CN117034257A - Information acquisition method, device, equipment and medium under virtualization management - Google Patents
Information acquisition method, device, equipment and medium under virtualization management Download PDFInfo
- Publication number
- CN117034257A CN117034257A CN202310750725.1A CN202310750725A CN117034257A CN 117034257 A CN117034257 A CN 117034257A CN 202310750725 A CN202310750725 A CN 202310750725A CN 117034257 A CN117034257 A CN 117034257A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- operating system
- machine operating
- domain
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 68
- 238000005192 partition Methods 0.000 claims abstract description 62
- 230000008569 process Effects 0.000 claims description 29
- 238000004590 computer program Methods 0.000 claims description 16
- 238000000638 solvent extraction Methods 0.000 claims description 2
- 238000004891 communication Methods 0.000 description 8
- 238000012545 processing Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000001010 compromised effect Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 239000011521 glass Substances 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The invention discloses an information acquisition method, device, equipment and medium under virtualization management. The method is applied to the same system-on-chip SOC and comprises the following steps: carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain; when the information acquisition request of the virtual machine operating system domain meets the use condition of the key pair, generating a security service request according to the set format and sending the security service request to the privilege management domain; and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain. A specific security service request is generated by formatting, authority authentication is performed by the privilege management domain, and key information is determined in a security partition accessible only by it. The safety of information acquisition is ensured, and leakage of important information is avoided.
Description
Technical Field
The present invention relates to the field of virtualization technologies, and in particular, to a method, an apparatus, a device, and a medium for obtaining information under virtualization management.
Background
In the interaction process, many systems or clients often store some private data, encrypt the private data, and generate a platform signature to ensure the security of the data.
In the Android system, some existing storage platform signatures are stored in a local partition and are called out when in use.
In this case, however, the Android system may be connected to the PC, and then the sensitive information and files in the Android partition may be read through some debug instructions (such as adb). Such that device keys are compromised, design of the system, or other important information is compromised.
Disclosure of Invention
The invention provides an information acquisition method, device, equipment and medium under virtualization management, so as to realize information security acquisition under the virtualization management.
According to a first aspect of the present invention, there is provided an information acquisition method under virtualization management, which is characterized by being applied to the same system-on-chip SOC, including:
carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain;
when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, generating a security service request by the information acquisition request according to a set format through the virtual machine operating system domain, and sending the security service request to the privilege management domain;
and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain.
According to a second aspect of the present invention, there is provided an information acquisition apparatus under virtualization management, comprising:
the virtualization module is used for carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain;
the request sending module is used for generating a security service request according to a set format through the virtual machine operating system domain when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, and sending the security service request to the privilege management domain;
and the information sending module is used for carrying out authority authentication on the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain.
According to a third aspect of the present invention, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the information retrieval method under virtualization management according to any one of the embodiments of the present invention.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to execute the method for obtaining information under virtualization management according to any one of the embodiments of the present invention.
According to the technical scheme, hardware virtualization is carried out on the SOC through a set management program, so that a privilege management domain and at least one virtual machine operating system domain are obtained; when the information acquisition request of the virtual machine operating system domain meets the use condition of the key pair, generating a security service request by the information acquisition request through the virtual machine operating system domain according to a set format, and sending the security service request to the privilege management domain; and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain. A specific security service request is generated by formatting, authority authentication is performed by the privilege management domain, and key information is determined in a security partition accessible only by it. The safety of information acquisition is ensured, and leakage of important information is avoided.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for obtaining information under virtualization management according to a first embodiment of the present invention;
fig. 2 is a flowchart of a method for obtaining information under virtualization management according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of an information acquisition device under virtualization management according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device implementing an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a method for obtaining information under virtualization management according to an embodiment of the present invention, where the method may be performed by an information obtaining device under virtualization management, and the information obtaining device under virtualization management may be implemented in a form of hardware and/or software, and the information obtaining device under virtualization management may be configured in an electronic device. As shown in fig. 1, the method is applied to the same system-on-chip SOC, and includes:
s110, carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain.
In this embodiment, the Hypervisor may be understood as a program for hardware isolation, such as a Hypervisor, where the Hypervisor is a virtualized base, and the real hardware provides an isolated virtualized hardware environment for the virtual machine running on the Hypervisor through a virtualization technology. A privilege management domain may be understood as a management system on a host that is used to manage physical resources of the host and virtualized resources and virtual machines on the host. A virtual machine operating system domain may be understood as an operating system of a virtual machine, such as gueastos.
Specifically, the processor can virtualize the SOC through a set hypervisor, virtualize at least one virtual machine operating system domain and privilege management domain, and can start and monitor the running state of each virtual machine, and can communicate with the virtual machine.
By way of example, taking the intelligent cabin as an example, the intelligent cabin can virtualize three virtual machine operating system domains through a Hypervisor, namely an entertainment screen running android os, an instrument screen running Linux, a game screen running Linux, and a privilege management Domain0 of the Hypervisor, wherein the three virtual machine operating system domains can communicate with Domain0 in a cross-Domain manner through a network.
S120, when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, generating a security service request through the information acquisition request according to a set format by the virtual machine operating system domain, and sending the security service request to the privilege management domain.
In this embodiment, the information obtaining request may be understood as a request generated when obtaining information, for example, when downloading an upgrade package, the request is corresponding to the upgrade package obtaining request. The key pair usage condition may be understood as a request type corresponding to the information that needs to be accessed to obtain the information. The set format may be understood as a data format for generating a security service request. A secure service request may be understood as a request in a particular format generated for acquiring a key pair.
Specifically, the virtual machine operating system domain may compare the information acquisition request with the key pair usage condition, check whether the signature key pair is needed to be used for the acquired information, if so, satisfy the key pair usage condition, and then the virtual machine operating system domain may convert the information acquisition request according to the set format, generate a security service request identifiable by the privilege management domain, and send the security service request to the privilege management domain for keeping the signature key pair.
S130, authority authentication is carried out on the security service request through the privilege management domain, and reply information sent to the virtual machine operating system domain is determined according to an authentication result and the associated security partition and is sent to the virtual machine operating system domain.
The security partition is mounted to the privilege management domain and used for storing security information of each virtual machine operating system domain.
In this embodiment, the secure partition may be understood as a partition that is only accessible by the privilege management domain and is used to store secure information, where the secure information may include signature key pairs of other operating system domains of each virtual machine, sensitive files, sensitive information, and the like, and other systems cannot directly access the content of the secure partition. Reply information may be understood as information used to reply to a request result to the virtual machine operating system domain.
Specifically, authority authentication can be performed on the security service request through the privilege management domain, a specific field or identifier in the security service request is compared with a set authority list and the like to determine whether the security service request has authority to access corresponding content, an authentication result is obtained, when the authentication result is authority, the privilege management domain can access the mounted security partition, reply content corresponding to the security service request is read from the security partition, reply information sent to the virtual machine operating system domain is determined by combining with identification information in the security service request, if the authentication result is no authority, an unauthorized prompt can be generated as a reply message, and the reply message is sent to the virtual machine operating system domain.
According to the technical scheme, hardware virtualization is carried out on the SOC through a set management program, so that a privilege management domain and at least one virtual machine operating system domain are obtained; when the information acquisition request of the virtual machine operating system domain meets the use condition of the key pair, generating a security service request by the information acquisition request through the virtual machine operating system domain according to a set format, and sending the security service request to the privilege management domain; and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain. A specific security service request is generated by formatting, authority authentication is performed by the privilege management domain, and key information is determined in a security partition accessible only by it. The safety of information acquisition is ensured, and leakage of important information is avoided.
As a first alternative embodiment of the present embodiment, on the basis of the above embodiment, further optimization may include:
when the information acquisition request of the virtual machine operating system domain does not meet the use condition of the key pair, determining target information corresponding to the information acquisition request through the virtual machine operating system domain according to the system partition mounted by the virtual machine operating system domain.
In this embodiment, a system partition may be understood as a storage partition for storing information related to the operating system domain of a virtual machine.
The system partition and the safe partition are obtained by dividing the target hard disk according to set standards.
It should be noted that the virtual machine operating system domains partitioned by the same SOC are stored on a unified SSD hard disk. The partition on the hard disk is mounted in the assigned virtual machine operating system domain according to the system design, and other systems cannot access the partition. For example, if the system partition a is allocated to be mounted on the android os, the Linux system of the meter screen cannot access the system partition a. And a secure partition can be partitioned on the SSD, the secure partition is mounted on a system of the privilege management Domain0, other systems cannot directly access the content of the secure partition, and a system signed key pair is stored in the secure partition.
Specifically, when the information acquisition request of the virtual machine operating system domain does not meet the key pair use condition, that is, the signature key pair is not required to be used in the information acquisition request, the virtual machine operating system domain can search in a system partition mounted by the virtual machine operating system domain, and the target information corresponding to the information acquisition request is determined.
In the first alternative embodiment of the present embodiment, when the information acquisition request of the virtual machine operating system domain does not meet the use condition of the key pair, the system domain is ensured to access only the corresponding system partition by partitioning the target hard disk, and the information is acquired from the system partition by accessing the mounted system partition through the virtual machine operating system domain, thereby ensuring the security of information acquisition.
Example two
Fig. 2 is a flowchart of an information obtaining method under virtualization management according to a second embodiment of the present invention, where the present embodiment is further refined based on the foregoing embodiment. As shown in fig. 2, the method includes:
s210, carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain.
S220, when the information acquisition request of the virtual machine operating system domain meets the use condition of the key pair, determining a process name and a unique identification code corresponding to the information acquisition request according to a set format through the virtual machine operating system domain.
In this embodiment, the process name may be understood as a basis for the privilege management domain to perform the privilege verification, and only the application initiated by the agreed process will be accepted. The unique identification code can be understood as the generated identification code of the current information acquisition request.
Specifically, when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, the virtual machine operating system domain can determine the matched process name for the request type corresponding to the information acquisition request according to the set process table, and generate the unique identification code corresponding to the application.
S230, determining a request code corresponding to the information acquisition request in a preset request code table.
In the present embodiment, the request encoding table can be understood as a table in which encoding corresponding to the request type is set in advance. Request encoding may be understood as encoding that matches the information acquisition request.
Specifically, the virtual machine operating system domain may search a preset request encoding table for a request type to which the information acquisition request belongs, and determine a request encoding matched with the request type.
Illustratively, 0 corresponds to the application private key and 1 corresponds to the application user data as in the request encoding table. If the information acquisition request is the application private key, the virtual machine operating system domain can determine that the request code corresponding to the information acquisition request is 0 through table lookup.
S240, determining the request content from the information acquisition request.
Specifically, the virtual machine operating system domain may determine the requested content from the information retrieval request.
For example, the information obtaining request is to download an upgrade package, and before obtaining the upgrade package, a private key needs to be applied, the corresponding request code is 0, and the request content corresponds to obtaining the upgrade package.
S250, determining a security service request according to the process name, the unique identification code, the request code and the request content.
Specifically, the process name, the unique identification code, the request code and the request content can be integrated according to a set format to determine the security service request.
Illustratively, the set format may be: the process-token-code-content, wherein the process is the process name of the application, is used for performing authority verification on Domain0, and only the appointed process initiates the application to be accepted; the token is a unique identification code of the application and is used for the identification code of the subsequent reply request; code is the request code; content is a requested content, and may be stored in content if additional information needs to be transferred.
