CN116502186A - System application tpm license generation method, system, medium and device - Google Patents

Info

Publication number: CN116502186A
Authority: CN (China)
Prior art keywords: tpm, application, kernel, service, customized
Legal status: Granted
Application number: CN202310754449.6A
Other languages: Chinese (zh)
Other versions: CN116502186B (en)
Inventors: 武斌, 肖垚, 蒋驰, 王旸
Current assignees: Mingyang Industrial Technology Research Institute Shenyang Co ltd; Mingyang Shichuang Beijing Technology Co ltd
Original assignees: Mingyang Industrial Technology Research Institute Shenyang Co ltd; Mingyang Shichuang Beijing Technology Co ltd
Priority and filing date: 2023-06-26 (application filed by Mingyang Industrial Technology Research Institute Shenyang Co ltd and Mingyang Shichuang Beijing Technology Co ltd)
Publication dates: 2023-07-28 (CN116502186A); granted and published as CN116502186B on 2023-09-15
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/30 Computing systems specially adapted for manufacturing

Abstract

The invention discloses a method, system, medium and device for generating a TPM license for a system application. The system is a Talos system whose kernel is a customized kernel with a built-in TPM service driver and a TPM software protocol stack; a TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is placed in the startup services of the customized kernel. The invention solves the technical problem that the conventional Talos system cannot provide TPM authorization to applications.

Description

System application tpm license generation method, system, medium and device
Technical Field
The invention relates to the technical field of communication, in particular to a method, system, medium and device for generating a TPM license for a system application.
Background
Talos is a special-purpose Linux distribution built mainly for rapid container deployment. However, the current version does not support the TPM (Trusted Platform Module), so applications running on it cannot obtain TPM-based authorization and authentication.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide a method, system, medium and device for generating a TPM license for a system application, and thereby overcome the inability of the existing Talos system to provide TPM authorization licenses to applications.
To solve this technical problem, the invention provides the following technical scheme:
A system application TPM license generation method, in which the system is a Talos system whose kernel is a customized kernel with a built-in TPM service driver and a TPM software protocol stack. To provide a TPM license for an application in the Talos system, a configuration file is first set for the application, a communication connection is established between the application and the TPM service, the application is then run and calls the TPM service, and the TPM service then completes the licensing of the application. A TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is placed in the startup services of the customized kernel.
In the above method, the TPM software package comprises tpm2-tss, tpm2-abrmd and tpm2-tools.
In the above method, when the kernel is customized into the customized kernel, a TPM driver module and a TPM software protocol stack are added to the kernel through a custom open-source image build, and a TPM software package and an authorization application service are added to the root file system and the startup services of the kernel.
In the above method, when the kernel is customized into the customized kernel, the open-source image is built with a multi-stage Docker build.
In the above method, the application and the TPM software package are placed in one partition.
A system for generating a TPM license for a system application, wherein the system is a Talos system whose kernel is a customized kernel with a TPM service driver and a TPM software protocol stack; a TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is set in the startup services of the customized kernel.
In the above system, the TPM software package comprises tpm2-tss, tpm2-abrmd and tpm2-tools.
In the above system, the TPM software package and the application are located in one partition.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above method.
A computer device comprising a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, the computer program, when executed by the processor, implementing the above method.
The technical scheme of the invention has the following beneficial technical effects:
By placing a TPM service driver and a TPM software protocol stack in the kernel of the Talos system, installing a TPM software package in the root file system of the kernel, and setting a TPM authorization application service in the startup services of the kernel, the invention provides TPM authorization to applications in the Talos system.
Drawings
FIG. 1 is a schematic diagram of the operation of a system for generating a tpm license for a system application in accordance with the present invention;
FIG. 2 is a flow chart of generating a tpm license for a system application in accordance with the present invention;
FIG. 3 is a schematic diagram of a computer device that may generate a tpm license for a system application.
Detailed Description
The invention is further described below with reference to examples.
As shown in FIG. 1, the system for generating a TPM license for a system application is a Talos system whose kernel is a customized kernel with a built-in TPM service driver and a TPM software protocol stack; a TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is set in the startup services of the customized kernel.
The TPM software package includes tpm2-tss, tpm2-abrmd and tpm2-tools, and the TPM software package and the application are placed in one partition.
The existing Talos system is a minimal Linux that is tightly integrated with Kubernetes (K8s). It provides an immutable Linux environment, can be managed conveniently through a gRPC API, is well suited to building edge computing environments or infrastructure-as-code (IaC) architectures in ultra-low-power environments, can be deployed in container environments, on the major public clouds or on common virtualization platforms (VMware and Microsoft Hyper-V are supported), and also runs on bare-metal platforms.
The disk encryption scheme of the existing Talos system does not support TPM communication or storing the key in the TPM. As a special-purpose container operating system, the existing Talos system has the following characteristics:
Lightweight: Talos contains only a small set of binaries and shared libraries, just enough to run a container engine and a few system services;
Immutable: the immutability of the Talos system means that the system is not changed after deployment, and the root file system is mounted read-only while the system runs; this immutability restricts the addition of new software and also prevents intrusion by malicious software;
API-driven: in the Talos system, APIs perform system management tasks such as diagnostics, upgrading Talos and Kubernetes, retrieving kernel logs and exposing network interfaces.
The main components of the Talos system are as follows:
kernel: the Linux system kernel;
apid: this component provides the gRPC API on the node. When communicating with Talos, apid listens on port 50000 and acts as a gateway that accepts requests and routes them to the destination device. Users connect to apid with the Talos CLI tool;
udevd: this component manages device files, with the device nodes controlled under the /dev path (for example, the hardware path /dev/sda). udevd handles all device reporting and user-directed device operations, such as adding and removing devices.
When the existing Talos system kernel is customized into the customized kernel, a TPM driver module and a TPM software protocol stack are added to the kernel through a multi-stage Docker build of the open-source image, and a TPM software package and an authorization application service are added to the root file system and the startup services of the kernel.
When the existing Talos system kernel is customized into the customized kernel, a custom build stage can be defined and the build started from the installer image; when the installer image is built, its contents are automatically copied into the root file system in the kernel customization stage.
As shown in FIG. 2, the steps for generating a TPM license for a Talos system application with the system described above are:
s1) setting a configuration file for the application;
s2) establishing a communication connection between the application and the TPM service;
s3) running the application, which calls the TPM service, whereupon the TPM service completes the licensing of the application.
When the system of the present invention is used to generate a TPM license for a Talos system application and thereby grant the application an authorization license, entities are created with the commands tpm2_createprimary, tpm2_create and tpm2_nvdefine, each of which takes a parameter for the incoming authValue; the authValue may be used as a simple plaintext password or as an input to HMAC authorization. TPM2_CreatePrimary creates a primary object (an object directly under a primary seed) in a hierarchy. If the userWithAuth attribute of the inPublic parameter is set, user authorization may be password authorization, meaning that an operation requiring the USER role can be authorized with a password or with an HMAC. TPM2_Create creates an object that can be loaded into the TPM; its authorization types userWithAuth and authValue are configured through the same fields used by TPM2_CreatePrimary. TPM2_NV_DefineSpace defines an NV index; if the attribute TPMA_NV_AUTHREAD or TPMA_NV_AUTHWRITE is set, the index's authValue may be used to authorize reads or writes. The authValue is passed as the auth parameter of the tpm2_nvdefine command.
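As an added worked example (not code from the patent, from Talos or from tpm2-tools), the following shell script carries steps s1 to s3 and the three tpm2-tools commands described above through to storing and reading back a license blob guarded by an authValue. The NV index 0x01500016, the file names and the configuration format are assumptions of this example; it expects tpm2-tools on PATH and a TPM reachable through the TCTI (the tpm2-abrmd resource manager that the customized image installs, or a swtpm in a lab).

```shell
#!/bin/sh
# Added example (not from the patent, Talos or tpm2-tools): the three steps of
# the described method, run with tpm2-tools (5.x command names) through the
# tpm2-abrmd resource manager that the customized image installs. Set
# TPM2TOOLS_TCTI to a swtpm instead for lab use. NV index, file names and the
# config format are assumptions of this example, not values from the patent.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
NV_INDEX="${NV_INDEX:-0x01500016}"   # hypothetical NV index for the license blob
: "${TPM2TOOLS_TCTI:=tabrmd:bus_name=com.intel.tss2.Tabrmd}"
export TPM2TOOLS_TCTI

# Step s1: write the configuration file the application reads (constructed format).
write_app_config() {
    cat > "$WORKDIR/app.conf" <<EOF
tcti=$TPM2TOOLS_TCTI
nv_index=$NV_INDEX
EOF
    printf '%s\n' "$WORKDIR/app.conf"
}

# Step s2: the connection to the TPM service is the TCTI; tpm2_getcap only
# succeeds when the resource manager, and the kernel driver behind it, answer.
check_tpm_connection() {
    tpm2_getcap properties-fixed >/dev/null
}

# TPM2_CreatePrimary: -p sets the authValue. tpm2-tools' default attributes
# include userWithAuth, so the password (or an HMAC session) authorizes USER-role use.
create_primary() {   # $1 = primary authValue
    tpm2_createprimary -C o -g sha256 -G rsa -p "$1" -c "$WORKDIR/primary.ctx" >/dev/null
}

# TPM2_Create: -P is the parent's authValue, -p the new object's own authValue.
create_child() {     # $1 = parent authValue, $2 = child authValue
    tpm2_create -C "$WORKDIR/primary.ctx" -P "$1" -p "$2" -G aes \
        -u "$WORKDIR/key.pub" -r "$WORKDIR/key.priv" >/dev/null
}

# TPM2_NV_DefineSpace: TPMA_NV_AUTHREAD|TPMA_NV_AUTHWRITE make every read and
# write of the index require its authValue rather than owner authorization.
define_license_nv() {   # $1 = NV authValue, $2 = size in bytes
    tpm2_nvdefine "$NV_INDEX" -C o -s "$2" -a "authread|authwrite" -p "$1" >/dev/null
}

# Step s3: the application authorizes against the index with that authValue.
store_license() {    # $1 = NV authValue, $2 = file holding the license blob
    tpm2_nvwrite "$NV_INDEX" -C "$NV_INDEX" -P "$1" -i "$2"
}
read_license() {     # $1 = NV authValue; prints the stored blob
    tpm2_nvread "$NV_INDEX" -C "$NV_INDEX" -P "$1"
}

# End to end: $1 = authValue for the keys, $2 = NV authValue, $3 = license file.
provision_license() {
    write_app_config >/dev/null
    check_tpm_connection
    create_primary "$1"
    create_child "$1" "$1-child"
    define_license_nv "$2" "$(wc -c < "$3" | tr -d ' ')"
    store_license "$2" "$3"
    read_license "$2"
}

if [ "${1:-}" = "run" ]; then
    provision_license "${2:?key authValue}" "${3:?NV authValue}" "${4:?license file}"
fi
```

Run as `sh provision.sh run <key-auth> <nv-auth> <license-file>`; a wrong NV authValue makes tpm2_nvread fail with TPM_RC_AUTH_FAIL rather than return the blob, which is the check the application relies on.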
Based on the foregoing Talos system application TPM license generation method, this embodiment correspondingly also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of: setting a configuration file for the application, establishing a communication connection between the application and the TPM service, running the application, calling the TPM service from the application, and completing the licensing of the application by the TPM service.
As shown in FIG. 3, based on the foregoing Talos system application TPM license generation method and computer readable storage medium, this embodiment further provides a computer device comprising a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, where the readable storage medium and the processor are both attached to a bus, and the processor, when executing the computer program, implements the steps of: setting a configuration file for the application, establishing a communication connection between the application and the TPM service, running the application, calling the TPM service from the application, and completing the licensing of the application by the TPM service.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to list all embodiments exhaustively here. Obvious variations or modifications derived from the above remain within the scope of the claims of this patent application.

Claims (10)

1. A system application TPM license generation method, characterized in that the system is a Talos system whose kernel is a customized kernel in which a TPM service driver and a TPM software protocol stack are arranged; to provide a TPM license for an application in the Talos system, a configuration file is first set for the application, a communication connection is established between the application and the TPM service, the application is then run and calls the TPM service, and the TPM service then completes the licensing of the application; and a TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is arranged in the startup services of the customized kernel.
2. The system application TPM license generation method of claim 1, wherein the TPM software package comprises tpm2-tss, tpm2-abrmd and tpm2-tools.
3. The system application TPM license generation method of claim 1, wherein, when the kernel is customized into the customized kernel, a TPM driver module and a TPM software protocol stack are added to the kernel by a custom open-source image build, and a TPM software package and an authorization application service are added to the root file system and the startup services of the kernel.
4. The system application TPM license generation method of claim 3, wherein, when the kernel is customized into the customized kernel, the open-source image is built with a multi-stage Docker build.
5. The system application TPM license generation method of claim 1, wherein the application is placed in one partition together with the TPM software package.
6. A system for generating a TPM license for a system application, characterized in that the system is a Talos system whose kernel is a customized kernel with a built-in TPM service driver and a TPM software protocol stack, a TPM software package is installed in the root file system of the customized kernel, and a TPM authorization application service is arranged in the startup services of the customized kernel.
7. The system of claim 6, wherein the TPM software package comprises tpm2-tss, tpm2-abrmd and tpm2-tools.
8. The system of claim 6, wherein the TPM software package and the application are placed in one partition.
9. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 5.
10. A computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, characterized in that the computer program, when executed by the processor, implements the method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310754449.6A CN116502186B (en) 2023-06-26 2023-06-26 System application tpm license generation method, system, medium and device


Publications (2)

Publication Number Publication Date
CN116502186A true CN116502186A (en) 2023-07-28
CN116502186B CN116502186B (en) 2023-09-15


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070103590A (en) * 2006-04-19 2007-10-24 삼성전자주식회사 Method of managing authorization session safely in the tpm software stack
CN102456111A (en) * 2011-07-12 2012-05-16 中标软件有限公司 Method and system for license control of Linux operating system
CN103218553A (en) * 2013-03-08 2013-07-24 深圳数字电视国家工程实验室股份有限公司 Authorizing method and system based on trusted platform module
WO2019071126A1 (en) * 2017-10-06 2019-04-11 Stealthpath, Inc. Methods for internet communication security
US20210192017A1 (en) * 2019-12-24 2021-06-24 Microsoft Technology Licensing, Llc System and method for protecting software licensing information via a trusted platform module


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PARINAZ AVAZNEJAD: "Disk Encryption on Talos Operating System", Aalto University School of Science, Master's Programme in Computer, Communication and Information Sciences, page 5 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant