CN115840943A - Computing node based on cloud technology and instance management method based on cloud technology - Google Patents
- Publication number
- CN115840943A CN115840943A CN202111113344.XA CN202111113344A CN115840943A CN 115840943 A CN115840943 A CN 115840943A CN 202111113344 A CN202111113344 A CN 202111113344A CN 115840943 A CN115840943 A CN 115840943A
- Authority
- CN
- China
- Prior art keywords
- instance
- enclave
- card
- trusted execution
- host machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units; G06F13/38 Information transfer, e.g. on bus; G06F13/40 Bus structure (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F9/00 Arrangements for program control, e.g. control units; G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs; G06F9/44 Arrangements for executing specific programs; G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Multi Processors (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of this application disclose a cloud-technology-based computing node and a cloud-technology-based instance management method, intended to improve the security, confidentiality and integrity of user programs and data while reducing the impact on service performance. The computing node comprises a host machine and an offload card. The offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, and a trusted execution module allocated to the Enclave instance is also provided on the offload card; a main instance runs on the host machine; and an application program is deployed in the Enclave instance. The Enclave instance sends the confidential computing tasks generated by the application program to the trusted execution module, and the trusted execution module processes those tasks.
Description
Technical Field
Embodiments of this application relate to the field of cloud technology, and in particular to a cloud-technology-based computing node and a cloud-technology-based instance management method.
Background
Cloud technology is used in many fields, including cloud services, the security of the data environment of cloud services, and the protection of data privacy in the cloud.
Data in cloud services generally exists in three states: data at rest, data in transit, and data in use. The first two can be protected by encryption. Data in use is currently protected mainly by confidential computing, whose defining feature is a Trusted Execution Environment (TEE), a secure area inside the central processing unit (CPU). Confidential data and the software that processes it are placed in the TEE, where they can only be accessed in an authorised manner; this guarantees the confidentiality and integrity of the data and reduces the attack surface of the software while it processes that data. Existing TEEs are built on a virtual machine monitor (VMM): the VMM isolates a portion of the CPU and memory from the rest of the host machine, and the isolated CPU and memory are used to construct the TEE.
However, when the host machine is attacked, for example when its VMM is compromised, the CPU and memory of the host machine can be accessed through the VMM, so the security of the TEE is compromised as well. In addition, the TEE consumes host machine resources and therefore affects the services running on the host.
Disclosure of Invention
Embodiments of this application provide a cloud-technology-based computing node for improving the security, confidentiality and integrity of user programs and data while reducing the impact on service performance. Embodiments of this application also provide a corresponding cloud-technology-based instance management method.
A first aspect of this application provides a cloud-technology-based computing node comprising a host machine and an offload card. The offload card is inserted into the host machine and establishes a communication channel with it. An Enclave instance runs on the offload card, a trusted execution module allocated to the Enclave instance is also provided on the offload card, an application program is deployed in the Enclave instance, and a main instance runs on the host machine. The Enclave instance sends the confidential computing tasks generated by the application program to the trusted execution module; the trusted execution module processes the tasks and returns the results to the Enclave instance.
In this application the cloud-technology-based computing node may be a server comprising a host machine and an offload card. One or more virtual machines (VMs) may run on the host machine, executed by a virtual machine manager (hypervisor), which is also called a virtual machine monitor (VMM). The offload card is a standard peripheral of the host machine, also referred to in this application as a smart card; it is inserted into the host machine and establishes a communication channel with it. A main instance runs on the host machine.
An Enclave instance runs on the offload card, and a trusted execution module allocated to that Enclave instance is provided there as well. The Enclave instance is a trusted execution environment, that is, a trusted isolated space, and the trusted execution module performs the confidential computation. An application program is deployed in the Enclave instance; in operation, the Enclave instance sends the confidential computing tasks generated by the application program to the trusted execution module, which processes them and returns the results to the Enclave instance, completing the tasks.
In the first aspect, therefore, the computing node comprises a host machine and an offload card that is inserted into it and connected to it by a communication channel; the offload card runs the Enclave instance and its trusted execution module, the host machine runs the main instance, the application program in the Enclave instance generates confidential computing tasks, the Enclave instance sends them to the trusted execution module, and the trusted execution module processes them. Because the Enclave instance runs on the offload card, the TEE is physically separated from the main instance by the boundary between the host machine and the offload card, so an attack on the host machine cannot reach the TEE on the offload card. This improves the security, confidentiality and integrity of user programs and data and protects the data-processing stage of confidential computing. In addition, the TEE on the offload card does not consume host machine resources, so service performance is unaffected.
In a possible implementation of the first aspect, the offload card is connected to a cloud management platform over a network, and the offload card is configured to receive a main-instance creation request from the cloud management platform and to notify the host machine over the communication channel to create the main instance.
In this implementation the offload card is also connected to the cloud management platform over a network, so the computing node can be deployed in a cloud data centre: a user enters a main-instance creation request at a client and sends it to the cloud management platform over the internet; the cloud management platform forwards the request to the offload card of the computing node over the data centre's internal network; and the offload card notifies the host machine over the communication channel to create the main instance. This improves the practicability of the scheme.
In a possible implementation of the first aspect, the main instance is further configured to notify the offload card to create an Enclave instance and its trusted execution module, based on an Enclave-instance creation command entered by a tenant who has logged in to the main instance.
In this implementation the computing node can be shared by several tenants; after logging in to the main instance, a tenant enters an Enclave-instance creation command, which causes the main instance to notify the offload card to create the Enclave instance and its trusted execution module. This improves the practicability of the scheme.
In a possible implementation of the first aspect, the number of Enclave instances is 1.
In this implementation one main instance is configured with one Enclave instance, which improves the practicability of the scheme.
In a possible implementation of the first aspect, the number of Enclave instances is N, where N is an integer greater than or equal to 2, and the N Enclave instances handle different types of confidential computing tasks.
In this implementation a main instance may be configured with several Enclave instances, each handling a different type of confidential computing task. After the main instance starts an Enclave instance, the application program running in that Enclave instance generates the corresponding confidential computing tasks; when a particular type of task needs to be handled, the main instance starts only the corresponding Enclave instance. This gives fine-grained splitting of confidential computing tasks and keeps the privileges of each Enclave instance to a minimum.
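The data path of the first aspect (application in the Enclave instance, task sent to the trusted execution module, result returned) and the N-Enclave split just described can be exercised together in software. The Python below is an added example for this page, not code from the patent or from any product. It assumes that each trusted execution module has been provisioned with a key for exactly one task type (for instance after the tenant attested the card), that the host instance relays sealed tasks over the communication channel without ever holding a key, and that a compromised host or VMM can only tamper with or misroute what passes through it. The authenticated encryption is a toy encrypt-then-MAC construction over HMAC-SHA256 so the example runs with the standard library alone; a real deployment would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import struct


# ---- toy AEAD: HMAC-SHA256 counter-mode keystream plus HMAC tag (illustrative only) ----
def _subkeys(key):
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, aad, plaintext):
    """Returns nonce || ciphertext || tag; `aad` (the task type) is authenticated, not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()

def unseal(key, aad, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TrustedExecutionModule:
    """One per Enclave instance; holds the key for exactly one task type (assumed provisioned by the tenant)."""
    HANDLERS = {
        b"sum": lambda data: str(sum(int(x) for x in data.split(b","))).encode(),
        b"hash": lambda data: hashlib.sha256(data).hexdigest().encode(),
    }

    def __init__(self, task_type, key):
        self.task_type, self._key = task_type, key

    def process(self, task_type, sealed_input):
        if task_type != self.task_type:                 # least privilege: one task type per module
            raise PermissionError("task type not allowed on this trusted execution module")
        data = unseal(self._key, task_type, sealed_input)   # raises if the host tampered with it
        return seal(self._key, b"result|" + task_type, self.HANDLERS[task_type](data))


class EnclaveInstance:
    """Runs on the offload card; the application inside turns what arrives over the isolated
    channel into a confidential computing task for its trusted execution module."""
    def __init__(self, task_type, key):
        self.task_type, self.tem = task_type, TrustedExecutionModule(task_type, key)

    def on_channel_message(self, task_type, sealed_input):
        return self.tem.process(task_type, sealed_input)


class HostInstance:
    """Runs on the host machine: relays sealed tasks over the communication channel and never
    holds a key. `tamper`, when set, models a compromised host or VMM."""
    def __init__(self, enclaves, tamper=None):
        self.enclaves = {e.task_type: e for e in enclaves}
        self.tamper = tamper

    def dispatch(self, task_type, sealed_input):
        target = self.enclaves[task_type]
        if self.tamper:
            task_type, sealed_input, target = self.tamper(task_type, sealed_input, self.enclaves)
        return target.on_channel_message(task_type, sealed_input)


def build_node(tamper=None):
    keys = {b"sum": secrets.token_bytes(32), b"hash": secrets.token_bytes(32)}
    return HostInstance([EnclaveInstance(t, k) for t, k in keys.items()], tamper), keys

def run_task(host, keys, task_type, data):
    """Tenant side: seal the input, let the host relay it, unseal the result.
    Returns the plaintext result, or the reason the trusted execution module refused."""
    try:
        sealed = host.dispatch(task_type, seal(keys[task_type], task_type, data))
        return unseal(keys[task_type], b"result|" + task_type, sealed).decode()
    except (ValueError, PermissionError) as exc:
        return "rejected: " + str(exc)

def flip_byte(task_type, blob, enclaves):
    """Compromised host corrupts one ciphertext byte in transit."""
    blob = bytearray(blob)
    blob[20] ^= 0x01
    return task_type, bytes(blob), enclaves[task_type]

def misroute(task_type, blob, enclaves):
    """Compromised host pushes a 'sum' task at the 'hash' Enclave's module."""
    return task_type, blob, enclaves[b"hash"]

def honest():
    host, keys = build_node()
    return run_task(host, keys, b"sum", b"1,2,3,4")          # constructed input

def tampered():
    host, keys = build_node(flip_byte)
    return run_task(host, keys, b"sum", b"1,2,3,4")

def misrouted():
    host, keys = build_node(misroute)
    return run_task(host, keys, b"sum", b"1,2,3,4")
```

Binding the task type into the authenticated data, and giving each trusted execution module only its own key, is what turns the "N Enclave instances for N task types" layout into an enforced boundary: a host that flips a byte is caught by the tag, and a host that pushes a task at the wrong Enclave is refused before any key is touched.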
In a possible implementation of the first aspect, the number of trusted execution modules is N, and each trusted execution module is connected to a different Enclave instance.
In this implementation the number of trusted execution modules equals the number of Enclave instances, and each trusted execution module is connected to a different Enclave instance, which improves the practicability of the scheme.
In a possible implementation of the first aspect, one main instance corresponds to one trusted execution module.
In this implementation the number of main instances equals the number of trusted execution modules, and the trusted execution module corresponding to a main instance may be connected to different Enclave instances to provide services, which improves the practicability of the scheme.
In a possible implementation of the first aspect, the communication channel is a Peripheral Component Interconnect Express (PCIe) channel or a Compute Express Link (CXL) channel.
In this implementation the communication channel may be a PCIe channel or a CXL channel, which raises the communication speed between the host machine and the offload card.
A second aspect of this application provides a cloud-technology-based instance management method applied to a computing node. The computing node comprises a host machine and an offload card; the offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, a trusted execution module allocated to the Enclave instance is also provided on the offload card, an application program is deployed in the Enclave instance, and a main instance runs on the host machine. The method comprises: the Enclave instance sends the confidential computing task generated by the application program to the trusted execution module; the trusted execution module processes the task and returns the result to the Enclave instance.
In this application the cloud-technology-based computing node may be a server comprising a host machine and an offload card. One or more virtual machines may run on the host machine, executed by a virtual machine manager, which is also called a virtual machine monitor. The offload card is a standard peripheral of the host machine, also referred to in this application as a smart card; it is inserted into the host machine and establishes a communication channel with it. A main instance runs on the host machine.
An Enclave instance runs on the offload card, and a trusted execution module allocated to that Enclave instance is provided there as well. The Enclave instance is a trusted execution environment, that is, a trusted isolated space, and the trusted execution module performs the confidential computation. An application program is deployed in the Enclave instance; in operation, the Enclave instance sends the confidential computing task generated by the application program to the trusted execution module, which processes it and returns the result to the Enclave instance, completing the task.
In the second aspect, therefore, the instance management method is applied to a computing node comprising a host machine and an offload card that is inserted into it and connected to it by a communication channel; the offload card runs the Enclave instance and its trusted execution module, the host machine runs the main instance, and the application program is deployed in the Enclave instance. The method comprises: the Enclave instance sends the confidential computing task generated by the application program to the trusted execution module, and the trusted execution module processes it. Because the Enclave instance runs on the offload card, the TEE is physically separated from the main instance by the boundary between the host machine and the offload card, so an attack on the host machine cannot reach the TEE on the offload card. This improves the security, confidentiality and integrity of user programs and data and protects the data-processing stage of confidential computing. In addition, the TEE on the offload card does not consume host machine resources, so service performance is unaffected.
In a possible implementation of the second aspect, the offload card is connected to a cloud management platform over a network, and the method further comprises: the offload card receives a main-instance creation request from the cloud management platform and notifies the host machine over the communication channel to create the main instance.
In this implementation the offload card is also connected to the cloud management platform over a network, so the instance management method can be applied in a cloud data centre: a user enters a main-instance creation request at a client and sends it to the cloud management platform over the internet; the cloud management platform forwards the request to the offload card of the computing node over the data centre's internal network; and the offload card notifies the host machine over the communication channel to create the main instance. This improves the practicability of the scheme.
In a possible implementation of the second aspect, the method further comprises: the main instance notifies the offload card to create the Enclave instance and its trusted execution module, based on an Enclave-instance creation command entered by a tenant who has logged in to the main instance.
In this implementation the computing node can be shared by several tenants; after logging in to the main instance, a tenant enters an Enclave-instance creation command, which causes the main instance to notify the offload card to create the Enclave instance and its trusted execution module. This improves the practicability of the scheme.
In a possible implementation of the second aspect, the number of Enclave instances is 1.
In this implementation one main instance is configured with one Enclave instance, which improves the practicability of the scheme.
In a possible implementation of the second aspect, the number of Enclave instances is N, where N is an integer greater than or equal to 2, and the N Enclave instances handle different types of confidential computing tasks.
In this implementation a main instance may be configured with several Enclave instances, each handling a different type of confidential computing task. After the main instance starts an Enclave instance, the application program running in that Enclave instance generates the corresponding confidential computing tasks; when a particular type of task needs to be handled, the main instance starts only the corresponding Enclave instance. This gives fine-grained splitting of confidential computing tasks and keeps the privileges of each Enclave instance to a minimum.
In a possible implementation of the second aspect, the number of trusted execution modules is N, and each trusted execution module is connected to a different Enclave instance.
In this implementation the number of trusted execution modules equals the number of Enclave instances, and each trusted execution module is connected to a different Enclave instance, which improves the practicability of the scheme.
In a possible implementation of the second aspect, one main instance corresponds to one trusted execution module.
In this implementation the number of main instances equals the number of trusted execution modules, and the trusted execution module corresponding to a main instance may be connected to different Enclave instances to provide services, which improves the practicability of the scheme.
In a possible implementation of the second aspect, the communication channel is a Peripheral Component Interconnect Express (PCIe) channel or a Compute Express Link (CXL) channel.
In this implementation the communication channel may be a PCIe channel or a CXL channel, which raises the communication speed between the host machine and the offload card.
In the embodiments of this application, the cloud-technology-based computing node comprises a host machine and an offload card; the offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, a trusted execution module allocated to the Enclave instance is also provided on the offload card, a main instance runs on the host machine, and an application program is deployed in the Enclave instance. The Enclave instance sends the confidential computing tasks generated by the application program to the trusted execution module, and the trusted execution module processes them. Because the Enclave instance runs on the offload card, the TEE is physically separated from the main instance by the boundary between the host machine and the offload card, so an attack on the host machine cannot reach the TEE on the offload card. This improves the security of the TEE and protects the data-processing stage of confidential computing. In addition, the TEE on the offload card does not consume host machine resources, so service performance is unaffected.
Drawings
FIG. 1 is an architecture diagram of a cloud data centre;
FIG. 2 is a software-layer schematic diagram of an embodiment of the cloud-technology-based computing node provided in an embodiment of this application;
FIG. 3 is a hardware-layer schematic diagram of an embodiment of the cloud-technology-based computing node provided in an embodiment of this application;
FIG. 4 is a hardware-layer schematic diagram of another embodiment of the cloud-technology-based computing node provided in an embodiment of this application;
FIG. 5 is a schematic diagram of an embodiment of the cloud-technology-based instance management method provided in an embodiment of this application;
FIG. 6 is a schematic diagram of another embodiment of the cloud-technology-based instance management method provided in an embodiment of this application.
Detailed Description
Embodiments of the present application will now be described with reference to the accompanying drawings, and it is to be understood that the described embodiments are merely illustrative of some, but not all, embodiments of the present application. As can be known to those skilled in the art, with the development of technology and the emergence of new scenarios, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Embodiments of this application provide a cloud-technology-based computing node for improving the security, confidentiality and integrity of user programs and data while reducing the impact on service performance, and a corresponding cloud-technology-based instance management method. Both are described in detail below.
As shown in FIG. 1, the cloud data centre includes a cloud management platform, a data centre internal network, and a plurality of identical servers, for example server 1 and server 2. Each server exchanges information with the data centre internal network and the cloud management platform through its network card, and the cloud management platform exchanges information with clients over the internet. The network card is installed on the offload card, which is also called a smart card and is a standard peripheral of the server; every server is equipped with one. The server further includes a host machine; the offload card is inserted into the host machine and establishes a communication channel with it. One or more virtual machines (VMs), such as virtual machine 1 and virtual machine 2, may run on the host machine; the virtual machines may also be called cloud servers (ECSs) or elastic instances, and they are executed by a virtual machine manager (hypervisor), also called a virtual machine monitor (VMM).
Specifically, the cloud management platform provides an access interface (such as a web interface or an API). A tenant operates a client to access this interface remotely, registers a cloud account and password on the cloud management platform, and logs in. Once the platform has authenticated the account and password, the tenant can select and pay for a virtual machine of a particular specification (processor, memory and disk). After payment, the cloud management platform provides a remote login account and password for the purchased virtual machine; the client logs in to the virtual machine remotely, and the tenant installs and runs applications in it. On the server, the cloud management platform's client component receives control-plane commands from the cloud management platform and creates the virtual machine and manages its full life cycle accordingly, so that the tenant can create, manage, log in to and operate virtual machines in the cloud data centre through the cloud management platform.
Before an application can process data, the data usually has to be decrypted in memory, which exposes it to attack while it is being processed there. Confidential computing addresses this with a hardware-based Trusted Execution Environment (TEE), a secure area inside the CPU. The TEE is protected by an embedded encryption key and an embedded attestation mechanism, which together ensure that the key is accessible only to authorised application code. If malware or other unauthorised code attempts to access the key, or if the authorised code is compromised or altered in any way, the TEE denies access to the key and aborts the computation. Sensitive data therefore remains protected in memory until the application instructs the TEE to decrypt it for processing. The hypervisor, the operating system, the other components of the computing stack, and the cloud provider and its employees cannot see the data during decryption or at any point during the computation.
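The key-release rule in the paragraph above (the key is usable only by the authorised code, and altered code is refused) is what a measurement-bound key derivation implements. The Python below is an added example for this page, not the patent's or any vendor's mechanism. The root secret, the "approved" and "altered" code strings and the data record are constructed for the example; the derivation is an HMAC-SHA256 extract-and-expand stand-in for a hardware key-derivation function; and sealing is shown as a MAC only, whereas a real TEE also encrypts the sealed data and signs its attestation report with an asymmetric key.

```python
import hashlib
import hmac

# Constructed stand-in for the hardware root secret; in a real TEE it is fused into the
# CPU and never leaves it.
ROOT_SECRET = hashlib.sha256(b"constructed-root-secret-for-this-example").digest()

# The application code the tenant reviewed and approved (constructed).
APPROVED_CODE = b"def analyse(rows):\n    return sum(rows) / len(rows)\n"
# The same code after an attacker appends an exfiltration step (constructed).
ALTERED_CODE = APPROVED_CODE + b"import socket  # leak rows elsewhere\n"


def measure(code):
    """Measurement of the loaded code, as a TEE computes it at load time."""
    return hashlib.sha256(code).digest()


def derive_key(measurement, label):
    """Key bound to the measurement (HKDF-style extract-then-expand with HMAC-SHA256).
    Any change to the code changes the measurement and therefore the key."""
    prk = hmac.new(ROOT_SECRET, measurement, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def release_key(loaded_code, expected_measurement, label=b"data-key"):
    """Attestation gate: the TEE hands out the key only if the code it is actually
    running matches the measurement the tenant approved; otherwise it refuses."""
    actual = measure(loaded_code)
    if not hmac.compare_digest(actual, expected_measurement):
        return None
    return derive_key(actual, label)


def seal(measurement, data):
    """Tenant side: bind data to the approved code with a tag under the
    measurement-derived key (a MAC here; a real TEE also encrypts)."""
    return hmac.new(derive_key(measurement, b"data-key"), data, hashlib.sha256).digest()


def tee_unseal(loaded_code, data, tag):
    """TEE side: re-derive the key from the code actually loaded and verify the tag.
    Succeeds only when the running code is the approved code."""
    key = derive_key(measure(loaded_code), b"data-key")
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def demo():
    """Compares what approved and altered code can do with the same sealed record."""
    approved = measure(APPROVED_CODE)
    record = b"rows=3,5,8"                       # constructed sensitive input
    tag = seal(approved, record)
    return {
        "approved_code_gets_key": release_key(APPROVED_CODE, approved) is not None,
        "altered_code_gets_key": release_key(ALTERED_CODE, approved) is not None,
        "approved_code_unseals": tee_unseal(APPROVED_CODE, record, tag),
        "altered_code_unseals": tee_unseal(ALTERED_CODE, record, tag),
        "keys_differ": derive_key(approved, b"data-key")
                       != derive_key(measure(ALTERED_CODE), b"data-key"),
    }


if __name__ == "__main__":
    print(demo())
```

Two independent controls appear here: the explicit gate in `release_key`, which compares the measurement against the tenant's expectation, and the fact that the key itself is a function of the measurement, so even code that bypasses the gate derives a key that cannot unseal the tenant's data.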
Confidential computing protects sensitive data in use. Combined with encryption of data at rest and in transit under keys the tenant controls exclusively, it removes the main obstacle to migrating sensitive or highly regulated data sets and application workloads from inflexible, expensive on-premises information technology (IT) infrastructure to more flexible and modern public cloud platforms.
Confidential computing also protects intellectual property. It is not only a data-protection tool: a TEE can also protect proprietary business logic, analytics functions, machine learning algorithms, or entire applications.
Confidential computing enables new cloud solutions for secure collaboration with partners. For example, one company can combine its sensitive data with another company's proprietary computation to create a new solution, without either company having to share data or intellectual property it does not wish to share.
Confidential computing removes a concern when selecting a cloud provider. It allows a company to choose the cloud service that best meets its technical and business requirements without worrying about how customer data, proprietary technology and other sensitive assets are stored and processed. It also eases competitive concerns where the cloud provider offers services that compete with the company's own.
Confidential computing also protects data processed at the edge. Edge computing is a distributed computing framework that brings enterprise applications closer to data sources such as Internet of Things (IoT) devices or local edge servers; used as part of a distributed cloud model, confidential computing protects the data and applications on edge nodes.
The cloud-technology-based computing node provided by the embodiments of the present application is described below with reference to the architecture of the cloud data center and the concept of confidential computing.
As shown in fig. 2, one embodiment of the cloud-technology-based computing node provided in the embodiments of the present application includes a host 100 and an offload card 200. The offload card 200 is inserted into the host 100 and establishes a communication channel with it; the offload card 200 runs an Enclave instance 210 and is further provided with a trusted execution module 220 allocated to the Enclave instance 210; an application program runs in the Enclave instance 210; and the host 100 runs a main instance 110. In this embodiment the number of Enclave instances 210 is 1, and the communication channel may be a peripheral component interconnect express (PCIe) channel or a compute express link (CXL) channel.
Specifically, the host 100 further includes a virtual machine manager 130 and an instance simulator front-end module 120. The instance simulator front-end module 120 serves only the main instance 110, and the instance it simulates is an abstract concept that is not limited to a virtual machine, a container, a function, or the like. The front-end module 120 simulates the various chipsets of a computer device and handles lifecycle management of the Central Processing Units (CPUs) in the virtual machine, virtual machine exits (VM Exit), and other logic closely tied to virtual machine traffic. It specifically includes an intelligent control module 121 and an isolated communication module 122: the intelligent control module 121 is the channel through which the main instance 110 performs lifecycle control of the Enclave instance 210, and the isolated communication module 122 is the secure communication channel through which the main instance 110 is connected to the Enclave instance 210 on the offload card 200, with complete security controls. The front-end module 120 may further include other modules appropriate to its purpose, which this application does not limit.
More specifically, the intelligent control module 121 includes a lifecycle management module 1211 and a virtual device simulation module 1212. The lifecycle management module 1211 performs operations such as creating, destroying, and modifying the Enclave instance 210 and is also responsible for connection management with the instance simulator back-end module 230. The virtual device simulation module 1212 simulates the device that carries the command channel of the main instance 110; the device may be a virtualized I/O (VirtIO) device, any other peripheral component interconnect (PCI) device, a memory-mapped I/O (MMIO) simulation device, or the like. The isolated communication module 122 includes a control device module 1221 and an authority management module 1222. The control device module 1221 is mainly used to establish a secure channel connection between the main instance 110 and the Enclave instance 210; the channel may be a VirtIO device, a network card device, a shared memory device, or the like, and is ultimately carried over the communication channel or a trusted network. The authority management module 1222 controls and manages the permissions of the communication channel, so that no unauthorized user, and no attacker who has escaped from an instance, can access the communication channel.
The trusted execution module 220 includes an enclave security module 221, a message management module 222, a security processing module 223, and a hardware acceleration module 224. The enclave security module 221 provides the trusted execution module 220 with the instructions related to the trusted execution environment and performs simulated management of the related devices. The message management module 222 performs the handshake with the instance simulator front-end module 120, including establishment of the communication channel, automatic reconnection, message distribution, and the like. The security processing module 223 performs the security operations associated with confidential computing tasks, such as encryption and decryption, random number generation, and certificate generation logic. The hardware acceleration module 224 enables the capabilities of the security chip or TEE, stores confidential information such as keys and Platform Configuration Register (PCR) values in hardware, or accelerates security operations using the hardware. The entire trusted execution module 220 may be placed in whole or in part inside the TEE, thereby building a fully isolated confidential computing environment.
Further, the enclave security module 221 includes a device management module 2211, a back-end communication management module 2212, a resource management module 2213, and a security information encapsulation module 2214. The device management module 2211 simulates a lightweight trusted execution environment and includes the device management functions of a security module device, a virtual security module device, or a directly connected real module device. The back-end communication management module 2212 establishes a connection with the Enclave instance 210 to transfer the requests and response information of the Enclave instance 210. The resource management module 2213 is responsible for the allocation and release of resources for the whole trusted execution module 220. The security information encapsulation module 2214 securely encapsulates the requests issued by the trusted execution module 220; it is optional and is not required in some scenarios, such as a pass-through scenario.
As shown in fig. 3, at the hardware level the host 310 includes a CPU 311, a memory 312, and a Root Complex (RC) chip 313. The RC chip 313 is a chip defined in the PCIe specification; it provides the hardware interface through which the CPU 311 of the host 310 sends PCIe messages to and receives them from external devices. The host 310 and the offload card 320 are interconnected by the standard PCIe protocol, that is, the communication channel is a PCIe channel. Alternatively, the communication channel may be a CXL channel, in which case the RC chip 313 may be replaced.
The offload card 320 includes a CPU 321, a memory 322, an End Point (EP) chip 323, and a security chip 324. The EP chip 323 is a chip defined in the PCIe specification; it serves as the peripheral-side interface for sending PCIe messages to and receiving them from the host 310, that is, the communication channel is a PCIe channel. Alternatively, the communication channel may be a CXL channel, in which case the EP chip 323 may be replaced. In addition, the security chip 324 may be a TEE security chip, which may also be integrated in the CPU 321, so as to further strengthen the security of confidential computing through hardware.
In operation, an application program (APP) running in the Enclave instance generates a confidential computing task. The application is developed by the user, that is, the user creates it in advance according to the user's own confidential computing requirements, and the task may, for example, obtain a random number or key information. The Enclave instance then sends the task to the trusted execution module; specifically, it sends the task to the device management module in the Enclave security module. On receiving the task, the Enclave security module parses only the header information used for management and does not parse the content of the task itself. The security processing module then parses the task, and the trusted execution module may call the corresponding logic of the hardware acceleration module to accelerate processing according to the category of the task. Once a processing result is obtained, the trusted execution module returns it to the Enclave instance, and the confidential computing task is complete.
It should be noted that an Enclave security agent module may also be provided in the host. In that case the trusted execution module, after obtaining the processing result, returns it through the message management module to the Enclave security agent module of the host, and the Enclave security agent module in turn returns it to the Enclave instance.
Furthermore, if parameters need to be obtained from outside while a confidential computing task is being processed, the Enclave instance can communicate with the main instance through the communication channel, and the main instance acts as an agent to obtain the parameters from the external network.
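The request path described above (the Enclave instance frames a task, the Enclave security module inspects only the management header, the security processing module interprets the payload, and the result is returned) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from any product: the wire format, the task categories, the status codes and all names are this example's own assumptions, and the key held inside the module object stands in for key material that the hardware acceleration module would keep in the security chip.

```python
"""Hypothetical model of the task request path: management header parsed
first, opaque payload dispatched by category, result returned.  The framing,
categories, status codes and names are assumptions of this example."""
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Dict, Optional, Tuple

# Constructed wire format (assumption): 1-byte version, 1-byte task category,
# 4-byte Enclave instance id, 2-byte payload length, then the payload.
HEADER = struct.Struct("!BBIH")
VERSION = 1

# Task categories understood by the security processing layer (assumed).
CAT_RANDOM = 1   # payload: one byte, number of random bytes wanted (1..255)
CAT_MAC = 2      # payload: data to authenticate with the module-held key

STATUS_OK = 0
STATUS_BAD_HEADER = 1
STATUS_WRONG_ENCLAVE = 2
STATUS_UNKNOWN_TASK = 3
STATUS_BAD_PAYLOAD = 4

Result = Tuple[int, bytes]


def build_request(category: int, enclave_id: int, payload: bytes) -> bytes:
    """Frame a task the way the Enclave instance side would send it."""
    return HEADER.pack(VERSION, category, enclave_id, len(payload)) + payload


class TrustedExecutionModule:
    """One module per Enclave instance; the key never leaves this object."""

    def __init__(self, enclave_id: int, key: Optional[bytes] = None):
        self.enclave_id = enclave_id
        self._key = key if key is not None else secrets.token_bytes(32)
        self._handlers: Dict[int, Callable[[bytes], Result]] = {
            CAT_RANDOM: self._op_random,
            CAT_MAC: self._op_mac,
        }

    def handle(self, frame: bytes) -> Result:
        # Management layer: look at the header only, never at payload content.
        if len(frame) < HEADER.size:
            return STATUS_BAD_HEADER, b""
        version, category, enclave_id, length = HEADER.unpack_from(frame)
        if version != VERSION or len(frame) != HEADER.size + length:
            return STATUS_BAD_HEADER, b""
        if enclave_id != self.enclave_id:
            # The module is bound to exactly one Enclave instance.
            return STATUS_WRONG_ENCLAVE, b""
        handler = self._handlers.get(category)
        if handler is None:
            return STATUS_UNKNOWN_TASK, b""
        # Security processing layer: only here is the payload interpreted.
        return handler(frame[HEADER.size:])

    def _op_random(self, payload: bytes) -> Result:
        if len(payload) != 1 or payload[0] == 0:
            return STATUS_BAD_PAYLOAD, b""
        return STATUS_OK, secrets.token_bytes(payload[0])

    def _op_mac(self, payload: bytes) -> Result:
        if not payload:
            return STATUS_BAD_PAYLOAD, b""
        return STATUS_OK, hmac.new(self._key, payload, hashlib.sha256).digest()

    def verify_mac(self, data: bytes, tag: bytes) -> bool:
        """Constant-time check of a tag produced by a CAT_MAC task."""
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    tem = TrustedExecutionModule(enclave_id=7)
    status, rnd = tem.handle(build_request(CAT_RANDOM, 7, bytes([16])))
    print("random task status", status, "bytes", rnd.hex())
    status, tag = tem.handle(build_request(CAT_MAC, 7, b"constructed-nonce"))
    print("mac task status", status, "verifies:", tem.verify_mac(b"constructed-nonce", tag))
    print("foreign enclave id rejected with", tem.handle(build_request(CAT_MAC, 8, b"x"))[0])
```

The two layers are deliberately separate functions: `handle` rejects malformed, mis-versioned, truncated or mis-addressed frames before any payload byte is read, and the per-category handlers are the only code that sees task content, which is the property the paragraph attributes to the Enclave security module and the security processing module respectively.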
In addition, when the computing node fails, the host and the offload card can be migrated together as a unit to another computing node, which preserves the migratability and virtualization elasticity of the cloud service.
In this embodiment of the application, the cloud-technology-based computing node comprises a host machine and an offload card. The offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, and a trusted execution module allocated to the Enclave instance is also provided on the offload card; a main instance runs on the host machine; and an application program in the Enclave instance generates confidential computing tasks. The Enclave instance sends each confidential computing task to the trusted execution module, and the trusted execution module processes it. Because the offload card runs the Enclave instance, the TEE and the main instance are physically isolated by the boundary between the host machine and the offload card, so a host machine that has been attacked cannot affect the TEE in the offload card. This improves the security, confidentiality and integrity of user programs and data and secures the data processing of confidential computing; in addition, the TEE in the offload card does not consume host machine resources, so service performance is not affected.
As shown in fig. 4, in another embodiment of the cloud-technology-based computing node provided in the embodiments of the present application, the offload card 420 is further connected to a cloud management platform 404 through a network, that is, the computing node 401 is deployed in a data center 400.
At the hardware level, the host 410 includes a CPU 411, a memory 412, and a Root Complex (RC) chip 413. The RC chip 413 is a chip defined in the PCIe specification; it provides the hardware interface through which the CPU 411 of the host 410 sends PCIe messages to and receives them from external devices. The host 410 and the offload card 420 are interconnected by the standard PCIe protocol, that is, the communication channel is a PCIe channel. Alternatively, the communication channel may be a CXL channel, in which case the RC chip 413 may be replaced. The offload card 420 includes a CPU 421, a memory 422, an End Point (EP) chip 423, and a security chip 424. The EP chip 423 is a chip defined in the PCIe specification; it serves as the peripheral-side interface for sending PCIe messages to and receiving them from the host 410, that is, the communication channel is a PCIe channel. Alternatively, the communication channel may be a CXL channel, in which case the EP chip 423 may be replaced. In addition, the security chip 424 may be a TEE security chip, which may also be integrated in the CPU 421, so as to further strengthen the security of confidential computing through hardware.
In addition, the offload card 420 also includes a network card 425, through which the offload card 420 connects to global storage resources and network resources. Specifically, the network card 425 may be connected to the cloud management platform 404 through the data center internal network 403; the data center internal network 403 may also be connected to the network cards of other computing nodes 402; and the cloud management platform 404 is connected to the client 406 through the internet 405.
Before a confidential computing task can be executed, the user needs to create a main instance and an Enclave instance. An administrator or the user can send a main instance creation request. Because the cloud management platform client is offloaded to the offload card, the management component of the offload card first receives the main instance creation request sent by the cloud management platform and then assembles the configuration file corresponding to the main instance; the configuration file includes the CPU type, the number of CPUs, the memory size, the disk, the network card, the mouse, and so on. After the configuration file is fully assembled, the offload card notifies the host machine through the communication channel to create the main instance, that is, it sends the configuration file and the main instance creation request to the host machine. The host machine starts the instance simulator front-end module according to the content of the configuration file and calls the virtual device simulation module of the front-end module into operation; immediately after start-up, the instance simulator back-end module is started as well and establishes a connection channel with the front-end module for the transfer of subsequent messages. This completes the creation of the main instance, which then begins operation.
A user becomes a tenant after purchasing a main instance. The tenant can log in to the main instance, select an Enclave either in the interface of the main instance or during the creation of the main instance, and initiate an Enclave instance creation command in the main instance through an Enclave tool; the command includes information such as the number of CPUs and the amount of memory required by the Enclave instance. The lifecycle management module of the intelligent control module of the main instance's instance simulator front-end module receives the Enclave instance creation command, parses its parameters, and makes the preparations required before start-up. The front-end module of the main instance then notifies the instance simulator back-end module of the offload card through the communication channel to start and construct the Enclave instance. The back-end module pulls up the Enclave instance and the trusted execution module and establishes a secure connection with the main instance using the message management module. At this point the Enclave instance and the trusted execution module are operational and can execute subsequent confidential computing tasks.
Furthermore, the number of Enclave instances may be N, where N is a positive integer greater than or equal to 2; the N Enclave instances respectively process confidential computing tasks of different types, the number of trusted execution modules on the offload card is also N, and each trusted execution module is connected to a different Enclave instance, that is, each Enclave instance is connected to one trusted execution module. When a confidential computing task is to be executed, the main instance starts an Enclave instance and the application program running in that Enclave instance generates the corresponding confidential computing task; if a confidential computing task of a specific type needs to be processed, the main instance need only start the corresponding Enclave instance, and the corresponding trusted execution module completes the processing of the task. In addition, one main instance may also correspond to one trusted execution module, in which case the number of main instances equals the number of trusted execution modules, and the trusted execution module corresponding to a main instance can be connected to different Enclave instances to provide services.
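The creation and binding steps in the three paragraphs above (an Enclave instance creation command validated by the lifecycle management module, one trusted execution module pulled up per Enclave instance, each task type served by exactly one Enclave instance, and access to the isolated channel gated by the authority management module described earlier) can be exercised with the following model of the offload card's back-end. It is an added example for this page, not the patent's or any vendor's code; the class and field names, the capacity limits, the task-type strings and the tenant identifiers are assumptions of the example.

```python
"""Hypothetical model of the Enclave-instance lifecycle path on the offload
card: parse and validate the creation command, pull up one trusted execution
module (TEM) per Enclave instance, bind each task type to exactly one Enclave
instance, and gate the isolated channel by ownership.  Every name, field and
limit here is an assumption of this example, not the patent's."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class EnclaveRecord:
    enclave_id: int
    owner: str                      # main instance that created the enclave
    cpus: int
    memory_mib: int
    task_types: FrozenSet[str]      # confidential task types only it handles
    tem_id: int                     # its dedicated trusted execution module
    state: str = "running"


class OffloadCardBackend:
    """Back-end side of the offload card (constructed stand-in)."""

    def __init__(self, total_cpus: int, total_memory_mib: int):
        self.free_cpus = total_cpus
        self.free_memory_mib = total_memory_mib
        self.enclaves: Dict[int, EnclaveRecord] = {}
        self._next_id = 1

    def _running(self):
        return (r for r in self.enclaves.values() if r.state == "running")

    def create_enclave(self, main_instance: str, command: dict) -> EnclaveRecord:
        """Lifecycle management: validate before committing any resource."""
        try:
            cpus = int(command["cpus"])
            memory_mib = int(command["memory_mib"])
            task_types = frozenset(str(t) for t in command["task_types"])
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"malformed enclave creation command: {exc}") from exc
        if cpus <= 0 or memory_mib <= 0 or not task_types:
            raise ValueError("cpus and memory_mib must be positive, task_types non-empty")
        if cpus > self.free_cpus or memory_mib > self.free_memory_mib:
            raise ValueError("offload card capacity exhausted")
        # Fine-grained splitting: a task type belongs to exactly one enclave,
        # so a compromise of one enclave does not expose another's work.
        for rec in self._running():
            clash = rec.task_types & task_types
            if clash:
                raise ValueError(f"task types already claimed: {sorted(clash)}")
        self.free_cpus -= cpus
        self.free_memory_mib -= memory_mib
        eid = self._next_id
        self._next_id += 1
        # The enclave and its own TEM are pulled up together (tem_id == enclave_id).
        rec = EnclaveRecord(eid, main_instance, cpus, memory_mib, task_types, tem_id=eid)
        self.enclaves[eid] = rec
        return rec

    def open_channel(self, main_instance: str, enclave_id: int) -> bool:
        """Authority check on the isolated channel: only the owning main
        instance may reach this Enclave instance."""
        rec = self.enclaves.get(enclave_id)
        return rec is not None and rec.state == "running" and rec.owner == main_instance

    def route_task(self, main_instance: str, task_type: str) -> Optional[int]:
        """TEM id that serves task_type for this main instance, or None."""
        for rec in self._running():
            if rec.owner == main_instance and task_type in rec.task_types:
                return rec.tem_id
        return None

    def destroy_enclave(self, main_instance: str, enclave_id: int) -> bool:
        """Release the enclave and its TEM; rejected for non-owners."""
        if not self.open_channel(main_instance, enclave_id):
            return False
        rec = self.enclaves[enclave_id]
        rec.state = "destroyed"
        self.free_cpus += rec.cpus
        self.free_memory_mib += rec.memory_mib
        return True


def try_create(card: OffloadCardBackend, main_instance: str, command: dict) -> Optional[EnclaveRecord]:
    """Convenience wrapper: None when the back-end rejects the command."""
    try:
        return card.create_enclave(main_instance, command)
    except ValueError:
        return None


if __name__ == "__main__":
    card = OffloadCardBackend(total_cpus=8, total_memory_mib=4096)
    enc = card.create_enclave("tenant-vm-1", {"cpus": 2, "memory_mib": 1024, "task_types": ["keygen"]})
    print("enclave", enc.enclave_id, "served by TEM", enc.tem_id)
    print("other tenant may open channel:", card.open_channel("tenant-vm-2", enc.enclave_id))
```

Validation happens entirely before `free_cpus` and `free_memory_mib` are touched, so a rejected command leaves the card's bookkeeping unchanged, and the task-type uniqueness check is what turns "N Enclave instances for N task types" into an enforced least-privilege split rather than a convention.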
In this embodiment of the application, the computing node is deployed in a cloud data center and the offload card is further connected to a cloud management platform through a network, so that the main instance and the Enclave instance can be created, which improves the practicability of the scheme. In addition, with multiple Enclave instances, confidential computing tasks can be split at a finer granularity and least privilege is ensured.
As shown in fig. 5, one embodiment of the cloud-technology-based instance management method provided in the embodiments of the present application includes:
501. The Enclave instance sends the confidential computing task generated by the application program to the trusted execution module.
502. The trusted execution module processes the confidential computing task and returns the processing result to the Enclave instance.
The cloud-technology-based instance management method is applied to a computing node. The computing node comprises a host machine and an offload card; the offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, and a trusted execution module allocated to the Enclave instance is also provided on the offload card; an application program runs in the Enclave instance; and a main instance runs on the host machine. In this embodiment the number of Enclave instances is 1, and the communication channel comprises a peripheral component interconnect express (PCIe) channel and a compute express link (CXL) channel.
In the method, the Enclave instance of the computing node sends the confidential computing task generated by the application program to the trusted execution module; the trusted execution module of the computing node then processes the task and returns the processing result to the Enclave instance, completing the confidential computing task.
In this embodiment of the application, the cloud-technology-based instance management method is applied to a computing node comprising a host machine and an offload card. The offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, and a trusted execution module allocated to the Enclave instance is also provided on the offload card; a main instance runs on the host machine; and an application program runs in the Enclave instance. The method comprises the following steps: the Enclave instance sends the confidential computing task generated by the application program to the trusted execution module, and the trusted execution module processes the task. Because the offload card runs the Enclave instance, the TEE and the main instance are physically isolated by the boundary between the host machine and the offload card, so a host machine that has been attacked cannot affect the TEE in the offload card. This improves the security, confidentiality and integrity of user programs and data and secures the data processing of confidential computing; in addition, the TEE in the offload card does not consume host machine resources, so service performance is not affected.
As shown in fig. 6, another embodiment of the cloud-technology-based instance management method provided in the embodiments of the present application includes:
601. The offload card receives a main instance creation request sent by the cloud management platform and notifies the host machine through the communication channel to create the main instance.
602. The main instance notifies the offload card to create the Enclave instance and the trusted execution module, based on an Enclave instance creation command entered by a tenant logged in to the main instance.
603. The Enclave instance sends the confidential computing task generated by the application program to the trusted execution module.
604. The trusted execution module processes the confidential computing task and returns the processing result to the Enclave instance.
The cloud-technology-based instance management method is applied to a computing node. The computing node comprises a host machine and an offload card; the offload card is inserted into the host machine and establishes a communication channel with it; an Enclave instance runs on the offload card, and a trusted execution module allocated to the Enclave instance is also provided on the offload card; an application program runs in the Enclave instance; a main instance runs on the host machine; and the offload card is connected to a cloud management platform through a network. The number of Enclave instances is N, where N is a positive integer greater than or equal to 2; the N Enclave instances respectively process different types of confidential computing tasks; the number of trusted execution modules is N, and each trusted execution module is connected to a different Enclave instance. The communication channel comprises a peripheral component interconnect express (PCIe) channel and a compute express link (CXL) channel. In addition, one main instance may also correspond to one trusted execution module, in which case the number of main instances equals the number of trusted execution modules, and the trusted execution module corresponding to a main instance can be connected to different Enclave instances to provide services.
In the method, the offload card of the computing node receives a main instance creation request sent by the cloud management platform and notifies the host machine through the communication channel to create the main instance. The main instance of the computing node then notifies the offload card to create the Enclave instance and the trusted execution module, based on an Enclave instance creation command entered by a tenant logged in to the main instance. If the main instance of the computing node needs a particular confidential computing task to be carried out, only the Enclave instance corresponding to that task needs to be started. The Enclave instance of the computing node sends the confidential computing task generated by the application program running in it to the trusted execution module corresponding to that Enclave instance, and finally that trusted execution module processes the task and returns the processing result to the Enclave instance, completing the confidential computing task.
In this embodiment of the application, the cloud-technology-based instance management method is applied to a computing node deployed in a cloud data center, where the offload card is further connected to the cloud management platform through a network, so that the main instance and the Enclave instance can be created, which improves the practicability of the scheme. In addition, with multiple Enclave instances, confidential computing tasks can be split at a finer granularity and least privilege is ensured.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the method described above may refer to the corresponding process in the foregoing apparatus embodiments and is not described again here.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions are possible in practice; for instance, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the essence of the technical solution of the present application, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product stored in a storage medium that includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.
Claims (14)
1. A computing node based on cloud technology, characterized by comprising a host machine and an offload card, wherein the offload card is inserted into the host machine and establishes a communication channel with the host machine, an Enclave instance runs on the offload card, a trusted execution module allocated to the Enclave instance is further provided on the offload card, an application program is provided in the Enclave instance, and a main instance runs on the host machine, wherein:
the Enclave instance is used for sending the confidential computing task generated by the application program to the trusted execution module;
and the trusted execution module is used for processing the confidential computing task and returning a processing result to the Enclave instance.
2. The computing node of claim 1, wherein the offload card is connected to a cloud management platform through a network, wherein:
the offload card is used for receiving a main instance creation request sent by the cloud management platform and notifying the host machine through the communication channel to create the main instance.
3. The computing node of claim 1 or 2,
the main instance is further used for notifying the offload card to create the Enclave instance and the trusted execution module based on an Enclave instance creation command entered by a tenant logged in to the main instance.
4. A computing node according to any of claims 1 to 3, wherein the number of Enclave instances is 1.
5. The computing node according to any of claims 1 to 3, wherein the number of Enclave instances is N, N being a positive integer greater than or equal to 2, and the N Enclave instances respectively handle different types of confidential computing tasks.
6. The computing node according to claim 5, wherein the number of trusted execution modules is N, and each trusted execution module is connected to a different Enclave instance.
7. The computing node according to any of claims 1 to 6, wherein the communication channel comprises a peripheral component interconnect express (PCIe) channel and a compute express link (CXL) channel.
8. An instance management method based on cloud technology, applied to a computing node, wherein the computing node comprises a host machine and an offload card, the offload card is inserted into the host machine and establishes a communication channel with the host machine, an Enclave instance runs on the offload card, a trusted execution module allocated to the Enclave instance is further provided on the offload card, an application program is provided in the Enclave instance, and a main instance runs on the host machine, the method comprising the following steps:
the Enclave instance sends the confidential calculation task generated by the application program to the trusted execution module;
and the trusted execution module processes the confidential computing task and returns a processing result to the Enclave instance.
9. The method of claim 8, wherein the offload card is connected to a cloud management platform through a network, the method further comprising:
the offload card receives a main instance creation request sent by the cloud management platform and notifies the host machine through the communication channel to create the main instance.
10. The method according to claim 8 or 9, characterized in that the method further comprises:
the main instance notifies the offload card to create the Enclave instance and the trusted execution module based on an Enclave instance creation command entered by a tenant logged in to the main instance.
11. The method according to any one of claims 8 to 10, wherein the number of Enclave instances is 1.
12. The method according to any one of claims 8 to 10, wherein the number of Enclave instances is N, where N is a positive integer greater than or equal to 2, and the N Enclave instances respectively handle different types of confidential computing tasks.
13. The method according to claim 12, wherein the number of trusted execution modules is N, and each trusted execution module is connected to a different Enclave instance.
14. The method according to any one of claims 8 to 13, wherein the communication channel comprises a peripheral component interconnect express (PCIe) channel and a compute express link (CXL) channel.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111113344.XA CN115840943A (en) | 2021-09-18 | 2021-09-18 | Computing node based on cloud technology and instance management method based on cloud technology |
PCT/CN2022/119318 WO2023041037A1 (en) | 2021-09-18 | 2022-09-16 | Cloud-technology-based computing node and cloud-technology-based instance management method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115840943A true CN115840943A (en) | 2023-03-24 |
Family
ID=85574543
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111113344.XA Pending CN115840943A (en) | 2021-09-18 | 2021-09-18 | Computing node based on cloud technology and instance management method based on cloud technology |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115840943A (en) |
WO (1) | WO2023041037A1 (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10911451B2 (en) * | 2017-01-24 | 2021-02-02 | Microsoft Technology Licensing, Llc | Cross-platform enclave data sealing |
CN107682159B (en) * | 2017-10-12 | 2021-02-02 | 北京握奇智能科技有限公司 | Trusted application management method and trusted application management system of intelligent terminal |
US11010309B2 (en) * | 2018-05-18 | 2021-05-18 | Intel Corporation | Computer system and method for executing one or more software applications, host computer device and method for a host computer device, memory device and method for a memory device and non-transitory computer readable medium |
US10902133B2 (en) * | 2018-10-25 | 2021-01-26 | Enveil, Inc. | Computational operations in enclave computing environments |
- 2021-09-18 CN CN202111113344.XA patent/CN115840943A/en active Pending
- 2022-09-16 WO PCT/CN2022/119318 patent/WO2023041037A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2023041037A1 (en) | 2023-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9575790B2 (en) | Secure communication using a trusted virtual machine | |
US8108668B2 (en) | Associating a multi-context trusted platform module with distributed platforms | |
US7865876B2 (en) | Multiple trusted computing environments | |
US8627069B2 (en) | System and method for securing a computer comprising a microkernel | |
CN114402295A (en) | Secure runtime system and method | |
CN110874468A (en) | Application program safety protection method and related equipment | |
US11748520B2 (en) | Protection of a secured application in a cluster | |
CN112948070A (en) | Method for processing data by a data processing accelerator and data processing accelerator | |
AU2020287873B2 (en) | Systems and methods for processor virtualization | |
CN112052446A (en) | Password unit creation method, data processing method and device and electronic equipment | |
Pop et al. | Towards securely migrating webassembly enclaves | |
WO2023041025A1 (en) | Cloud-technology-based computing node and cloud-technology-based instance management method | |
US20220374512A1 (en) | Software-based hardware security module (hsm) for a virtualized computing environment | |
Yao et al. | CryptVMI: A flexible and encrypted virtual machine introspection system in the cloud | |
US11922211B2 (en) | System and method for cross-architecture trusted execution environment migration | |
WO2023041037A1 (en) | Cloud-technology-based computing node and cloud-technology-based instance management method | |
US11025594B2 (en) | Secret information distribution method and device | |
Ma et al. | A virtual machine cloning approach based on trusted computing | |
Chu et al. | Secure cryptography infrastructures in the cloud | |
Johnson et al. | Confidential Container Groups: Implementing confidential computing on Azure container instances | |
Bobda et al. | Domain Isolation and Access Control in Multi-tenant Cloud FPGAs | |
WO2024002342A1 (en) | Cloud technology-based trusted execution system and method | |
EP4012587A1 (en) | System and method for securely transmitting or storing data | |
Johnson et al. | Confidential Container Groups | |
Ye et al. | Position Paper: From Confidential Computing to Zero Trust, Come Along for the (Bumpy?) Ride |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||