S260, analyzing the security service request through the privilege management domain, and determining the process name, the unique identification code and the request content in the security service request.
Specifically, the privilege management domain may receive a security service request transmitted by the virtual machine operating system domain through a corresponding network cross-domain, and analyze the security service request to determine a process name, a unique identification code and a request content included in the security service request.
S270, performing authority authentication on the process name according to preset authority authentication conditions, and determining an authentication result.
In the present embodiment, the authority authentication condition may be understood as a condition including all authorized process names.
Specifically, the privilege management domain may acquire a preset privilege authentication condition from a corresponding storage location, search a process name in the preset privilege authentication condition, determine whether the process name is in the privilege authentication condition, if so, take the ownership privilege as an authentication result corresponding to the security service request, and if not, take no access privilege as an authentication result corresponding to the security service request.
And S280, when the authentication result is the ownership right, determining reply information sent to the virtual machine operating system domain according to the associated security partition, the unique identification code and the request content.
Specifically, when the authentication result is the ownership right, the privilege management domain can access and search in the associated security partition according to the request content, determine the corresponding reply content, and determine the reply information sent to the virtual machine operating system domain by combining the unique identification code.
Further, on the basis of the above embodiment, the step of determining the reply information sent to the virtual machine operating system domain according to the associated secure partition, the unique identification code and the request content may be optimized as follows:
a1, searching private key information matched with the request content in the secure partition.
In this embodiment, the private key information can be understood as a key used in encryption of information.
Specifically, the privilege management domain may access the secure partition and look up private key information in the secure partition that matches the requested content.
b1, generating reply information sent to the virtual machine operating system domain according to the unique identification code and the private key information.
Specifically, the privilege management domain may generate reply information with the unique identifier sent to the virtual machine operating system domain according to the unique identifier and the private key information.
According to the technical scheme, the security information of each virtual machine operating system domain is stored in the security partition which can only be accessed by the privilege management domain, the security service request is generated through the set format, the privilege management domain is used for checking the authority of the process name included in the security service request, whether the virtual machine operating system domain has the authority to acquire the corresponding key information is further determined, if the virtual machine operating system domain has the authority, the security partition is accessed through the privilege management domain, and the reply message is obtained and fed back to the virtual machine operating system domain. The safety of information acquisition is ensured, and leakage of important information is avoided. Therefore, even if the corresponding virtual machine operating system domain is cracked and debugged, important safety information cannot be seen in the corresponding system partition.
Example III
Fig. 3 is a schematic structural diagram of an information obtaining device under virtualization management according to a third embodiment of the present invention. As shown in fig. 3, the apparatus is applied to the same system-on-chip SOC, and includes: virtualization module 31, request transmission module 32, and information transmission module 33. Wherein,
the virtualization module 31 is configured to perform hardware virtualization on the SOC through a set hypervisor to obtain a privilege management domain and at least one virtual machine operating system domain;
a request sending module 32, configured to generate, when the information acquisition request of the virtual machine operating system domain meets a key pair usage condition, a security service request by the virtual machine operating system domain according to a set format, and send the security service request to the privilege management domain;
and the information sending module 33 is configured to perform authority authentication on the security service request through the privilege management domain, determine reply information sent to the virtual machine operating system domain according to an authentication result and an associated security partition, and send the reply information to the virtual machine operating system domain.
According to the technical scheme, hardware virtualization is carried out on the SOC through a set management program, so that a privilege management domain and at least one virtual machine operating system domain are obtained; when the information acquisition request of the virtual machine operating system domain meets the use condition of the key pair, generating a security service request by the information acquisition request through the virtual machine operating system domain according to a set format, and sending the security service request to the privilege management domain; and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain. A specific security service request is generated by formatting, authority authentication is performed by the privilege management domain, and key information is determined in a security partition accessible only by it. The safety of information acquisition is ensured, and leakage of important information is avoided.
Further, the request sending module 32 is specifically configured to:
determining a process name and a unique identification code corresponding to the information acquisition request according to a set format;
determining a request code corresponding to the information acquisition request in a preset request code table;
determining request content from the information acquisition request;
and determining the security service request according to the process name, the unique identification code, the request code and the request content.
Further, the information transmitting module 33 includes:
the first determining unit is used for analyzing the security service request and determining a process name, a unique identification code and request content in the security service request;
the second determining unit is used for carrying out authority authentication on the process name according to preset authority authentication conditions and determining an authentication result;
and the third determining unit is used for determining reply information sent to the virtual machine operating system domain according to the associated security partition, the unique identification code and the request content when the authentication result is the ownership right.
The third determining unit is specifically configured to:
searching private key information matched with the request content in the secure partition;
and generating reply information sent to the virtual machine operating system domain according to the unique identification code and the private key information.
The secure partition is mounted to the privilege management domain and is used for storing security information of each virtual machine operating system domain.
Optionally, the apparatus further comprises: and the information acquisition module.
The information acquisition module is used for determining target information corresponding to the information acquisition request through the virtual machine operating system domain according to the system partition mounted by the virtual machine operating system domain when the information acquisition request of the virtual machine operating system domain does not meet the key pair use condition.
The system partition and the security partition are obtained by dividing a target hard disk according to a set standard.
The information acquisition device under the virtualization management provided by the embodiment of the invention can execute the information acquisition method under the virtualization management provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 4 shows a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42, a Random Access Memory (RAM) 43, etc., in which the memory stores a computer program executable by the at least one processor, and the processor 41 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM43, various programs and data required for the operation of the electronic device 40 may also be stored. The processor 41, the ROM42 and the RAM43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to bus 44.
Various components in electronic device 40 are connected to I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 41 may be various general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 41 performs the respective methods and processes described above, for example, an information acquisition method under virtualization management.
In some embodiments, the information retrieval method under virtualization management may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM42 and/or the communication unit 49. When the computer program is loaded into the RAM43 and executed by the processor 41, one or more steps of the information acquisition method under the virtualization management described above may be performed. Alternatively, in other embodiments, processor 41 may be configured to perform the information retrieval method under virtualization management in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. The information acquisition method under the virtualization management is characterized by being applied to the same system-on-chip (SOC), and comprising the following steps:
carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain;
when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, generating a security service request by the information acquisition request according to a set format through the virtual machine operating system domain, and sending the security service request to the privilege management domain;
and authenticating the authority of the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain.
2. The method of claim 1, wherein generating, by the virtual machine operating system domain, the secure service request from the information acquisition request in a set format, comprises:
determining a process name and a unique identification code corresponding to the information acquisition request according to a set format;
determining a request code corresponding to the information acquisition request in a preset request code table;
determining request content from the information acquisition request;
and determining the security service request according to the process name, the unique identification code, the request code and the request content.
3. The method of claim 1, wherein the authenticating the security service request by the privilege management domain, determining reply information sent to the virtual machine operating system domain based on the authentication result and the associated security partition, comprises:
analyzing the security service request, and determining a process name, a unique identification code and request content in the security service request;
performing authority authentication on the process name according to preset authority authentication conditions, and determining an authentication result;
and when the authentication result is the ownership right, determining reply information sent to the virtual machine operating system domain according to the associated security partition, the unique identification code and the request content.
4. The method of claim 3, wherein the determining reply information sent to the virtual machine operating system domain based on the partitioned secure partition, the unique identification code, and the requested content comprises:
searching private key information matched with the request content in the secure partition;
and generating reply information sent to the virtual machine operating system domain according to the unique identification code and the private key information.
5. The method of claim 1, wherein the secure partition is mounted to the privilege management domain and is configured to store secure information for each of the virtual machine operating system domains.
6. The method as recited in claim 1, further comprising: when the information acquisition request of the virtual machine operating system domain does not meet the key pair use condition,
and determining target information corresponding to the information acquisition request by the virtual machine operating system domain according to the system partition mounted by the virtual machine operating system domain.
7. The method of claim 6, wherein the system partition and the secure partition are obtained by partitioning a target hard disk according to a set standard.
8. An information acquisition device under virtualization management, applied to the same system-on-chip SOC, is characterized by comprising:
the virtualization module is used for carrying out hardware virtualization on the SOC through a set management program to obtain a privilege management domain and at least one virtual machine operating system domain;
the request sending module is used for generating a security service request according to a set format through the virtual machine operating system domain when the information acquisition request of the virtual machine operating system domain meets the key pair use condition, and sending the security service request to the privilege management domain;
and the information sending module is used for carrying out authority authentication on the security service request through the privilege management domain, determining reply information sent to the virtual machine operating system domain according to an authentication result and the associated security partition, and sending the reply information to the virtual machine operating system domain.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the information acquisition method under virtualization management according to any one of claims 1 to 7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the method of information retrieval under virtualization management of any one of claims 1-7 when executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310750725.1A CN117034257A (en) | 2023-06-25 | 2023-06-25 | Information acquisition method, device, equipment and medium under virtualization management |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310750725.1A CN117034257A (en) | 2023-06-25 | 2023-06-25 | Information acquisition method, device, equipment and medium under virtualization management |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117034257A true CN117034257A (en) | 2023-11-10 |
Family
ID=88641834
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310750725.1A Pending CN117034257A (en) | 2023-06-25 | 2023-06-25 | Information acquisition method, device, equipment and medium under virtualization management |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117034257A (en) |
-
2023
- 2023-06-25 CN CN202310750725.1A patent/CN117034257A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9928080B2 (en) | Hardware security module access management in a cloud computing environment | |
| CN106170763B (en) | A kind of software check method and apparatus | |
| US20180198777A1 (en) | Implementing single sign-on in a transaction processing system | |
| CN107704308B (en) | Virtual platform vTPM management system, trust chain construction method and device, and storage medium | |
| US20200110879A1 (en) | Trusted computing attestation of system validation state | |
| CN106529284B (en) | Virtual machine monitor security reinforcement method based on security chip | |
| CN113010897A (en) | Cloud computing security management method and system | |
| US9436529B2 (en) | Providing random data to a guest operating system | |
| CN116303069A (en) | Test method, device, upper computer, system and medium of vehicle-mounted terminal | |
| CN111158857A (en) | Data encryption method, device, equipment and storage medium | |
| CN117034257A (en) | Information acquisition method, device, equipment and medium under virtualization management | |
| CN115291973A (en) | Method and device for connecting database by application on cloud, electronic equipment and storage medium | |
| CN115130114B (en) | Gateway secure starting method and device, electronic equipment and storage medium | |
| WO2024002342A1 (en) | Cloud technology-based trusted execution system and method | |
| CN114444041A (en) | Interface access method and device, electronic equipment and storage medium | |
| CN115934254A (en) | Deployment method, device, server and medium of elastic search engine cluster | |
| CN117077199A (en) | File access control method, device, equipment and medium | |
| CN116318968A (en) | Target operation execution method, device, equipment and storage medium | |
| CN116015770A (en) | Communication method, communication system, communication device and electronic equipment for server | |
| CN116954823A (en) | Rights management method, device, electronic equipment, storage medium and program product | |
| CN116846680A (en) | Data desensitization method, device, equipment and storage medium | |
| CN117193940A (en) | Data access method, device, electronic equipment and computer readable medium | |
| CN114594912A (en) | Information protection method, device, equipment and medium for vehicle instrument system | |
| WO2024006624A1 (en) | Isolated runtime environments for securing secrets used to access remote resources from compute instances | |
| CN116627469A (en) | Method, device, equipment and medium for generating unique identifier of Android equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |