CN114679253B - Chinese commercial cipher algorithm expansion method of vTPM2.0 - Google Patents

Chinese commercial cipher algorithm expansion method of vTPM2.0

Info

Publication number: CN114679253B (application CN202210429912.5A; other version CN114679253A)
Authority: CN (China)
Prior art keywords: algorithm, function, hash, control flow, tpm2
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Inventors: 陈兴蜀, 周明星, 王启旭, 桂艳双, 杨苗苗, 黄国盛, 魏明江, 胡雯心
Current assignees: Sichuan University; China Mobile Suzhou Software Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Sichuan University
Events: application filed by Sichuan University; priority to CN202210429912.5A; publication of CN114679253A; application granted; publication of CN114679253B; legal status active

Classifications

    • H04L 9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication › H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols › H04L 9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators)
    • H04L 9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3 (under H04L 9/06)
    • H04L 9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L 9/32: authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)
    • H04L 2209/12: Details relating to cryptographic hardware or logic circuitry (under H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication, H04L 9/00)
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y General tagging of new technological developments and cross-sectional technologies › Y02 Technologies or applications for mitigation or adaptation against climate change › Y02D Climate change mitigation technologies in information and communication technologies (ICT), i.e. ICT aiming at the reduction of their own energy use › Y02D 30/00 Reducing energy consumption in communication networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

A Chinese commercial cryptographic (SM) algorithm extension method for vTPM2.0 comprises: enabling the SM3 and SM4 algorithm identifiers reserved in the libtpms function library; adding SM3 and SM4 cryptographic algorithm support modules, and adding the SM3 and SM4 algorithm registration structures and the definitions of the encoding and decoding (marshal/unmarshal) functions for their operation results to libtpms; reworking the tpm2-tss component by adding SM2 support to the ECC algorithm selector of the asymmetric encryption module, SM3 options and control flow to the hash module, and SM4 options and control flow to the symmetric encryption module; and finally reworking the tpm2-tools component by adding SM2 and SM4 calls to the ECC algorithm selector and the symmetric encryption algorithm selector. The method fills the gap that vTPM2.0 does not yet support the SM2, SM3 and SM4 algorithms, lets tpm2 commands issued inside a virtual machine invoke these algorithms through the vTPM for cryptographic operations, and avoids the conflicts caused by the unstable SM algorithm header files across different OpenSSL versions.

Description

Chinese commercial cipher algorithm expansion method of vTPM2.0
Technical Field
The invention relates to the technical field of virtualization and trusted computing, and in particular to a Chinese commercial cryptographic algorithm extension method for vTPM2.0.
Background
Trusted computing takes a hardware TPM (Trusted Platform Module) as its root of trust and protects the key components of a system by measuring, storing and reporting their integrity state. A hardware TPM, however, cannot serve multiple virtual machines at the same time. With the development of virtualization, the industry proposed virtual trusted computing and has produced mature implementations of it: each virtual machine is assigned a virtual Trusted Platform Module (vTPM), so that trusted-computing support is available to many virtual machines at once.
libtpms and swtpm: libtpms is a library that implements the TPM functionality, and swtpm is a software TPM emulator built on libtpms; together the two components provide a trusted environment for a virtual machine through a user-space character-device interface. At present, Stefan Berger's open-source libtpms implements the SM2 algorithm and reserves the SM3 and SM4 algorithm identifiers together with part of their data structures and processing functions, but SM3 and SM4 are not enabled, and the core cryptographic operation functions and the encoding/decoding (marshal/unmarshal) functions for them are missing.
TPM2.0 software stack: Intel's TPM2.0 software stack consists of three projects, tpm2-tss, tpm2-abrmd and tpm2-tools. tpm2-tss gives the operating system and other programs access to the TPM; tpm2-abrmd is a system daemon that implements the TPM2.0 Access Broker and Resource Manager specification and coordinates multi-process access to the TPM; tpm2-tools provides command-line tools that expose the low-level and aggregated functionality of TPM2.0 devices from a shell. The current open-source TPM2.0 software stack cannot call the SM2, SM3 and SM4 algorithms: it lacks the control-flow options and the algorithm parameter settings for them.
The TCG (Trusted Computing Group) states in the TPM2.0 specification that a cryptographic algorithm extension interface is reserved for embedding other cryptographic algorithms. Although the TPM2.0 specification assigns algorithm identifiers to the Chinese commercial cryptographic algorithms SM2, SM3 and SM4, there is no complete implementation of these algorithms, nor are there encoding/decoding interfaces for supplying algorithm parameters and returning results. Given the increasingly severe cyberspace security situation, and in order to reduce the legal risk of relying on cryptographic algorithms not developed domestically in China and to meet the requirements of Classified Protection of Cybersecurity 2.0 (等保2.0), studying SM algorithm support in the virtual trusted platform module and solving the problem that the current vTPM2.0 does not support SM2, SM3 and SM4 is of great importance.
Disclosure of Invention
In view of these problems, the invention provides a Chinese commercial cryptographic algorithm extension method for vTPM2.0. It adds SM3 and SM4 support to the vTPM2.0 emulation library libtpms and improves the TPM2.0 software stack by adding support for, and calls to, the SM2, SM3 and SM4 algorithms, so that vTPM2.0 supports the SM algorithms and the TPM2.0 software stack inside a virtual machine can invoke vTPM2.0 to perform cryptographic operations with them. The technical scheme is as follows:
A Chinese commercial cryptographic algorithm extension method for vTPM2.0 comprises the following steps:
Step 1: enable the SM3 and SM4 algorithm identifiers reserved in the libtpms library, so that the algorithms can be used normally once the cryptographic algorithm support modules are added;
Step 2: for SM3, add the SM3 part of the cryptographic algorithm support module, and add the SM3 algorithm registration structure and the definitions of the encoding and decoding functions for SM3 operation results to libtpms;
Step 3: for SM4, add the SM4 part of the cryptographic algorithm support module, and add the SM4 algorithm registration structure, the definition of the encoding function for SM4 operation results and the declaration of the decoding function to libtpms;
Step 4: rework the tpm2-tss component of the TPM2.0 software stack: add SM2 support to the ECC algorithm selector in the asymmetric encryption module; add SM3 options and control flow to the hash module so that it calls the EVP_sm3() function interface; add SM4 options and control flow to the symmetric encryption module;
Step 5: rework the tpm2-tools component of the TPM2.0 software stack, adding calls to SM2 and SM4 to the ECC algorithm selector and the symmetric encryption algorithm selector respectively.
Further, step 1 specifically comprises: changing the values of ALG_SM3_256 and ALG_SM4 to ALG_YES.
Further, step 2 specifically comprises:
Step 2.1: register the SM3 algorithm data structure in the hash algorithm submodule; the structure contains the SM3 initialization function, update function and finalization function, a memory-copy function, the block size, the digest size, the size of the algorithm context structure and the algorithm identifier;
Step 2.2: add the functions that encode and decode the SM3 operation result: the encoding function tpmHashStatSM3_256_Marshal encodes the hash operation result into the TPM command response stream, and the decoding function tpmHashStatSM3_256_UnMarshal decodes the TPM command response stream back into a hash operation result.
Further, step 3 specifically comprises:
Step 3.1: register the SM4 algorithm data structure in the symmetric encryption algorithm selector; it contains the SM4 encryption function, decryption function, encrypt-key setup function, decrypt-key setup function and state-clearing (final) function, and, following the design of the algorithm selector, is defined as macros;
Step 3.2: add the definition of the encoding function and the declaration of the decoding function for the SM4 parameter TPMI_SM4_KEY_BITS (the SM4 key size): TPMI_SM4_KEY_BITS_Marshal encodes it into the TPM command response stream, and TPMI_SM4_KEY_BITS_Unmarshal decodes it from the TPM command response stream.
Further, in step 4, the tpm2-tss component is modified to support SM2 as follows: set the SM2 algorithm identifier; add SM2 control-flow options to the iesys_cryptossl_get_ecdh_point and ossl_ecc_pub_from_tpm functions, which set curveId to the SM2 curve data structure; add an SM2 control-flow option to the get_ecc_tpm2b_public_from_evp function, which sets tpmCurveId to the SM2 identifier; add an SM2 control-flow option to the ifapi_calculate_pcr_digest function, which sets pcr_digest_hash_alg to the hash algorithm used by the SM2 signature scheme.
Further, in step 4, the tpm2-tss component is modified to support SM3 as follows. Serialization: add the SM3 identifier to the CHECK_IN_LIST checker in the hash algorithm serialization function, and add SM3 control flow to the hash algorithm parameter serialization function to set the algorithm length and the serialized data variable. Deserialization: add SM3 control flow to the hash parameter object deserialization function, setting the hash length variable to TPM2_SM3_256_DIGEST_SIZE, and add the SM3 identifier to the SUBTYPE_FILTER filter in that function. Hash dispatch: add an SM3 control-flow option to the get_ossl_hash_md function so that it returns the EVP_sm3() interface.
Further, in step 4, the tpm2-tss component is modified to support SM4 as follows. Serialization: add the SM4 identifier to the CHECK_IN_LIST checker in the symmetric encryption algorithm object serialization function, and add an SM4 control-flow option to the symmetric encryption key parameter serialization function so that SM4 key objects are serialized. Deserialization: add the SM4 identifier to the SUBTYPE_FILTER filter in the symmetric encryption deserialization function, the object deserialization function and the algorithm mode deserialization function.
Further, step 5 specifically comprises:
Step 5.1: modify the tpm2-tools component so that, in the key setup function set_key_algorithm, the SM2 parameters are written to the curveID variable of the ECC algorithm branch and the SM4 parameters to the symmetric encryption algorithm branch of the inPublic pointer;
Step 5.2: modify the tpm2-tools component so that, in the algorithm setup function setup_alg, the SM2 parameters are written to the curveID variable of the ECC algorithm branch and the SM4 parameters to the symmetric encryption algorithm branch of the ctx structure.
The beneficial effects of the invention are as follows. Addressing the fact that the current vTPM2.0 does not support the SM2, SM3 and SM4 algorithms, the invention provides a Chinese commercial cryptographic algorithm extension method for vTPM2.0 that extends the algorithms supported by the libtpms library and reworks the TPM2.0 software stack, so that the TPM2.0 software stack inside a virtual machine can call vTPM2.0 to perform cryptographic operations with the three SM algorithms SM2, SM3 and SM4. At the same time, because libtpms itself defines the function interfaces that the SM3 and SM4 algorithms need for initialization, the invention avoids the conflicts caused by the unstable SM algorithm header files across different versions of OpenSSL.
Drawings
Fig. 1 is a schematic diagram of the vTPM2.0 Chinese commercial cryptographic algorithm extension of the invention.
Fig. 2 is a working-principle diagram of the SM2 algorithm extension of vTPM2.0 in the invention.
Fig. 3 is a working-principle diagram of the SM3 algorithm extension of vTPM2.0 in the invention.
Fig. 4 is a working-principle diagram of the SM4 algorithm extension of vTPM2.0 in the invention.
Detailed Description
The invention is described in further detail below with reference to the figures and specific embodiments. Fig. 1 shows the schematic diagram of the vTPM2.0 Chinese commercial cryptographic algorithm extension; the double-framed parts are the key additions of the invention, namely the cryptographic algorithm support module added to the libtpms library and the modifications to the TPM2.0 software stack.
A Chinese commercial cryptographic algorithm extension method for vTPM2.0 comprises the following steps:
Step 1: enable the SM3 and SM4 algorithm identifiers reserved in the libtpms library, so that the algorithms can be used normally once the cryptographic algorithm support modules are added.
Specifically, the values of ALG_SM3_256 and ALG_SM4 are changed to ALG_YES.
Step 2: add the SM3 part of the cryptographic algorithm support module; this mainly adds the SM3 algorithm registration structure SM3_256_Def and the definitions of the SM3 result encoding and decoding functions to the libtpms library. The specific steps are as follows:
Step 2.1: register the SM3 algorithm data structure in the hash algorithm submodule. The structure contains the SM3 initialization function, the SM3 update function, the SM3 finalization function, a memory-copy function, the block size, the digest size, the size of the algorithm context structure and the algorithm identifier. It is through this structure that messages in the TPM command stream are hashed; the structure is as follows:
    HASH_DEF SM3_256_Def = {
        .method = {
            .start = sm3_init,
            .data  = sm3_update,
            .end   = sm3_final,
            .copy  = memcpy,
        },
        .blockSize   = SM3_256_BLOCK_SIZE,
        .digestSize  = SM3_256_DIGEST_SIZE,
        .contextSize = sizeof(sm3_ctx_t),
        .hashAlg     = TPM_ALG_SM3_256,
    };
Step 2.2: add the functions that encode and decode the SM3 operation result: the encoding function tpmHashStatSM3_256_Marshal encodes the hash operation result into the TPM command response stream, and the decoding function tpmHashStatSM3_256_UnMarshal decodes the TPM command response stream back into a hash operation result.
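The structure above binds sm3_init, sm3_update and sm3_final as the .start, .data and .end methods of the hash module, and the background section notes that these operation functions are exactly what libtpms lacks for SM3. As an added illustration, not code from the patent or from libtpms, here is a self-contained C implementation of SM3 (GB/T 32905-2016) with the signatures that structure expects. The context layout sm3_ctx_t (whose sizeof() is what .contextSize would report), the one-shot helper sm3_hex and the choice of the two example messages from the standard, "abc" and sixteen repetitions of "abcd", are this example's own assumptions, not anything the patent specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SM3_256_BLOCK_SIZE  64
#define SM3_256_DIGEST_SIZE 32

typedef struct {                       /* layout assumed by this example; sizeof() feeds .contextSize */
    uint32_t state[8];                 /* chaining value V(i) */
    uint64_t total_len;                /* message bytes absorbed so far */
    uint8_t  buf[SM3_256_BLOCK_SIZE];  /* unprocessed tail of the message */
    size_t   buf_len;
} sm3_ctx_t;

static uint32_t rotl(uint32_t x, unsigned n) { n &= 31; return n ? (x << n) | (x >> (32 - n)) : x; }

/* Permutations and the round-16..63 Boolean functions of GB/T 32905-2016. */
#define P0(x)        ((x) ^ rotl((x), 9) ^ rotl((x), 17))
#define P1(x)        ((x) ^ rotl((x), 15) ^ rotl((x), 23))
#define FF1(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define GG1(x, y, z) (((x) & (y)) | (~(x) & (z)))

/* Compression function CF: absorbs one 512-bit big-endian block into v[]. */
static void sm3_compress(uint32_t v[8], const uint8_t *blk)
{
    uint32_t w[68], w1[64], a, b, c, d, e, f, g, h; int j;
    for (j = 0; j < 16; j++, blk += 4)
        w[j] = (uint32_t)blk[0] << 24 | (uint32_t)blk[1] << 16 | (uint32_t)blk[2] << 8 | blk[3];
    for (j = 16; j < 68; j++)
        w[j] = P1(w[j-16] ^ w[j-9] ^ rotl(w[j-3], 15)) ^ rotl(w[j-13], 7) ^ w[j-6];
    for (j = 0; j < 64; j++) w1[j] = w[j] ^ w[j+4];

    a = v[0]; b = v[1]; c = v[2]; d = v[3]; e = v[4]; f = v[5]; g = v[6]; h = v[7];
    for (j = 0; j < 64; j++) {
        uint32_t t   = (j < 16) ? 0x79cc4519u : 0x7a879d8au;
        uint32_t ss1 = rotl(rotl(a, 12) + e + rotl(t, (unsigned)j), 7);
        uint32_t ss2 = ss1 ^ rotl(a, 12);
        uint32_t tt1 = ((j < 16) ? (a ^ b ^ c) : FF1(a, b, c)) + d + ss2 + w1[j];
        uint32_t tt2 = ((j < 16) ? (e ^ f ^ g) : GG1(e, f, g)) + h + ss1 + w[j];
        d = c; c = rotl(b, 9);  b = a; a = tt1;
        h = g; g = rotl(f, 19); f = e; e = P0(tt2);
    }
    v[0] ^= a; v[1] ^= b; v[2] ^= c; v[3] ^= d;
    v[4] ^= e; v[5] ^= f; v[6] ^= g; v[7] ^= h;
}

/* .start method of the HASH_METHODS table: load the standard IV. */
void sm3_init(sm3_ctx_t *ctx)
{
    static const uint32_t iv[8] = { 0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
                                    0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e };
    memcpy(ctx->state, iv, sizeof iv);
    ctx->total_len = 0; ctx->buf_len = 0;
}

/* .data method: absorb len bytes; may be called any number of times. */
void sm3_update(sm3_ctx_t *ctx, const uint8_t *data, size_t len)
{
    ctx->total_len += len;
    if (ctx->buf_len) {                            /* top up a buffered partial block */
        size_t take = SM3_256_BLOCK_SIZE - ctx->buf_len;
        if (take > len) take = len;
        memcpy(ctx->buf + ctx->buf_len, data, take);
        ctx->buf_len += take; data += take; len -= take;
        if (ctx->buf_len < SM3_256_BLOCK_SIZE) return;   /* still partial; len is now 0 */
        sm3_compress(ctx->state, ctx->buf);
        ctx->buf_len = 0;
    }
    for (; len >= SM3_256_BLOCK_SIZE; data += SM3_256_BLOCK_SIZE, len -= SM3_256_BLOCK_SIZE)
        sm3_compress(ctx->state, data);
    memcpy(ctx->buf, data, len);
    ctx->buf_len = len;
}

/* .end method: pad with 0x80, zeros and the 64-bit big-endian bit length, emit, wipe. */
void sm3_final(sm3_ctx_t *ctx, uint8_t out[SM3_256_DIGEST_SIZE])
{
    static const uint8_t pad[SM3_256_BLOCK_SIZE] = { 0x80 };
    uint64_t bits = ctx->total_len * 8;
    size_t padlen = (ctx->buf_len < 56) ? 56 - ctx->buf_len : 120 - ctx->buf_len;
    uint8_t lenbuf[8]; int i;
    for (i = 0; i < 8; i++) lenbuf[i] = (uint8_t)(bits >> (56 - 8 * i));
    sm3_update(ctx, pad, padlen);
    sm3_update(ctx, lenbuf, 8);
    for (i = 0; i < 8; i++) {
        out[4*i]   = (uint8_t)(ctx->state[i] >> 24); out[4*i+1] = (uint8_t)(ctx->state[i] >> 16);
        out[4*i+2] = (uint8_t)(ctx->state[i] >> 8);  out[4*i+3] = (uint8_t)(ctx->state[i]);
    }
    memset(ctx, 0, sizeof *ctx);                   /* do not leave hash state behind */
}

/* One-shot helper: lowercase hex digest of msg[0..len) written into hex (65 bytes). */
const char *sm3_hex(const uint8_t *msg, size_t len, char *hex)
{
    sm3_ctx_t ctx; uint8_t d[SM3_256_DIGEST_SIZE]; int i;
    sm3_init(&ctx); sm3_update(&ctx, msg, len); sm3_final(&ctx, d);
    for (i = 0; i < SM3_256_DIGEST_SIZE; i++) sprintf(hex + 2 * i, "%02x", d[i]);
    return hex;
}
```

Hashing "abc" must give 66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0, the first example digest of GB/T 32905-2016, and the 64-byte message of sixteen "abcd" repetitions must give debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732; the second vector exercises the multi-block path. A libtpms build that registers an SM3 support module is worth checking against both before ALG_SM3_256 is enabled, because a wrong digest would otherwise only surface later as PCR values or signatures that fail to verify.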
Step 3: add the SM4 part of the cryptographic algorithm support module; this mainly adds the SM4 algorithm registration structure, the definition of the SM4 result encoding function and the declaration of the decoding function to the libtpms library. The specific steps are as follows:
Step 3.1: register the SM4 algorithm data structure in the symmetric encryption algorithm selector. It contains the SM4 encryption function, decryption function, encrypt-key setup function, decrypt-key setup function and state-clearing (final) function, and, following the design of the algorithm selector, is defined as macros. Because SM4 has a single 128-bit key size, the key setup macros accept the keySizeInBits argument for compatibility with the selector's calling convention but do not pass it on, so the key size must already have been validated when the TPMI_SM4_KEY_BITS field was decoded (step 3.2). The macros are as follows:
    #define TpmCryptEncryptSM4        SM4_encrypt
    #define Tpm﻿CryptDecryptSM4        SM4_decrypt
    #define tpmKeyScheduleSM4         SM4_KEY
    #define TpmCryptFinalSM4          SM4_final
    #define TpmCryptSetEncryptKeySM4(key, keySizeInBits, schedule) \
            SM4_set_encrypt_key((key), (tpmKeyScheduleSM4 *)(schedule))
    #define TpmCryptSetDecryptKeySM4(key, keySizeInBits, schedule) \
            SM4_set_decrypt_key((key), (tpmKeyScheduleSM4 *)(schedule))
Step 3.2: add the definition of the encoding function and the declaration of the decoding function for the SM4 parameter TPMI_SM4_KEY_BITS (the SM4 key size): TPMI_SM4_KEY_BITS_Marshal encodes it into the TPM command response stream, and TPMI_SM4_KEY_BITS_Unmarshal decodes it from the TPM command response stream.
Step 4: modify the TPM2.0 software stack.
Rework the tpm2-tss component of the TPM2.0 software stack: add SM2 support to the ECC algorithm selector in the asymmetric encryption module; add SM3 options and control flow to the hash module so that it calls the EVP_sm3() function interface; add SM4 options and control flow to the symmetric encryption module so that it calls EVP_sm4_ecb().
tpm2-tss is modified so that programs in the system can use SM2, SM3 and SM4 when accessing the TPM. Since tpm2-tss already contains hash algorithms such as SHA1, ECC algorithms such as ECDSA and symmetric encryption algorithms such as AES, it is only necessary to add control-flow options for SM2, SM3 and SM4 to the functions that dispatch these three classes of algorithms.
(1) The tpm2-tss component is modified to support SM2 as follows: set the SM2 algorithm identifier; add SM2 control-flow options to the iesys_cryptossl_get_ecdh_point and ossl_ecc_pub_from_tpm functions, which set curveId to the SM2 curve data structure; add an SM2 control-flow option to the get_ecc_tpm2b_public_from_evp function, which sets tpmCurveId to the SM2 identifier; add an SM2 control-flow option to the ifapi_calculate_pcr_digest function, which sets pcr_digest_hash_alg to the hash algorithm used by the SM2 signature scheme.
(2) The tpm2-tss component is modified to support SM3 as follows. Serialization: add the SM3 identifier to the CHECK_IN_LIST checker in the hash algorithm serialization function, and add SM3 control flow to the hash algorithm parameter serialization function to set the algorithm length and the serialized data variable. Deserialization: add SM3 control flow to the hash parameter object deserialization function, setting the hash length variable to TPM2_SM3_256_DIGEST_SIZE, and add the SM3 identifier to the SUBTYPE_FILTER filter in that function. Hash dispatch: add an SM3 control-flow option to the get_ossl_hash_md function so that it returns the EVP_sm3() interface.
(3) The tpm2-tss component is modified to support SM4 as follows. Serialization: add the SM4 identifier to the CHECK_IN_LIST checker in the symmetric encryption algorithm object serialization function, and add an SM4 control-flow option to the symmetric encryption key parameter serialization function so that SM4 key objects are serialized. Deserialization: add the SM4 identifier to the SUBTYPE_FILTER filter in the symmetric encryption deserialization function, the object deserialization function and the algorithm mode deserialization function.
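Step 3.2 adds TPMI_SM4_KEY_BITS_Marshal and TPMI_SM4_KEY_BITS_Unmarshal to libtpms, items (2) and (3) above add the SM3 and SM4 identifiers to the CHECK_IN_LIST and SUBTYPE_FILTER allow-lists of tpm2-tss, and the SM3 execution flow described under Fig. 3 returns TPM_RC_HASH when the requested hash identifier is not supported. The following C example, added here and not taken from the patent, libtpms or tpm2-tss, shows what those checks look like over a raw TPM command stream: big-endian UINT16 unmarshalling with the libtpms (buffer, size) cursor convention, a TPMI_SM4_KEY_BITS decoder that accepts only the one SM4 key size, a TPMI_ALG_HASH decoder that returns TPM_RC_HASH for anything the hash module does not know, and a parser for the parameter area of TPM2_Hash that tags FMT1 errors with the parameter number. The algorithm identifiers and response-code values are the TCG registry values; the names Hash_In and rc_param, the view-style TPM2B handling, the hierarchy value TPM_RH_NULL and the sample command bytes are this example's own constructions, not libtpms code.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint16_t TPM_ALG_ID, TPM_KEY_BITS;
typedef uint32_t TPM_RC;

/* Identifiers from the TCG algorithm registry. */
#define TPM_ALG_SHA256      0x000B
#define TPM_ALG_SM3_256     0x0012
#define TPM_ALG_SM4         0x0013

/* Response codes (TPM 2.0 Part 2). FMT1 codes (bit 7 set) carry a parameter number. */
#define TPM_RC_SUCCESS      0x000
#define RC_FMT1             0x080
#define TPM_RC_HASH         (RC_FMT1 + 0x003)   /* hash algorithm not supported */
#define TPM_RC_VALUE        (RC_FMT1 + 0x004)   /* value is out of range */
#define TPM_RC_SIZE         (RC_FMT1 + 0x015)   /* structure is the wrong size */
#define TPM_RC_P            0x040               /* error is in a parameter */
#define TPM_RC_INSUFFICIENT (0x100 + 0x01A)     /* buffer ran out: a VER1 code, not FMT1 */
#define MAX_DIGEST_BUFFER   1024

/* Tag a FMT1 error with the 1-based parameter number (libtpms: RcSafeAddToResult). */
static TPM_RC rc_param(TPM_RC rc, unsigned n)
{
    return (rc & RC_FMT1) ? rc + TPM_RC_P + (TPM_RC)(n << 8) : rc;
}

/* Wire integers are big-endian; the (buffer, size) cursor advances only on success. */
TPM_RC UINT16_Unmarshal(uint16_t *target, uint8_t **buffer, int32_t *size)
{
    if (*size < 2) return TPM_RC_INSUFFICIENT;
    *target = (uint16_t)(((*buffer)[0] << 8) | (*buffer)[1]);
    *buffer += 2; *size -= 2;
    return TPM_RC_SUCCESS;
}

/* Digest sizes the hash module knows; 0 means the identifier is not enabled. */
uint16_t CryptHashGetDigestSize(TPM_ALG_ID alg)
{
    switch (alg) {
    case TPM_ALG_SHA256:  return 32;
    case TPM_ALG_SM3_256: return 32;           /* reachable once ALG_SM3_256 is ALG_YES */
    default:              return 0;
    }
}

/* TPMI_ALG_HASH: an identifier outside the enabled set is TPM_RC_HASH (the SM3 flow's error). */
TPM_RC TPMI_ALG_HASH_Unmarshal(TPM_ALG_ID *target, uint8_t **buffer, int32_t *size)
{
    TPM_RC rc = UINT16_Unmarshal(target, buffer, size);
    if (rc != TPM_RC_SUCCESS) return rc;
    return CryptHashGetDigestSize(*target) ? TPM_RC_SUCCESS : TPM_RC_HASH;
}

/* TPMI_SM4_KEY_BITS: SM4 has one key size, so the allow-list is {128}; the SM4 key-setup macros drop keySizeInBits. */
TPM_RC TPMI_SM4_KEY_BITS_Unmarshal(TPM_KEY_BITS *target, uint8_t **buffer, int32_t *size)
{
    TPM_RC rc = UINT16_Unmarshal(target, buffer, size);
    if (rc != TPM_RC_SUCCESS) return rc;
    return (*target == 128) ? TPM_RC_SUCCESS : TPM_RC_VALUE;
}

/* Marshal follows the libtpms shape: returns the byte count, NULL buffer = size query. */
uint16_t TPMI_SM4_KEY_BITS_Marshal(const TPM_KEY_BITS *source, uint8_t **buffer, int32_t *size)
{
    if (buffer != NULL) {
        (*buffer)[0] = (uint8_t)(*source >> 8); (*buffer)[1] = (uint8_t)*source;
        *buffer += 2;
        if (size != NULL) *size -= 2;
    }
    return 2;
}

/* TPM2_Hash parameters: TPM2B_MAX_BUFFER data, TPMI_ALG_HASH hashAlg, TPMI_RH_HIERARCHY hierarchy. */
typedef struct {
    uint16_t data_size; const uint8_t *data;   /* data is a view into the stream, not a copy */
    TPM_ALG_ID hashAlg; uint32_t hierarchy;
} Hash_In;

TPM_RC Hash_In_Unmarshal(Hash_In *in, uint8_t *buf, int32_t len)
{
    uint8_t *p = buf; TPM_RC rc;
    if ((rc = UINT16_Unmarshal(&in->data_size, &p, &len)) != TPM_RC_SUCCESS) return rc_param(rc, 1);
    if (in->data_size > MAX_DIGEST_BUFFER) return rc_param(TPM_RC_SIZE, 1);
    if (len < in->data_size) return TPM_RC_INSUFFICIENT;
    in->data = p; p += in->data_size; len -= in->data_size;
    if ((rc = TPMI_ALG_HASH_Unmarshal(&in->hashAlg, &p, &len)) != TPM_RC_SUCCESS) return rc_param(rc, 2);
    if (len < 4) return TPM_RC_INSUFFICIENT;    /* TPMI_RH_HIERARCHY is a UINT32 */
    in->hierarchy = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    len -= 4;
    return (len == 0) ? TPM_RC_SUCCESS : TPM_RC_SIZE;   /* trailing bytes are an error */
}

/* Constructed sample, not a capture: TPM2_Hash parameters hashing "abc" with SM3 under TPM_RH_NULL. */
uint8_t sample_tpm2_hash_params[] = {
    0x00, 0x03, 'a', 'b', 'c',          /* TPM2B_MAX_BUFFER data            */
    0x00, 0x12,                         /* TPMI_ALG_HASH = TPM_ALG_SM3_256  */
    0x40, 0x00, 0x00, 0x07              /* TPMI_RH_HIERARCHY = TPM_RH_NULL   */
};
```

With the sample bytes the parser succeeds and reports hashAlg 0x0012; replacing the identifier with an unassigned value makes it return TPM_RC_HASH tagged as parameter 2 (0x2C3), a TPMI_SM4_KEY_BITS field of 256 returns TPM_RC_VALUE, and a truncated stream returns TPM_RC_INSUFFICIENT without touching the cursor. The same allow-list shape is what the CHECK_IN_LIST and SUBTYPE_FILTER additions in tpm2-tss have to reproduce on the client side, otherwise a stream the vTPM accepts cannot be serialized by the stack.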
Step 5: rework the tpm2-tools component of the TPM2.0 software stack, adding calls to SM2 and SM4 to the ECC algorithm selector and the symmetric encryption algorithm selector respectively. Specifically:
Step 5.1: modify the tpm2-tools component so that, in the key setup function set_key_algorithm, the SM2 parameters are written to the curveID variable of the ECC algorithm branch and the SM4 parameters to the symmetric encryption algorithm branch of the inPublic pointer;
Step 5.2: modify the tpm2-tools component so that, in the algorithm setup function setup_alg, the SM2 parameters are written to the curveID variable of the ECC algorithm branch and the SM4 parameters to the symmetric encryption algorithm branch of the ctx structure.
Fig. 2 shows the working principle of the SM2 algorithm extension of vTPM2.0. The execution flow is as follows:
(1) A command that signs or verifies a signature with the TPM's SM2 algorithm is issued inside the virtual machine. tpm2-tools processes it: the set_key_algorithm and setup_alg functions configure the ECC algorithm interface to sign or verify with SM2, the command is then handed to the tpm2-tss software stack, and the API component of the stack communicates with the libtpms library.
(2) The TPM functional module in libtpms recognizes the TPM command stream and passes the command to the asymmetric encryption algorithm submodule, which extracts the specific cryptographic algorithm identifier and forwards the command stream to the ECC algorithm interface.
(3) The ECC algorithm interface parses the TPM command stream and extracts the SM2 signature scheme identifier. For signing, the ECC signature function calls the SM2 signing operation; for verification, the ECC verification function calls the SM2 verification operation.
(4) The SM2 operation result, i.e. the signature value together with the signature scheme type, is encoded through the encoding interface, and the encoded result is handed to the response encoding interface.
(5) The response encoding interface encodes the result into a TPM response stream, which is returned through the tpm_tis driver to the software stack in the virtual machine, where it is parsed.
Fig. 3 shows the working principle of the SM3 algorithm extension of vTPM2.0. The execution flow is as follows:
(1) A command that hashes data with the TPM's SM3 algorithm is issued inside the virtual machine. tpm2-tools processes it and extracts the identifier of the current hash algorithm as SM3; the command is handed to the tpm2-tss software stack, where the get_ossl_hash_md function sets the control flow of the current hash operation to SM3, and the API component communicates with the libtpms library.
(2) The TPM functional module in libtpms recognizes the TPM command stream, passes the command to the hash submodule, extracts the cryptographic algorithm identifier SM3 and checks whether SM3 is supported: if the current libtpms does not support it, the error response TPM_RC_HASH is generated; otherwise the command stream is passed to the SM3 hash algorithm interface.
(3) The sm3_init, sm3_update and sm3_final functions defined by the SM3 algorithm structure hash the message, and the result is passed to the response encoding interface.
(4) The response encoding interface encodes the result into a TPM response stream, which is returned through the tpm_tis driver to the software stack in the virtual machine, where it is parsed.
Fig. 4 shows the working principle of the SM4 algorithm extension of vTPM2.0. The execution flow is as follows:
(1) Inside the virtual machine the user issues a command that encrypts or decrypts with the TPM's SM4 algorithm. tpm2-tools processes it: the set_key_algorithm function configures the symmetric encryption algorithm interface to encrypt or decrypt with SM4, the command is handed to the tpm2-tss software stack, and the API component of the stack communicates with the libtpms library.
(2) The TPM functional module in libtpms recognizes the TPM command stream and passes the command to the symmetric encryption algorithm submodule, where the symmetric encryption algorithm selector SELECT calls the key setup function of SM4 according to the cryptographic algorithm identifier.
(3) For encryption, sms4_set_encrypt_key is called to set the encryption key; for decryption, sms4_set_decrypt_key is called to set the decryption key.
(4) The SELECT selector passes the TPM command stream to the SM4 algorithm interface, which calls the SM4 part of the cryptographic algorithm support module on the message content extracted from the stream: the SM4_encrypt interface of the support module for encryption, the SM4_decrypt interface for decryption. The result of the operation on the message is passed to the response encoding function interface.
(5) The response encoding interface encodes the result into a TPM response stream, which is returned through the tpm_tis driver to the software stack in the virtual machine, where it is parsed.

Claims (1)

1. A Chinese commercial cipher algorithm expansion method of vTPM2.0, characterized by comprising the following steps:
step 1: enabling the SM3 and SM4 algorithm identifiers reserved in the libtpms function library, so that the algorithms can be used normally once the cryptographic algorithm support module is added;
step 2: for the SM3 algorithm, adding the SM3 part of the cryptographic algorithm support module, and adding to the libtpms function library the SM3 algorithm registration structure and the definitions of the encoding and decoding functions for SM3 algorithm operation results;
step 3: for the SM4 algorithm, adding the SM4 part of the cryptographic algorithm support module, and adding to the libtpms function library the SM4 algorithm registration structure, the definition of the encoding function for SM4 algorithm operation results and the declaration of the decoding function;
step 4: modifying the tpm2-tss component of the TPM2.0 software stack: adding SM2 algorithm support to the ECC algorithm selector in the asymmetric encryption module; adding SM3 algorithm options and control flow to the hash operation module so that it calls the EVP_sm3() function interface; adding SM4 algorithm options and control flow to the symmetric encryption module;
step 5: modifying the tpm2-tools component of the TPM2.0 software stack, adding calls to the SM2 and SM4 algorithms to the ECC algorithm selector and the symmetric encryption algorithm selector respectively;
step 1 specifically comprises: changing the values of ALG_SM3_256 and ALG_SM4 to ALG_YES;
step 2 specifically comprises the following steps:
step 2.1: registering an SM3 algorithm data structure in the hash algorithm sub-module, the structure comprising the SM3 initialization function, update function, data recovery function and memory copy function, the definitions of the algorithm operation unit length, the output result length and the algorithm structure length, and the algorithm identifier;
step 2.2: adding functions for encoding and decoding SM3 algorithm operation results, where the encoding function tpmHashStatSM3_256_Marshal encodes a hash operation result into a TPM command response stream, and the decoding function tpmHashStatSM3_256_UnMarshal decodes a TPM command response stream into a hash operation result;
step 3 specifically comprises the following steps:
step 3.1: registering an SM4 algorithm data structure in the symmetric encryption algorithm selector, the structure comprising the SM4 encryption function, decryption function, encryption key setting function, decryption key setting function and data recovery function, and being defined in macro form in keeping with the design of the algorithm selector;
step 3.2: adding the definition of the encoding function and the declaration of the decoding function for SM4 algorithm processing results, where the encoding function TPMI_SM4_KEY_BITS_Marshal encodes an SM4 processing result into a TPM command response stream, and the decoding function TPMI_SM4_KEY_BITS_UnMarshal decodes a TPM command response stream into an SM4 processing result;
in step 4, SM2 algorithm support is realised by modifying the tpm2-tss component as follows: setting the SM2 algorithm encryption identifier; adding an SM2 algorithm control flow option to the isys_cryptossl_get_ecdh_point and ossl_ecc_pub_from_tpm functions that sets curveId to the SM2 algorithm data structure; adding an SM2 algorithm control flow option to the get_ecc_tpm2b_public_from_evp function that sets tpmCurveId to the SM2 algorithm identifier; adding an SM2 algorithm control flow option to the ifapi_calculated_pcr_digest function that sets pcr_digest_hash_alg to the hash algorithm type of the SM2 signature algorithm;
in step 4, SM3 algorithm support is realised by modifying the tpm2-tss component as follows: for serialization, adding the SM3 algorithm identifier to the CHECK_IN_LIST checker in the hash algorithm serialization function, and adding SM3 algorithm control flow to the hash algorithm parameter serialization function to set the algorithm length and the serialized data variable; for deserialization, adding SM3 algorithm control flow to the hash parameter deserialization object function, setting the hash length variable to TPM2_SM3_256_DIGEST_SIZE, and adding the SM3 algorithm identifier to the SUBTYPE_FILTER filter in that function; for the hash data control flow that calls the cryptographic interface, adding an SM3 algorithm control flow option to the get_ossl_hash_md function that calls the EVP_sm3 interface;
in step 4, SM4 algorithm support is realised by modifying the tpm2-tss component as follows: for serialization, adding the SM4 algorithm identifier to the CHECK_IN_LIST checker in the symmetric encryption algorithm serialization object function, and adding an SM4 algorithm control flow option to the symmetric encryption algorithm key parameter serialization function to serialize the SM4 key object; for deserialization, adding the SM4 algorithm identifier to the SUBTYPE_FILTER filters in the symmetric encryption deserialization function, the deserialization object function and the deserialization algorithm mode function;
step 5 specifically comprises the following steps:
step 5.1: modifying the tpm2-tools component so that, in the key setting function set_key_algorithm, the SM2 and SM4 algorithm parameters are set on the curveID variable of the ECC algorithm and on the inPublic pointer of the symmetric encryption algorithm control flow option respectively;
step 5.2: modifying the tpm2-tools component so that, in the algorithm setup function setup_alg, the SM2 and SM4 algorithm parameters are set on the curveID variable of the ECC algorithm and on the ctx structure of the symmetric encryption algorithm control flow option respectively.
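As an added illustration of steps 1, 2.2 and 4 (this is example code, not code from the patent, libtpms or tpm2-tss): a simplified hash registration table with an ALG_YES switch, and marshal/unmarshal of a TPMT_HA (16-bit algorithm identifier followed by the digest) into a TPM response stream, with the identifier list check and the length check the claims describe. The table layout, the function names and the enabled flag are this example's own simplifications; the algorithm identifier values are the TCG-assigned ones.

```c
#include <stdint.h>
#include <string.h>
/* TCG algorithm identifiers (TPM 2.0 Library Part 2, TPM_ALG_ID). */
#define TPM2_ALG_SHA256  0x000B
#define TPM2_ALG_SM3_256 0x0012

/* Hash registration entry, a simplification of the libtpms hash sub-module
 * table the claims extend: identifier, ALG_YES/ALG_NO switch, digest size. */
struct hash_def { uint16_t alg_id; int enabled; size_t digest_size; };
static struct hash_def hash_table[] = {
    { TPM2_ALG_SHA256,  1, 32 },
    { TPM2_ALG_SM3_256, 0, 32 }, /* TPM2_SM3_256_DIGEST_SIZE; off until step 1 */
};

static struct hash_def *hash_lookup(uint16_t alg) {
    for (size_t i = 0; i < sizeof hash_table / sizeof hash_table[0]; i++)
        if (hash_table[i].alg_id == alg) return &hash_table[i];
    return NULL;
}

/* Step 1 of the method: switch a reserved identifier to ALG_YES. */
int hash_enable(uint16_t alg) {
    struct hash_def *d = hash_lookup(alg);
    if (!d) return -1;
    d->enabled = 1;
    return 0;
}
/* Marshal a TPMT_HA (big-endian UINT16 hashAlg, then the digest) into a TPM
 * response stream. Returns bytes written; 0 if the algorithm is unknown or
 * disabled, or the output buffer is too small. */
size_t tpmt_ha_marshal(uint16_t alg, const uint8_t *digest, uint8_t *out, size_t cap) {
    const struct hash_def *d = hash_lookup(alg);
    if (!d || !d->enabled || cap < 2 + d->digest_size) return 0;
    out[0] = (uint8_t)(alg >> 8);
    out[1] = (uint8_t)(alg & 0xFF);
    memcpy(out + 2, digest, d->digest_size);
    return 2 + d->digest_size;
}

/* Unmarshal a TPMT_HA. The identifier is checked against the table (the
 * CHECK_IN_LIST role) and the stream length against the digest size before
 * anything is copied. Returns bytes consumed; 0 on rejection. */
size_t tpmt_ha_unmarshal(const uint8_t *in, size_t len, uint16_t *alg, uint8_t *digest, size_t *dlen) {
    if (len < 2) return 0;
    uint16_t a = (uint16_t)((in[0] << 8) | in[1]);
    const struct hash_def *d = hash_lookup(a);
    if (!d || !d->enabled || len < 2 + d->digest_size) return 0;
    memcpy(digest, in + 2, d->digest_size);
    *alg = a; *dlen = d->digest_size;
    return 2 + d->digest_size;
}
```

Before hash_enable(TPM2_ALG_SM3_256) is called, both functions refuse SM3 results exactly as an unmodified library would; afterwards a 34-byte SM3 TPMT_HA round-trips, while a truncated stream or an unregistered identifier is still rejected.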

Priority Application (1)

Application Number | Priority Date | Filing Date | Title | Status
CN202210429912.5A (CN114679253B) | 2022-04-22 | 2022-04-22 | Chinese commercial cipher algorithm expansion method of vTPM2.0 | Active

Publications (2)

Publication Number | Publication Date
CN114679253A (application) | 2022-06-28
CN114679253B (granted patent) | 2023-03-14

Family

ID=82079215; one family member, CN114679253B (CN), Active

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104794394A * | 2015-04-30 | 2015-07-22 | Inspur Electronic Information Industry Co., Ltd. | Virtual machine startup verification method and device
CN111555881A * | 2020-03-23 | 2020-08-18 | Zhongan Yunke Technology Development (Shandong) Co., Ltd. | Method and system for implementing the Chinese commercial cipher (国密) SSL protocol using SDF and SKF
CN111698091A * | 2020-05-26 | 2020-09-22 | Southeast University | Docker platform dynamic protection method based on trusted computing
WO2021135978A1 * | 2019-12-31 | 2021-07-08 | Huawei Technologies Co., Ltd. | Method for proving trusted state and related device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105678173B * | 2015-12-31 | 2018-06-29 | Wuhan University | vTPM security protection method based on hardware transactional memory
CN108170516A * | 2018-01-03 | 2018-06-15 | Inspur (Beijing) Electronic Information Industry Co., Ltd. | Method, apparatus, device and computer-readable storage medium for creating a vTPM


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"vTPM: Virtualizing the Trusted Platform Module"; Stefan Berger; USENIX Association; 2006-07-31; full text *
"Design and implementation of an active trusted TPM/TCM based on TEE"; Dong Pan et al.; Journal of Software (软件学报); 2020-05-15 (No. 05); full text *
"Research on Chinese commercial cipher algorithm extension technology for the virtual trusted platform module"; Chen Xingshu et al.; Advanced Engineering Sciences (工程科学与技术); 2020-05-09 (No. 03); full text *



Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
2023-12-27 (effective date of registration) | TR01 | Transfer of patent right | Patentee after: China Mobile (Suzhou) Software Technology Co., Ltd., 215163 Building 1, 58 Kunlunshan Road, High-tech Zone, Suzhou City, Jiangsu Province; and Sichuan University. Patentee before: Sichuan University, 610065 No. 24, South Section of First Ring Road, Wuhou District, Chengdu, Sichuan.