller because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs to form log data of a first type classified according to different log categories; and classifying the logs according to time, and performing association analysis on the logs in the same time period on different clusters to form second-class log data.
In one embodiment, the computer program when executed by the processor further performs the steps of:
analyzing and processing the first-type log data and, if a single server triggers an alarm threshold, issuing a first-type alarm;
and performing cluster joint analysis on the second-type log data and, if the cluster servers trigger an alarm threshold according to the association degree, issuing a second-type alarm.
In one embodiment, the computer program when executed by the processor further performs the steps of:
generating a root sealing key, and randomly generating a first type encryption key and a second type encryption key;
respectively encrypting the first type encryption key and the second type encryption key by using the root sealing key, and storing the encrypted first type encryption key and second type encryption key into a key database;
encrypting the first type of log data by using the first type of encryption key to form first type of log encrypted data, and encrypting the second type of log data by using the second type of encryption key to form second type of log encrypted data;
storing the first type log encrypted data and the second type log encrypted data into a log database respectively;
and obtaining logs from the log database, and decrypting the first type of logs and the second type of logs respectively by using the first type of encryption keys and the second type of encryption keys.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and transmitting it to the baseboard management controller, or generating a new key again with the key exchange protocol, so as to update the communication key.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combined technical features, the combination should be considered within the scope of this description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (6)

