CN117873645A - Trusted computing method, trusted computing device, computer equipment and storage medium - Google Patents
- Publication number
- CN117873645A (application number CN202311799899.3A)
- Authority
- CN
- China
- Prior art keywords
- trusted
- target
- root
- virtual machine
- target virtual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The application relates to a trusted computing method, apparatus, computer device and storage medium. The method comprises the following steps: when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a target context corresponding to the target virtual trusted root; updating the target context based on the trusted processing command to obtain an updated target context; invoking a physical trusted root through a first trusted software stack to execute the trusted processing command by using the updated target context, and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root through the first trusted software stack; and feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root. Even though the start-up of the virtual trusted root lags behind the start-up of the virtual machine, the trusted computing result of the physical trusted root can be regarded as a start-up measurement result for the virtual machine.
Description
Technical Field
The present disclosure relates to the field of trusted computing technology, and in particular, to a trusted computing method, apparatus, computer device, and storage medium.
Background
With the wide adoption of cloud computing, the complexity and diversity of cloud platform environments and the large scale of the equipment involved have introduced many security problems. To address network security problems in cloud environments, trusted computing technology is applied to the cloud computing environment; combining trusted computing technology with the virtualization technology of cloud computing can meet the requirements of cloud computing.
Virtual root of trust construction refers to building a virtual trusted root device inside a virtual machine so that it provides trust-related functions to the virtual machine in the way a physical trusted root device would. At present, most approaches provide cryptographic security functions to a virtual machine through a device simulated purely in software. The physical device is simulated in software within the virtual machine operating system, and trusted software in the virtual machine operating system calls the simulated device to send data and receive verification results. Multiple virtual trusted root instances are simulated by a software algorithm; each instance is unique and bound to a key in the physical trusted root, and the instances run in the virtual machine with the identity of ordinary software to provide trusted cryptographic services to each virtual machine. Because this approach is pure software simulation, the virtual trusted root is, from the virtual machine's point of view, software whose start-up lags behind the start-up of the virtual machine, so it provides no start-up measurement capability for the virtual machine.
Disclosure of Invention
The application provides a trusted computing method, a trusted computing device, computer equipment and a storage medium, which are used for solving the problem that a virtual trusted root implemented in software, as in existing approaches, has no start-up measurement capability for the virtual machine.
In a first aspect, the present application provides a trusted computing method applied to a host operating system, the method comprising:
when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a target context corresponding to the target virtual trusted root;
updating the target context based on the trusted processing command to obtain an updated target context;
invoking a physical trusted root through a first trusted software stack to execute the trusted processing command by using the updated target context, and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root through the first trusted software stack;
and feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
In a second aspect, the present application provides a trusted computing method applied to a virtual machine, the method including:
creating, through trusted software, a simulated device that serves as a virtual trusted root;
under the condition of triggering a trusted computing condition, the trusted application calls the virtual trusted root through a second trusted software stack to send a trusted processing command to a host operating system, wherein the host operating system is used for calling a physical trusted root to execute the trusted processing command so as to obtain a trusted computing result;
and when the trusted computing result obtained by the host operating system from the physical trusted root is received, the trusted computing result is used as a trusted function triggering result of the virtual trusted root.
In a third aspect, the present application provides a trusted computing device for use in a host operating system, the device comprising:
the virtualization supporting platform is used for determining a target context corresponding to a target virtual trusted root when receiving a trusted processing command sent by the target virtual trusted root in the target virtual machine; updating the target context based on the trusted processing command to obtain an updated target context;
the first trusted software stack is used for calling a physical trusted root to execute the trusted processing command by using the updated target context and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root;
the virtualization supporting platform is further used for feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
In a fourth aspect, the present application provides a trusted computing device for use with a virtual machine, the device comprising:
trusted software for creating a simulated device as a virtual trusted root;
the second trusted software stack is used for calling the virtual trusted root to send a trusted processing command to a host operating system under the condition of triggering a trusted computing condition, wherein the host operating system is used for calling a physical trusted root to execute the trusted processing command so as to obtain a trusted computing result;
the virtual trusted root is configured to, when receiving the trusted computing result obtained by the host operating system from the physical trusted root, use the trusted computing result as a trusted function triggering result of the virtual trusted root.
In a fifth aspect, the present application provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-mentioned trusted computing method when executing the computer program.
In a sixth aspect, the present application also provides a computer storage medium storing computer-executable instructions for performing the above-described trusted computing method.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages. In the method provided by the embodiment of the application, when a host operating system receives a trusted processing command sent by a target virtual trusted root in a target virtual machine, a target context corresponding to the target virtual trusted root is determined; the target context is updated based on the trusted processing command to obtain an updated target context; a physical trusted root is invoked through a first trusted software stack to execute the trusted processing command by using the updated target context, and a trusted computing result corresponding to the trusted processing command is acquired from the physical trusted root through the first trusted software stack; and the trusted computing result is fed back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root. Because the trusted computing result of the physical trusted root is used as the trusted function triggering result of the virtual trusted root, the trusted computing result of the physical trusted root can be regarded as the start-up measurement result of the virtual machine even if the start-up of the virtual trusted root lags behind the start-up of the virtual machine. This solves the problem that a virtual trusted root implemented in software, as in existing approaches, has no start-up measurement capability for the virtual machine.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
Fig. 1 is an application environment diagram of a trusted computing method provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of a trusted computing method according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of a trusted computing method according to an embodiment of the present application;
Fig. 4 is a block diagram of a trusted computing system provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of an internal structure of a computer device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
The following disclosure provides many different embodiments, or examples, for implementing different structures of the invention. In order to simplify the present disclosure, components and arrangements of specific examples are described below. They are, of course, merely examples and are not intended to limit the invention. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
Fig. 1 is a diagram of an application environment for a trusted computing method in one embodiment. Referring to Fig. 1, the trusted computing method is applied to a trusted computing system. The trusted computing system includes a virtual machine 110, a host operating system 120, and host hardware 130. The virtual machine 110, host operating system 120, and host hardware 130 are connected by a network. The virtual machine 110, the host operating system 120 and the host hardware 130 are integrated into the same host. A plurality of different virtual machines 110 can be arranged in the host, a virtual trusted root (vTPCM) is arranged in each virtual machine, and the host is implemented as a server. The host hardware 130 denotes the hardware device that contains the physical trusted root (TPCM).
Fig. 2 is a flow chart of a trusted computing method in one embodiment. Referring to Fig. 2, a trusted computing method is provided. This embodiment is described mainly as applied to the host operating system in Fig. 1, and the trusted computing method specifically includes the following steps:
Step S210, when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a target context corresponding to the target virtual trusted root.
Specifically, the target virtual machine may be any virtual machine in the host in which a target virtual trusted root is configured. A virtual VIO device is built in the virtual machine based on KVM/QEMU virtualization technology, and this virtual VIO device serves as the virtual trusted root. The host operating system and the virtual machine are isolated from each other, but the virtual trusted root enables data communication between them based on a communication protocol. When the host operating system receives a trusted processing command sent by the target virtual trusted root in the target virtual machine, it looks up the target context corresponding to the target virtual trusted root in the virtualization supporting platform. The virtualization supporting platform manages the contexts corresponding to the different virtual machines in the host: when a virtual trusted root is created in a virtual machine, the corresponding context is created synchronously in the virtualization supporting platform. A context indicates the service-related environment of its virtual trusted root and includes at least the to-be-processed command queue and the application scenario information of the virtual machine. In other words, the virtualization supporting platform stores and manages the mapping between the virtual trusted roots in different virtual machines and their contexts. The trusted processing command is a command that triggers a trusted computing function of the virtual trusted root.
Step S220, updating the target context based on the trusted processing command, to obtain the updated target context.
Specifically, the target context corresponding to the target virtual machine is updated by using the trusted processing command, that is, the trusted processing command is added to a to-be-processed command queue in the target context, so that the updated target context is obtained.
Step S230, invoking a physical trusted root through a first trusted software stack, executing the trusted processing command by using the updated target context, and obtaining a trusted computing result corresponding to the trusted processing command from the physical trusted root through the first trusted software stack.
Specifically, the virtualization supporting platform calls the first trusted software stack to send a trusted computing request to the physical trusted root in the host hardware. The physical trusted root supports virtualized calls, and the request asks it to execute the trusted processing command using the updated target context; that is, the physical trusted root performs the trusted computation and generates the corresponding trusted computing result. The virtualization supporting platform obtains the trusted computing result from the physical trusted root through the first trusted software stack. On receiving the result, the virtualization supporting platform updates the target context again to clear the trusted processing command from the to-be-processed command queue in the target context, and records the transfer of the trusted processing command and the trusted computing result.
Step S240, feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
Specifically, the virtualization supporting platform sends the trusted computing result to the target virtual trusted root in the corresponding target virtual machine, and the target virtual trusted root takes the trusted computing result computed by the physical trusted root as its own trusted function triggering result. Even if the start-up of the virtual trusted root lags behind the start-up of the virtual machine, the trusted computing result of the physical trusted root can be regarded as the start-up measurement result of the virtual machine, which solves the problem that an existing virtual trusted root implemented in software has no start-up measurement capability for the virtual machine.
In one embodiment, the determining, when receiving the trusted processing command sent by the target virtual trusted root in the target virtual machine, a target context corresponding to the target virtual trusted root includes:
when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a context corresponding to a context identifier in the trusted processing command as a target context corresponding to the target virtual trusted root in a preset relation mapping table.
Specifically, the preset relation mapping table contains the mapping relations among the different virtual machines, virtual trusted roots and contexts. The trusted processing command contains a context identifier (ID), and the target context corresponding to that context identifier is looked up in the preset relation mapping table. The context identifier of a command initiated by a virtual machine is a non-null value, and the context identifier of a command initiated by the physical machine is a null value or a special value. Different contexts have different context identifiers.
In one embodiment, the target virtual machine includes a plurality of virtual machines, and when receiving a trusted processing command sent by a target virtual trusted root in the target virtual machine, determining a target context corresponding to the target virtual trusted root includes:
and when receiving the trusted processing command sent by the target virtual trusted root in the plurality of virtual machines, determining the target context corresponding to the corresponding target virtual trusted root of each virtual machine in sequence according to the order of the access priority of each virtual machine from high to low.
Specifically, when the virtualization supporting platform receives trusted processing commands sent by the virtual trusted roots of multiple virtual machines at the same time, it determines the target context of each virtual machine in turn according to the access priorities of the virtual machines, and has the physical trusted root execute the corresponding trusted processing commands in the same access-priority order. The access priority of a virtual machine can be determined by the receive timestamp of the trusted processing command: the earlier the receive timestamp, the higher the access priority of the virtual machine corresponding to the trusted processing command. The access priority may also be determined by the configuration level of the virtual machine: the higher the configuration level of the virtual machine, the higher its access priority. The access priority may also be determined by the access urgency level of the trusted processing command: the higher the access urgency level, the higher the access priority of the virtual machine corresponding to the trusted processing command.
As shown in Fig. 4, all virtual machines access the virtual trusted root instance in sequence through the front-end driver and the back-end driver of the virtual trusted root, and reach the vTPCM management module after passing through the QEMU module. The vTPCM management module sorts the accesses of the different virtual machines to the virtual trusted root and executes them in sequence.
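The following is an added example, not code from the patent: a Python model of the host-side flow of steps S210 to S240 together with the context-identifier lookup and priority ordering described above. `VtpcmManager`, `PhysicalRootStub`, the HMAC stand-in for the physical trusted root, the combined priority key (urgency, then configuration level, then arrival order) and the check that a context identifier belongs to the sending virtual machine are assumptions of this example.

```python
import hashlib
import heapq
import hmac
import itertools
from dataclasses import dataclass, field


class PhysicalRootStub:
    """Hypothetical stand-in for the physical trusted root (TPCM)."""

    def __init__(self, key: bytes):
        self._key = key  # on real hardware the key never leaves the device

    def execute(self, context_id: str, command: bytes) -> bytes:
        # Bind the result to the calling context so that identical commands
        # from different virtual machines yield different results.
        msg = context_id.encode() + b"\x00" + command
        return hmac.new(self._key, msg, hashlib.sha256).digest()


@dataclass
class Context:
    context_id: str
    vm_id: str
    pending: list = field(default_factory=list)  # to-be-processed command queue
    audit: list = field(default_factory=list)    # (command, result) transfer record


@dataclass
class Command:
    vm_id: str         # sender, taken from the transport channel (assumption)
    context_id: str    # context identifier carried in the command
    payload: bytes
    config_level: int = 0
    urgency: int = 0


class VtpcmManager:
    """Hypothetical model of the virtualization supporting platform."""

    def __init__(self, root: PhysicalRootStub):
        self._root = root
        self._table = {}               # preset relation mapping table
        self._heap = []
        self._seq = itertools.count()  # arrival order stands in for the timestamp

    def create_context(self, vm_id: str, context_id: str) -> None:
        self._table[context_id] = Context(context_id, vm_id)

    def context(self, context_id: str) -> Context:
        return self._table[context_id]

    def submit(self, cmd: Command) -> None:
        # S210: resolve the target context from the context identifier.
        ctx = self._table.get(cmd.context_id)
        if not cmd.context_id or ctx is None:
            raise KeyError("unknown or null context identifier")
        # Added check (assumption): a VM may only name its own context.
        if ctx.vm_id != cmd.vm_id:
            raise PermissionError("context does not belong to sending VM")
        # S220: update the context by queueing the command.
        ctx.pending.append(cmd.payload)
        key = (-cmd.urgency, -cmd.config_level, next(self._seq))
        heapq.heappush(self._heap, (key, cmd))

    def drain(self) -> list:
        """Run queued commands in priority order; return (vm_id, result) pairs."""
        results = []
        while self._heap:
            _, cmd = heapq.heappop(self._heap)
            ctx = self._table[cmd.context_id]
            # S230: the physical root executes the command for this context.
            result = self._root.execute(ctx.context_id, cmd.payload)
            ctx.pending.remove(cmd.payload)
            ctx.audit.append((cmd.payload, result))
            # S240: the result goes back to the VM that sent the command.
            results.append((cmd.vm_id, result))
        return results


def demo():
    # Constructed sample input: two VMs, one cross-context attempt.
    mgr = VtpcmManager(PhysicalRootStub(b"constructed-demo-key"))
    mgr.create_context("vm-a", "ctx-a")
    mgr.create_context("vm-b", "ctx-b")
    mgr.submit(Command("vm-a", "ctx-a", b"measure:kernel"))
    mgr.submit(Command("vm-b", "ctx-b", b"measure:kernel", urgency=2))
    try:
        mgr.submit(Command("vm-b", "ctx-a", b"measure:kernel"))
        rejected = False
    except PermissionError:
        rejected = True
    order = [vm for vm, _ in mgr.drain()]
    return order, rejected


if __name__ == "__main__":
    print(demo())
```
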
In one embodiment, after the feedback of the trusted computing result to the target virtual trusted root in the target virtual machine as the trusted function trigger result of the target virtual trusted root, the method further includes:
acquiring the running state of the target virtual machine;
and updating the state of the target context according to the running state of the target virtual machine.
Specifically, the running state of the target virtual machine may be deleting, starting, stopping, exporting, importing, and so on. The state of the context corresponding to the virtual machine in the virtualization supporting platform is updated synchronously as the running state of the virtual machine changes. If the running state of the target virtual machine is deleting, the target context corresponding to the target virtual machine is deleted from the virtualization supporting platform. If the running state of the target virtual machine is starting, the target context corresponding to the target virtual machine is started in the virtualization supporting platform. If the running state of the target virtual machine is exporting, which means that the target virtual machine is being migrated, the target context is exported from the virtualization supporting platform synchronously.
In one embodiment, the updating the state of the target context according to the running state of the target virtual machine includes:
when the running state of the target virtual machine is a migration state, a target context corresponding to the target virtual machine is exported;
invoking the physical trusted root to sign and encrypt the target context to obtain a signed context;
and migrating the signature context to a target host operating system corresponding to the migration instruction, wherein the target host operating system decrypts the signature context and loads the decrypted target context.
Specifically, when the target virtual machine is migrated, the virtualization supporting platform exports the target context corresponding to the virtual trusted root to be migrated and uses the physical trusted root to sign and encrypt it, obtaining a signed context. The signed context is then migrated to the virtualization supporting platform in the target host operating system for import. The virtualization supporting platform in the target host operating system decrypts the signed context and loads the decrypted context into the physical trusted root corresponding to the target host operating system, which completes the migration of the target context of the target virtual trusted root.
In one embodiment, referring to Fig. 3, a trusted computing method is provided for application to a virtual machine, the method comprising:
Step S310, creating, through trusted software, a simulated device that serves as a virtual trusted root.
Specifically, the trusted software is security software with KVM/QEMU virtualization technology; it uses KVM/QEMU virtualization technology to create a virtual VIO device in the virtual machine and uses that virtual VIO device as the virtual trusted root.
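The following is an added example, not code from the patent: a Python model of the export, sign-and-encrypt, and import path for a migrating context, showing that the target host rejects a modified or foreign blob before anything is loaded. `MigrationRootStub` is hypothetical; HMAC-SHA256 stands in for the physical trusted root's signature and a SHA-256 counter keystream stands in for its cipher (chosen only to avoid dependencies, not a production cipher). The example assumes both hosts' physical trusted roots already hold the same migration keys, which the patent does not specify.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration-only keystream: SHA-256 over key, nonce and a counter.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class MigrationRootStub:
    """Hypothetical stand-in for a physical trusted root holding migration keys."""

    def __init__(self, sign_key: bytes, enc_key: bytes):
        self._sign_key = sign_key
        self._enc_key = enc_key

    def sign_and_encrypt(self, plaintext: bytes) -> bytes:
        # Sign first, then encrypt the context together with its signature.
        tag = hmac.new(self._sign_key, plaintext, hashlib.sha256).digest()
        nonce = os.urandom(NONCE_LEN)
        body = plaintext + tag
        return nonce + _xor(body, _keystream(self._enc_key, nonce, len(body)))

    def decrypt_and_verify(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("signed context is too short")
        nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
        body = _xor(ciphertext, _keystream(self._enc_key, nonce, len(ciphertext)))
        plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self._sign_key, plaintext, hashlib.sha256).digest()
        # Constant-time comparison; nothing is returned unless the check passes.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("signature check failed")
        return plaintext


def export_context(root: MigrationRootStub, context: dict) -> bytes:
    """Source host: serialize the context and have the root sign and encrypt it."""
    serialized = json.dumps(context, sort_keys=True).encode()
    return root.sign_and_encrypt(serialized)


def import_context(root: MigrationRootStub, blob: bytes, table: dict) -> dict:
    """Target host: verify before parsing, then load into the mapping table."""
    context = json.loads(root.decrypt_and_verify(blob))
    if context["context_id"] in table:
        raise ValueError("context identifier already loaded on this host")
    table[context["context_id"]] = context
    return context


if __name__ == "__main__":
    # Constructed sample context and keys.
    keys = (b"s" * 32, b"e" * 32)
    sample = {"context_id": "ctx-a", "vm_id": "vm-a",
              "pending": ["measure:kernel"], "scene": "boot"}
    blob = export_context(MigrationRootStub(*keys), sample)
    loaded = {}
    print(import_context(MigrationRootStub(*keys), blob, loaded))
```
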
Step S320, in the case of triggering a trusted computing condition, the trusted application invokes the virtual trusted root through a second trusted software stack to issue a trusted processing command to a host operating system, where the host operating system is configured to invoke a physical trusted root to execute the trusted processing command to obtain a trusted computing result.
Specifically, the trusted computing conditions include a static trusted computing condition and a dynamic trusted computing condition, wherein the static trusted computing condition is that a virtual machine is started, and the dynamic trusted computing condition is that trusted software is in a working state. Whether triggering a static trusted computing condition or a dynamic trusted computing condition, the trusted application invokes a virtual trusted root through a second trusted software stack in the virtual machine to issue a trusted processing command to the host operating system, which executes the trusted processing command by invoking a physical trusted root to generate a trusted computing result.
Step S330, when the trusted computing result obtained by the host operating system from the physical trusted root is received, the trusted computing result is used as a trusted function triggering result of the virtual trusted root.
Specifically, the virtual trusted root receives a trusted computing result obtained by a host operating system from the physical trusted root, and takes the trusted computing result as a trusted function triggering result of the virtual trusted root, namely, the trusted computing result of the physical trusted root is taken as the trusted computing result of the virtual trusted root, and hardware-level trusted cryptography service is provided for the virtual machine based on a software-hardware combination mode, so that the trusted computing function of the virtual trusted root is realized.
The virtual trusted root can perform active data access and acquisition with the host operating system by utilizing the DMA controller and the communication protocol of the virtual VIO device, so that active measurement, monitoring and protection of the virtual machine operating system and trusted application in the virtual machine according to the strategy can be realized.
By using the isolation mechanism of the host operating system, an independent virtual trusted root computing environment, memory space, hardware storage, context and other resources are built for each virtual machine, so that measurement of the virtual machine, establishment of the virtual trusted root, and trusted cryptographic computation and services are realized while the virtualization architecture remains unchanged. At the same time, to ensure cryptographic security, the cryptographic computation required by virtual trusted root measurement and similar operations is forwarded to the physical trusted root and the keys are protected by the physical trusted root, so that from a cryptographic perspective the virtual trusted root reaches the same level as the physical trusted root.
Fig. 2 and Fig. 3 are flow diagrams of trusted computing methods in one embodiment. It should be understood that, although the steps in the flowcharts of Fig. 2 and Fig. 3 are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in Fig. 2 and Fig. 3 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times; these sub-steps or stages are not necessarily performed in sequence, and may be performed in turn or alternately with at least a portion of the other steps or of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 4, there is provided a trusted computing device comprising:
the virtualization supporting platform is used for determining a target context corresponding to a target virtual trusted root when receiving a trusted processing command sent by the target virtual trusted root in the target virtual machine; updating the target context based on the trusted processing command to obtain an updated target context;
the first trusted software stack is used for calling a physical trusted root to execute the trusted processing command by using the updated target context and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root;
the virtualization supporting platform is further used for feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
In one embodiment, the virtualization support platform is further used for:
when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, looking up, in a preset relation mapping table, the context corresponding to the context identifier in the trusted processing command, and taking that context as the target context corresponding to the target virtual trusted root.
In one embodiment, the virtualization support platform is further used for:
when trusted processing commands sent by the target virtual trusted roots in a plurality of virtual machines are received, determining the target context corresponding to each virtual machine's target virtual trusted root in turn, in descending order of the access priority of the virtual machines.
In one embodiment, the virtualization support platform is further used for:
acquiring the running state of the target virtual machine;
and updating the state of the target context according to the running state of the target virtual machine.
In one embodiment, the virtualization support platform is further used for:
exporting the target context corresponding to the target virtual machine when the running state of the target virtual machine is a migration state;
invoking the physical trusted root to sign and encrypt the target context to obtain a signed context;
and migrating the signed context to the target host operating system corresponding to the migration instruction, wherein the target host operating system decrypts the signed context and loads the decrypted target context.
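The host-side flow of the embodiments above (context lookup by identifier in the mapping table, priority ordering, forwarding to the physical trusted root, and sealed context export for migration), sketched as an added Python example that is not part of the patent. `PhysicalRootStub`, `HostPlatform`, the HMAC and SHAKE-256 constructions standing in for the physical root's operations, the migration key shared by both hosts, and the VM-ownership check are all assumptions.

```python
import hashlib, hmac, json, os

class PhysicalRootStub:
    """Constructed stand-in for the physical trusted root; keys never leave it."""
    def __init__(self, key: bytes):
        self._enc, self._mac = (hmac.new(key, t, hashlib.sha256).digest()
                                for t in (b"enc", b"mac"))

    def execute(self, command: str, data: bytes, ctx: dict) -> str:
        # "Trusted computing result": keyed digest bound to the calling context.
        msg = f"{ctx['ctx_id']}|{ctx['counter']}|{command}|".encode() + data
        return hmac.new(self._mac, msg, hashlib.sha256).hexdigest()

    def _stream(self, nonce: bytes, n: int) -> bytes:
        return hashlib.shake_256(self._enc + nonce).digest(n)

    def seal(self, blob: bytes) -> bytes:
        # Encrypt-then-MAC, standing in for "sign and encrypt" (illustrative only).
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(blob, self._stream(nonce, len(blob))))
        return nonce + ct + hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()

    def unseal(self, sealed: bytes) -> bytes:
        nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        expect = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):   # verify before decrypting
            raise ValueError("migrated context failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

class HostPlatform:
    """Hypothetical model of the virtualization support platform on one host."""
    def __init__(self, root: PhysicalRootStub):
        self.root, self.contexts = root, {}   # mapping table: context id -> context

    def register(self, ctx_id: str, vm: str, priority: int) -> None:
        self.contexts[ctx_id] = dict(ctx_id=ctx_id, vm=vm, priority=priority, counter=0)

    def handle(self, vm: str, ctx_id: str, command: str, data: bytes) -> str:
        ctx = self.contexts.get(ctx_id)
        # Added check (assumption, not in the patent): bind the guest-supplied id to its VM.
        if ctx is None or ctx["vm"] != vm:
            raise PermissionError("context identifier not owned by calling VM")
        ctx["counter"] += 1           # update the target context for this command
        return self.root.execute(command, data, ctx)

    def handle_batch(self, requests: list) -> list:
        # Serve pending commands from highest access priority to lowest.
        ordered = sorted(requests, key=lambda r: -self.contexts[r[1]]["priority"])
        return [(r[0], self.handle(*r)) for r in ordered]

    def export_for_migration(self, ctx_id: str) -> bytes:
        # Popping the entry means the source host stops serving this context.
        return self.root.seal(json.dumps(self.contexts.pop(ctx_id)).encode())

    def import_migrated(self, sealed: bytes) -> None:
        ctx = json.loads(self.root.unseal(sealed))
        self.contexts[ctx["ctx_id"]] = ctx

def demo():
    # Constructed key; both hosts' roots are assumed to share it for migration.
    src, dst = (HostPlatform(PhysicalRootStub(b"constructed-demo-key")) for _ in range(2))
    src.register("ctx-a", "vm-a", 1)
    src.register("ctx-b", "vm-b", 5)
    reqs = [("vm-a", "ctx-a", "measure", b"k"), ("vm-b", "ctx-b", "measure", b"k")]
    served = [vm for vm, _ in src.handle_batch(reqs)]
    dst.import_migrated(src.export_for_migration("ctx-a"))
    return served, dst.contexts["ctx-a"]["counter"]
```

Because the context state (here a counter) travels inside the sealed blob, the destination host resumes from the same state, and a blob altered in transit is rejected before any of it is loaded.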
In one embodiment, as shown in fig. 4, there is provided a trusted computing device for application to a virtual machine, the device comprising:
trusted software for creating a simulated device as a virtual trusted root;
the second trusted software stack is used for calling the virtual trusted root to send a trusted processing command to a host operating system when a trusted computing condition is triggered, wherein the host operating system is used for calling a physical trusted root to execute the trusted processing command so as to obtain a trusted computing result;
the virtual trusted root is configured to, when receiving the trusted computing result obtained by the host operating system from the physical trusted root, use the trusted computing result as a trusted function triggering result of the virtual trusted root.
As shown in fig. 5, the embodiment of the present application provides a computer device, including a processor 711, a communication interface 712, a memory 713, and a communication bus 714, where the processor 711, the communication interface 712, and the memory 713 perform communication with each other through the communication bus 714;
a memory 713 for storing a computer program;
the processor 711 is configured to implement the trusted computing method provided by any one of the foregoing method embodiments when executing the program stored on the memory 713.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, the trusted computing device provided herein may be implemented in the form of a computer program that may be run on a computer device as shown in fig. 5. The memory of the computer device may store the various program modules that make up the trusted computing device, such as the virtualized support platform and the first trusted software stack shown in FIG. 4. The computer program of each program module causes the processor to execute the trusted computing method of each embodiment of the present application described in the present specification.
Through the virtualization support platform in the trusted computing device shown in fig. 4, the computer device shown in fig. 5 may determine the target context corresponding to a target virtual trusted root when a trusted processing command sent by that target virtual trusted root in the target virtual machine is received, and update the target context based on the trusted processing command to obtain the updated target context. Through the first trusted software stack, the computer device may call the physical trusted root to execute the trusted processing command using the updated target context, and obtain from the physical trusted root the trusted computing result corresponding to the trusted processing command. Through the virtualization support platform, the computer device may then feed the trusted computing result back to the target virtual trusted root in the target virtual machine as the trusted function triggering result of the target virtual trusted root.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a trusted computing method as provided in any one of the method embodiments described above.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
From the above description of embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a general purpose hardware platform, or may be implemented by hardware. Based on such understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the related art in the form of a software product, which may be stored in a computer readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the trusted computing method described in the respective embodiments or some parts of the embodiments.
It is to be understood that the terminology used herein is for the purpose of describing particular example embodiments only, and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "comprises," "comprising," "includes," "including," and "having" are inclusive and therefore specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The method steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order described or illustrated, unless an order of performance is explicitly stated. It should also be appreciated that additional or alternative steps may be used.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A trusted computing method for application to a host operating system, the method comprising:
when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a target context corresponding to the target virtual trusted root;
updating the target context based on the trusted processing command to obtain an updated target context;
invoking a physical trusted root through a first trusted software stack to execute the trusted processing command by using the updated target context, and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root through the first trusted software stack;
and feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
2. The trusted computing method of claim 1, wherein the determining the target context corresponding to the target virtual trusted root when receiving the trusted processing command sent by the target virtual trusted root in the target virtual machine comprises:
when a trusted processing command sent by a target virtual trusted root in a target virtual machine is received, determining a context corresponding to a context identifier in the trusted processing command as a target context corresponding to the target virtual trusted root in a preset relation mapping table.
3. The trusted computing method of claim 1, wherein the target virtual machine comprises a plurality of virtual machines, and wherein determining the target context corresponding to the target virtual trusted root when receiving the trusted processing command sent by the target virtual trusted root in the target virtual machine comprises:
and when receiving the trusted processing command sent by the target virtual trusted root in the plurality of virtual machines, determining the target context corresponding to the corresponding target virtual trusted root of each virtual machine in sequence according to the order of the access priority of each virtual machine from high to low.
4. The trusted computing method of claim 1, wherein after said feeding back the trusted computing result to the target virtual trusted root in the target virtual machine as the trusted function trigger result of the target virtual trusted root, the method further comprises:
acquiring the running state of the target virtual machine;
and updating the state of the target context according to the running state of the target virtual machine.
5. The trusted computing method of claim 4, wherein said updating the state of said target context based on the operating state of said target virtual machine comprises:
when the running state of the target virtual machine is a migration state, a target context corresponding to the target virtual machine is exported;
invoking the physical trusted root to sign and encrypt the target context to obtain a signed context;
and migrating the signature context to a target host operating system corresponding to the migration instruction, wherein the target host operating system decrypts the signature context and loads the decrypted target context.
6. A trusted computing method, applied to a virtual machine, the method comprising:
creating simulation equipment serving as a virtual trusted root through trusted software;
under the condition of triggering a trusted computing condition, the trusted application calls the virtual trusted root through a second trusted software stack to send a trusted processing command to a host operating system, wherein the host operating system is used for calling a physical trusted root to execute the trusted processing command so as to obtain a trusted computing result;
and when the trusted computing result obtained by the host operating system from the physical trusted root is received, the trusted computing result is used as a trusted function triggering result of the virtual trusted root.
7. A trusted computing device for application to a host operating system, the device comprising:
the virtualization supporting platform is used for determining a target context corresponding to a target virtual trusted root when receiving a trusted processing command sent by the target virtual trusted root in the target virtual machine; updating the target context based on the trusted processing command to obtain an updated target context;
the first trusted software stack is used for calling a physical trusted root to execute the trusted processing command by using the updated target context and acquiring a trusted computing result corresponding to the trusted processing command from the physical trusted root;
the virtualization supporting platform is further used for feeding the trusted computing result back to the target virtual trusted root in the target virtual machine to serve as a trusted function triggering result of the target virtual trusted root.
8. A trusted computing device, for application to a virtual machine, the device comprising:
trusted software for creating a simulated device as a virtual trusted root;
the second trusted software stack is used for calling the virtual trusted root to send a trusted processing command to a host operating system under the condition of triggering a trusted computing condition, wherein the host operating system is used for calling a physical trusted root to execute the trusted processing command so as to obtain a trusted computing result;
the virtual trusted root is configured to, when receiving the trusted computing result obtained by the host operating system from the physical trusted root, use the trusted computing result as a trusted function triggering result of the virtual trusted root.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the trusted computing method of any one of claims 1 to 6 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the trusted computing method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311799899.3A CN117873645A (en) | 2023-12-25 | 2023-12-25 | Trusted computing method, trusted computing device, computer equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117873645A (en) | 2024-04-12 |
Family
ID=90580356
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||