1. The method for acquiring the server cluster log based on SGX is characterized by comprising the following steps:
creating a trusted execution environment based on SGX, and placing remote log acquisition and processing codes in the trusted execution environment based on SGX;
connecting a server baseboard management controller in a server cluster through an IP network;
performing key exchange with each baseboard management controller in the cluster, establishing a communication key with each, and generating a quote for remote attestation for the baseboard management controllers in the cluster;
encrypting the quote with the communication key and sending the encrypted quote to a baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving the remote attestation quote, verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment, and initiates an identity authentication challenge after the remote attestation succeeds;
responding to the identity authentication challenge initiated by the baseboard management controller to perform login authentication of the baseboard management controller;
after the identity authentication is successful, acquiring a log of the baseboard management controller;
wherein the method further comprises:
decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
formatting the plaintext log;
classifying the formatted logs to form log data of a first type classified according to different log categories; classifying the logs according to time, and performing association analysis on the logs in the same time period on different clusters to form second-class log data;
the method further comprises the steps of:
generating a root sealing key, and randomly generating a first type encryption key and a second type encryption key;
respectively encrypting the first type encryption key and the second type encryption key by using the root sealing key, and storing the encrypted first type encryption key and second type encryption key into a key database;
encrypting the first type of log data by using the first type of encryption key to form first type of log encrypted data, and encrypting the second type of log data by using the second type of encryption key to form second type of log encrypted data;
storing the first type log encrypted data and the second type log encrypted data into a log database respectively;
and obtaining logs from the log database, and decrypting the first type of logs and the second type of logs respectively by using the first type of encryption keys and the second type of encryption keys.
2. The method for obtaining a server cluster log based on SGX according to claim 1, wherein the obtaining a baseboard management controller log includes at least one of:
actively initiating a log reading operation request to a baseboard management controller in the cluster to trigger the baseboard management controller to encrypt a log by using a communication key and return the encrypted log;
passively receiving a log sent by a baseboard management controller because a log record triggered an alarm threshold, the log having been encrypted by the baseboard management controller with the communication key.
3. The SGX based server cluster log acquisition method of claim 1, further comprising:
analyzing and processing the first-type log data and, if a single server triggers an alarm threshold, issuing a first-type alarm;
and performing cluster joint analysis on the second-type log data and, if the cluster servers trigger an alarm threshold according to the association degree, issuing a second-type alarm.
4. The SGX based server cluster log acquisition method of claim 1, further comprising:
and updating the communication key in real time: when a new communication key is generated, encrypting it with the old communication key and transmitting it to the baseboard management controller, or generating a new key again with the key exchange protocol, so as to update the communication key.
5. An SGX-based server cluster log acquisition device, characterized in that the log acquisition device establishes a trusted execution environment based on SGX, places the remote log acquisition and processing code in the SGX-based trusted execution environment, and connects to the server baseboard management controllers in a server cluster through an IP network, the log acquisition device comprising a communication encryption and decryption module, a remote attestation module, an identity authentication module and a log acquisition module, wherein:
the communication encryption and decryption module is used for carrying out a key exchange protocol with each baseboard management controller in the cluster and establishing a communication key with each; encrypting the quote generated by the remote attestation module with the communication key and transmitting the encrypted quote to the baseboard management controller in the cluster, so that the baseboard management controller decrypts the quote after receiving the remote attestation and verifies through the remote attestation function of SGX that the remote network control end program runs in a trusted execution environment; and decrypting the baseboard management controller log with the communication key to obtain the plaintext log information;
a remote attestation module for generating a quote for remote attestation for a baseboard management controller in a cluster;
the identity authentication module is used for responding to an identity authentication challenge initiated to the remote network control end after the remote attestation of the baseboard management controller succeeds, and performing login authentication with the baseboard management controller using an identity authentication protocol;
the log acquisition module is used for carrying out log acquisition operation of the baseboard management controller after the identity authentication is successful;
the log formatting module is used for formatting the plaintext log;
the log classification module is used for classifying the formatted logs to form first-class log data which are classified according to different log categories; classifying the logs according to time, and performing association analysis on the logs in the same time period on different clusters to form second-class log data;
the log processing and analysis module is used for analyzing and processing the first-type log data and, if a single server triggers an alarm threshold, sending a first-type alarm instruction to the log alarm module; and for performing cluster joint analysis on the second-type log data and, if the cluster servers trigger an alarm threshold according to the association degree, sending a second-type alarm instruction to the log alarm module;
the log alarm module is used for issuing alarms according to the alarm instructions of the log processing and analysis module;
the log encryption and decryption module is used for generating a root sealing key, randomly generating a first type encryption key and a second type encryption key, respectively encrypting the first type encryption key and the second type encryption key by using the root sealing key, storing the encrypted first type encryption key and second type encryption key into a key database, encrypting first type log data by using the first type encryption key to form first type log encrypted data, and encrypting second type log data by using the second type encryption key to form second type log encrypted data; the log encrypting and decrypting module is also used for decrypting the first type log and the second type log by using the first type encryption key and the second type encryption key respectively.
6. The SGX-based server cluster log obtaining apparatus according to claim 5, wherein the log obtaining module includes a log active obtaining module and a log passive obtaining module, wherein:
the log active acquisition module is used for actively initiating a log reading operation request to a baseboard management controller in the cluster so as to trigger the baseboard management controller to encrypt a log by using a communication key and return the encrypted log;
and the log passive acquisition module is used for passively receiving the log sent by the baseboard management controller due to the triggering of the alarm threshold value by the log record, wherein the log is encrypted by the baseboard management controller by using the communication key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111341369.5A CN114189515B (en) 2021-11-12 2021-11-12 SGX-based server cluster log acquisition method and device

Publications (2)

Publication Number Publication Date
CN114189515A CN114189515A (en) 2022-03-15
CN114189515B true CN114189515B (en) 2023-08-04

Family

ID=80539989

Country Status (1)

Country Link
CN (1) CN114189515B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743738B (en) * 2023-07-20 2024-04-05 北京道迩科技有限公司 Log transmission method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561110A (en) * 2019-01-19 2019-04-02 北京工业大学 A kind of cloud platform audit log guard method based on SGX
US10554416B1 (en) * 2018-12-01 2020-02-04 University Of South Florida System and method of audit log protection
CN113608964A (en) * 2021-08-09 2021-11-05 宁畅信息产业(北京)有限公司 Cluster automation monitoring method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114189515A (en) 2022-03-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant