WO2021174655A1 - Method and apparatus for determining trusted state of virtual data center, device and storage medium - Google Patents

Method and apparatus for determining trusted state of virtual data center, device and storage medium Download PDF

Info

Publication number
WO2021174655A1
WO2021174655A1 PCT/CN2020/087107 CN2020087107W WO2021174655A1 WO 2021174655 A1 WO2021174655 A1 WO 2021174655A1 CN 2020087107 W CN2020087107 W CN 2020087107W WO 2021174655 A1 WO2021174655 A1 WO 2021174655A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
trusted
output system
characteristic value
comparison result
Prior art date
Application number
PCT/CN2020/087107
Other languages
French (fr)
Chinese (zh)
Inventor
刘海伟
Original Assignee
苏州浪潮智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 苏州浪潮智能科技有限公司 filed Critical 苏州浪潮智能科技有限公司
Publication of WO2021174655A1 publication Critical patent/WO2021174655A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45575Starting, stopping, suspending or resuming virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Abstract

A method and apparatus for determining a trusted state of a virtual data center, a device, and a computer-readable storage medium. The method for determining the trusted state is based on a trusted management and control component of a computing pool, and comprises: by means of a basic input and output system, acquiring an operating feature value of a host to be tested in a virtual data center when resources are started; acquiring a reference value corresponding to the host, wherein the reference value has the same data type as the operating feature value; and comparing the operating feature value to the reference value, and determining the trusted state of the host according to the comparison result. It may be seen that in the present application, by means of comparing the operating feature value of a server/virtual host of the virtual data center to the reference value, the trusted state of the server/virtual host may be determined, thereby ensuring the security of physical resources and virtual resources of the virtual data center.

Description

虚拟数据中心可信状态确定方法、装置、设备及存储介质Method, device, equipment and storage medium for determining trusted state of virtual data center
本申请要求于2020年03月06日提交中国专利局、申请号为202010152749.3、发明名称为“虚拟数据中心可信状态确定方法、装置、设备及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed with the Chinese Patent Office on March 6, 2020, the application number is 202010152749.3, and the invention title is "the method, device, equipment and storage medium for determining the credibility of a virtual data center", all of which The content is incorporated in this application by reference.
技术领域Technical field
本发明涉及数据安全技术领域,更具体地说,涉及一种虚拟数据中心的可信状态确定方法、装置、设备及计算机可读存储介质。The present invention relates to the technical field of data security, and more specifically, to a method, device, equipment and computer-readable storage medium for determining the trusted state of a virtual data center.
背景技术Background technique
目前,越来越多的企业、科研院校采用云计算中的私有云模式来部署自己的虚拟数据中心。采用私有云方式部署的虚拟数据中心能够带来节约成本,部署灵活等优势,但是相比较传统数据中心也带来了新的安全隐患。传统数据中心通常使用防火墙、入侵检测,访问控制等机制来保护其中的计算、存储、网络资源,同时也可以使用带锁机柜等物理层面的安全措施来保护数据中心的物理硬件。但虚拟数据中心部署单元为虚拟机,整个生命周期(计算、存储和网络)都是由相应的虚拟化管理软件来进行管理和监测。为了保证业务便捷性、连续性和稳定性,私有云环境又具有迁移、备份和快照等特性。因此上述的安全解决方案针对虚拟数据中心并不适用。At present, more and more enterprises and scientific research institutions adopt the private cloud model in cloud computing to deploy their own virtual data centers. A virtual data center deployed in a private cloud can bring advantages such as cost savings and flexible deployment, but it also brings new security risks compared to traditional data centers. Traditional data centers usually use firewalls, intrusion detection, access control and other mechanisms to protect computing, storage, and network resources. At the same time, physical security measures such as lockable cabinets can also be used to protect the physical hardware of the data center. However, the virtual data center deployment unit is a virtual machine, and the entire life cycle (computing, storage, and network) is managed and monitored by corresponding virtualization management software. In order to ensure business convenience, continuity, and stability, the private cloud environment also has features such as migration, backup, and snapshots. Therefore, the aforementioned security solutions are not applicable to virtual data centers.
发明内容Summary of the invention
本发明的目的在于提供一种虚拟数据中心的可信状态确定方法、装置、设备及计算机可读存储介质,以确定虚拟数据中心的可信状态,提高虚拟数据中心资源的安全性。The purpose of the present invention is to provide a method, device, equipment and computer-readable storage medium for determining the trusted state of a virtual data center to determine the trusted state of the virtual data center and improve the security of the resources of the virtual data center.
为实现上述目的,本发明提供一种虚拟数据中心的可信状态确定方法,所述可信状态确定方法基于计算池可信管控组件,所述可信状态确定包括:To achieve the above objective, the present invention provides a method for determining the trusted state of a virtual data center. The method for determining the trusted state is based on a computing pool trusted management and control component, and the determination of the trusted state includes:
通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,待测主机为服务器或者部署在服务器上的虚拟主机,基本输入输出系统为所述服务器或者所述虚拟主机的可信基本输入输出系统;Obtain the operating characteristic value of the host under test in the virtual data center when the resource is started through the basic input output system; wherein, the under test host is a server or a virtual host deployed on the server, and the basic input output system is the server or the virtual host. The trusted basic input and output system of the host;
获取与所述待测主机对应的基准值;所述基准值为通过所述基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;所述基准值与所述运行特征值的数据类型相同;Acquire a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested that is pre-stored by the basic input output system when the resource is first created; the reference value is the same as the The data types of running characteristic values are the same;
将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。The operating characteristic value is compared with the reference value, and the trusted state of the host to be tested is determined according to the comparison result.
其中,所述通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值之前,还包括:Wherein, before acquiring the operating characteristic value of the host under test in the virtual data center through the basic input output system when the resource is started, the method further includes:
判断所述待测主机是否为新建主机;Judging whether the host to be tested is a newly-built host;
若否,则继续执行所述通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值的步骤;If not, continue to perform the step of obtaining the operating characteristic value of the host to be tested in the virtual data center when the resource is started through the basic input output system;
若是,则调用所述基本输入输出系统获取所述待测主机在资源启动时的初始运行特征值,并将所述初始运行特征值作为所述待测主机的基准值进行存储。If so, call the basic input output system to obtain the initial operating characteristic value of the host under test when the resource is started, and store the initial operating characteristic value as the reference value of the host under test.
其中,所述获取虚拟数据中心的待测主机在资源启动时的运行特征值包括:初始化TPM可信平台模块;获取所述基本输入输出系统的Boot Block的特征值、所述基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值中的至少一者,并记录至所述TPM可信平台模块的PCR寄存器。Wherein, said obtaining the operating characteristic value of the host under test of the virtual data center when the resource is started includes: initializing the TPM trusted platform module; obtaining the characteristic value of the Boot Block of the basic input output system, and the characteristic value of the basic input output system. At least one of the feature value of the Option ROM, the feature value of the OS Loader, and the feature value of the OS Kernel is recorded in the PCR register of the TPM trusted platform module.
其中,所述将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态,包括:Wherein, the comparing the operating characteristic value with the reference value, and determining the trusted state of the host under test according to the comparison result includes:
将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel的特征值与OS Kernel的基准值进行对比,得到第四对比结果;The feature value of the Boot Block of the basic input output system is compared with the Boot Block reference value to obtain the first comparison result; the feature value of the Option ROM of the basic input output system is compared with the Option ROM reference value to obtain the first comparison result. 2. Comparison result: Compare the characteristic value of OS Loader with the reference value of OS Loader to obtain the third comparison result; compare the characteristic value of OS Kernel with the reference value of OS Kernel to obtain the fourth comparison result;
若所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同,则判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。If the first comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same, the host to be tested is determined to be a trusted host; if any one of them exists If the comparison result is not the same, it is determined that the host to be tested is an untrusted host.
为实现上述目的,本发明进一步提供一种虚拟数据中心的可信状态确定装置,所述可信状态确定装置基于计算池可信管控组件,所述可信状态确定装置包括:To achieve the above objective, the present invention further provides a device for determining a trusted state of a virtual data center, the device for determining a trusted state is based on a computing pool trusted management and control component, and the device for determining a trusted state includes:
特征值获取模块,用于通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,所述待测主机为服务器或者部署在服务器上的虚拟主机,所述基本输入输出系统为所述服务器或者所述虚拟主机的可信基本输入输出系统;The characteristic value acquisition module is used to acquire the operating characteristic value of the host under test of the virtual data center when the resource is started through the basic input output system; wherein, the host under test is a server or a virtual host deployed on the server, and the basic The input and output system is a trusted basic input and output system of the server or the virtual host;
基准值获取模块,用于获取与所述待测主机对应的基准值;所述基准值为通过基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;所述基准值与所述运行特征值的数据类型相同;The reference value acquisition module is configured to acquire a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested that is pre-stored through the basic input output system when the resource is first created; The reference value is the same as the data type of the operating characteristic value;
对比模块,用于将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。The comparison module is used to compare the operating characteristic value with the reference value, and determine the trusted state of the host under test according to the comparison result.
其中,本方案还包括:Among them, this program also includes:
判断模块,用于判断所述待测主机是否为新建主机;The judging module is used to judge whether the host to be tested is a newly-built host;
所述特征值获取模块,具体用于在所述待测主机不为新建主机时,通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;The characteristic value obtaining module is specifically configured to obtain the operating characteristic value of the host under test in the virtual data center when the resource is started through the basic input output system when the host under test is not a newly-built host;
初始运行特征值获取模块,用于在所述待测主机为新建主机时,通过基本输入输出系统获取所述待测主机在资源启动时的初始运行特征值;The initial operating characteristic value obtaining module is used to obtain the initial operating characteristic value of the host under test when the resource is started through the basic input output system when the host under test is a new host;
存储模块,用于将所述初始运行特征值作为所述待测主机的基准值进行存储。The storage module is configured to store the initial operating characteristic value as the reference value of the host to be tested.
其中,所述特征值获取模块包括:Wherein, the characteristic value acquisition module includes:
初始化单元,用于初始化TPM可信平台模块;The initialization unit is used to initialize the TPM trusted platform module;
特征值获取单元,用于获取所述基本输入输出系统的Boot Block的特征值、所述基本输入输出系统的Option ROM的特征值、OS Loader的特征 值、OS Kernel的特征值中的至少一者,并记录至所述TPM可信平台模块的PCR寄存器。The feature value obtaining unit is used to obtain at least one of the feature value of the Boot Block of the basic input output system, the feature value of the Option ROM of the basic input output system, the feature value of the OS Loader, and the feature value of the OS Kernel , And record it in the PCR register of the TPM trusted platform module.
其中,所述对比模块包括:Wherein, the comparison module includes:
对比单元,用于将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel的特征值与OS Kernel的基准值进行对比,得到第四对比结果;The comparison unit is used to compare the feature value of the Boot Block of the basic input output system with the reference value of the Boot Block to obtain a first comparison result; compare the feature value of the Option ROM of the basic input output system with the reference value of Option ROM Make a comparison to obtain the second comparison result; compare the characteristic value of the OS Loader with the OS Loader reference value to obtain the third comparison result; compare the characteristic value of the OS Kernel with the reference value of the OS Kernel to obtain the fourth comparison result;
判定单元,用于在所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同时,判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。A determining unit, configured to determine that the host to be tested is a trusted host when the first comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same; If the comparison result of any one is different, it is determined that the host to be tested is an untrusted host.
为实现上述目的,本发明进一步提供一种虚拟数据中心的可信状态确定设备,包括:存储器,用于存储计算机程序;处理器,用于执行所述计算机程序时实现如上述的可信状态确定方法的步骤。In order to achieve the above objective, the present invention further provides a device for determining the trusted state of a virtual data center, including: a memory, used to store a computer program; a processor, used to implement the above-mentioned trusted state determination when the computer program is executed Method steps.
为实现上述目的,本发明进一步提供一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如上述的可信状态确定方法的步骤。In order to achieve the above object, the present invention further provides a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for determining a trusted state as described above are implemented .
通过以上方案可知,本发明实施例提供的一种虚拟数据中心的可信状态确定方法,所述可信状态确定方法基于计算池可信管控组件,所述可信状态确定包括:通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,所述待测主机为服务器或者部署在服务器上的虚拟主机,所述基本输入输出系统为所述服务器或者所述虚拟主机的可信基本输入输出系统,所述基准值与所述运行特征值的数据类型相同;获取与所述待测主机对应的基准值;所述基准值为通过所述基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。It can be seen from the above solution that a method for determining the trusted state of a virtual data center provided by an embodiment of the present invention is based on a computing pool trusted management and control component, and the determination of the trusted state includes: through basic input and output The system obtains the operating characteristic value of the host under test in the virtual data center when the resource is started; wherein, the host under test is a server or a virtual host deployed on the server, and the basic input output system is the server or the virtual host. The trusted basic input output system of the host, the reference value is the same as the data type of the operating characteristic value; the reference value corresponding to the host to be tested is obtained; the reference value is pre-stored through the basic input output system The initial operating characteristic value of the host under test when the resource is first created; the operating characteristic value is compared with the reference value, and the trusted state of the host under test is determined according to the comparison result.
可见,在本申请中,通过将虚拟数据中心的服务器/虚拟主机的运行特征值与基准值进行对比的方式,可确定服务器/虚拟主机的可信状态,从而保证虚拟数据中心的物理资源及虚拟资源的安全性;本发明还公开了一种虚拟数据中心的可信状态确定装置、设备及计算机可读存储介质,同样能实现上述技术效果。It can be seen that in this application, by comparing the operating characteristic value of the server/virtual host of the virtual data center with the reference value, the trusted state of the server/virtual host can be determined, thereby ensuring the physical resources and virtual host of the virtual data center. Security of resources; the present invention also discloses a device, equipment and computer-readable storage medium for determining the trusted state of a virtual data center, which can also achieve the above technical effects.
附图说明Description of the drawings
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can be obtained based on these drawings without creative work.
图1为本发明实施例公开的一种虚拟数据中心的可信状态确定方法流程示意图;FIG. 1 is a schematic flowchart of a method for determining the trusted state of a virtual data center disclosed in an embodiment of the present invention;
图2为本发明实施例公开的基于TPM可信平台模块可信BIOS构建信任链流程图;2 is a flow chart of building a trust chain based on the trusted BIOS of a TPM trusted platform module disclosed in an embodiment of the present invention;
图3为本发明实施例公开的待测主机可信状态确定流程图;3 is a flowchart of determining the trusted state of the host under test disclosed in the embodiment of the present invention;
图4为本发明实施例公开的系统结构示意图;Figure 4 is a schematic diagram of the system structure disclosed in an embodiment of the present invention;
图5为本发明实施例公开的一种虚拟数据中心的可信状态确定装置结构示意图;FIG. 5 is a schematic structural diagram of an apparatus for determining a trusted state of a virtual data center disclosed in an embodiment of the present invention;
图6为本发明实施例公开的一种虚拟数据中心的可信状态确定设备结构示意图。Fig. 6 is a schematic structural diagram of a device for determining a trusted state of a virtual data center disclosed in an embodiment of the present invention.
具体实施方式Detailed ways
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没 有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative work shall fall within the protection scope of the present invention.
本发明实施例公开了一种虚拟数据中心的可信状态确定方法、装置、设备及计算机可读存储介质,以确定虚拟数据中心的可信状态,提高虚拟数据中心资源的安全性。The embodiment of the invention discloses a method, device, equipment and computer-readable storage medium for determining the trusted state of a virtual data center to determine the trusted state of the virtual data center and improve the security of the resources of the virtual data center.
参见图1,本发明实施例提供的一种虚拟数据中心的可信状态确定方法,该可信状态确定方法基于计算池可信管控组件,包括:Referring to Figure 1, an embodiment of the present invention provides a method for determining the trusted state of a virtual data center. The method for determining a trusted state is based on a computing pool trusted management and control component and includes:
S101、通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,待测主机为服务器或者部署在服务器上的虚拟主机,基本输入输出系统为服务器或者虚拟主机的可信基本输入输出系统;S101. Obtain the operating characteristic value of the host under test in the virtual data center when the resource is started through the basic input output system; where the host under test is a server or a virtual host deployed on the server, and the basic input output system is a server or a virtual host Trusted basic input output system;
需要说明的是,在本申请中,首先需要部署可信服务器集群,该可信服务器集群由若干台可信的服务器组成,可以提供基础的、物理的计算资源。并且,本申请中每个服务器是基于TPM(Trusted Platform Module,可信计算中的安全芯片)可信平台模块、可信BIOS(Basic Input Output System,基本输入输出系统)固件等技术构建的高安全性服务器,具有高安全性、高性能、高可靠性等特点;该可信BIOS为计算机提供最底层的、最直接的硬件设置和控制。在该物理计算资源上,部署了可信虚拟化组件和计算池可信管控组件。It should be noted that in this application, a trusted server cluster needs to be deployed first. The trusted server cluster is composed of several trusted servers and can provide basic and physical computing resources. In addition, each server in this application is a high-security technology based on TPM (Trusted Platform Module, security chip in trusted computing) trusted platform module, trusted BIOS (Basic Input Output System, basic input output system) firmware and other technologies. The server has the characteristics of high security, high performance, and high reliability; this trusted BIOS provides the lowest and most direct hardware settings and control for the computer. On this physical computing resource, a trusted virtualization component and a computing pool trusted management and control component are deployed.
在本申请中,该可信虚拟化组件为基于可信服务器集群的物理资源,可以虚拟化多个VM(Virtual Machine,虚拟机:云计算下虚拟出的计算资源)的虚拟化管理软件。通过该虚拟化组件,可以把真实的、单个物理服务器,虚拟化成多个、虚拟的虚拟主机。与普通的虚拟化管理软件相比,该虚拟化管理软件可以为每个VM虚拟机创建vTPM(Virtual Trusted Platform Module,虚拟可信平台模块),同时,提供虚拟可信BIOS。In this application, the trusted virtualization component is a physical resource based on a trusted server cluster, which can virtualize multiple VMs (Virtual Machine, virtual machine: computing resources virtualized under cloud computing) virtualization management software. Through this virtualization component, a real, single physical server can be virtualized into multiple, virtual virtual hosts. Compared with ordinary virtualization management software, the virtualization management software can create a vTPM (Virtual Trusted Platform Module) for each VM virtual machine, and at the same time, provides a virtual trusted BIOS.
该计算池可信管控组件,主要基于可信服务器集群和可信虚拟化组件管理和控制可信服务器集群中每个可信服务器的可信状态、虚拟化管理软件虚拟出的每个VM虚拟机的可信状态,从而来创建一个逻辑的可信计算池。在该可信计算池范围内的云主机都具有可信硬件和可信软件,对外提 供安全可靠的计算资源。可以理解的是,云主机包括服务器集群及其集群中虚拟化出的虚拟机。其中的硬件指:服务器集群中的服务器物理硬件(如网卡,RAID,显卡)、物理固件(如BIOS,OptionROM),以及集群中虚拟机的虚拟硬件、虚拟固件。软件指:服务器集群中的服务器下的虚拟化软件、系统软件(如服务器上运行的OS Loader,OS Kernel)和集群中的虚拟机的系统软件(如虚拟机上运行的OS Loader,OS Kernel)。The trusted management and control component of the computing pool is mainly based on the trusted server cluster and the trusted virtualization component to manage and control the trusted state of each trusted server in the trusted server cluster, and each VM virtual machine virtualized by the virtualization management software In order to create a logical trusted computing pool. The cloud hosts in the trusted computing pool all have trusted hardware and trusted software, and provide safe and reliable computing resources to the outside world. It is understandable that cloud hosts include server clusters and virtual machines virtualized in the clusters. The hardware refers to the server physical hardware (such as network card, RAID, graphics card), physical firmware (such as BIOS, OptionROM) in the server cluster, and the virtual hardware and virtual firmware of the virtual machines in the cluster. Software refers to the virtualization software under the servers in the server cluster, system software (such as OS Loader and OS Kernel running on the server) and system software of the virtual machines in the cluster (such as OS Loader and OS Kernel running on the virtual machines) .
S102、获取与待测主机对应的基准值;基准值为通过基本输入输出系统预先存储的待测主机在资源首次创建时的初始运行特征值;基准值与运行特征值的数据类型相同;S102. Obtain a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested stored in advance through the basic input output system when the resource is first created; the reference value is the same as the data type of the operating characteristic value;
在本申请中,为了确定待测主机的可信状态,需要通过基本输入输出系统预先存储作为对比的基准值,该基准值为待测主机在资源首次创建时的初始运行特征值;该基准值的类型与S102中的运行特征值类型相同,也即:若运行特征值包括:基本输入输出系统的Boot Block的特征值、基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值,则基准值同样包括基本输入输出系统的Boot Block的基准值、基本输入输出系统的Option ROM的基准值、OS Loader的基准值、OS Kernel的基准值。In this application, in order to determine the trusted state of the host under test, it is necessary to pre-store the reference value for comparison through the basic input output system. The reference value is the initial operating characteristic value of the host under test when the resource is first created; the reference value The type is the same as the operating characteristic value type in S102, that is, if the operating characteristic value includes: the characteristic value of the Boot Block of the basic input output system, the characteristic value of the Option ROM of the basic input output system, the characteristic value of the OS Loader, and the OS The characteristic value of the kernel, the reference value also includes the reference value of the Boot Block of the basic input output system, the reference value of the Option ROM of the basic input output system, the reference value of the OS Loader, and the reference value of the OS Kernel.
需要说明的是,本申请中的待测主机可以为可信服务器集群内的可信服务器,也可以为可信虚拟化组件在可信服务器集群上创建的虚拟机,因此,如果待测主机为可信服务器,则基本输入输出系统BIOS为可信服务器的可信BIOS,如果待测主机为虚拟机,则基本输入输出系统BIOS为虚拟机的可信BIOS。相应的,本申请中资源启动时的运行特征值,可以是服务器的物理资源启动时的运行特征值,也可以是虚拟机的虚拟资源启动时的运行特征值,该资源的类型随着待测主机的不同而变化,并且,本申请中的运行特征值,可以是基本输入输出系统的Boot Block的特征值、基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值等等,在此并不具体限定。It should be noted that the host to be tested in this application can be a trusted server in a trusted server cluster, or a virtual machine created by a trusted virtualization component on a trusted server cluster. Therefore, if the host to be tested is For a trusted server, the basic input output system BIOS is the trusted BIOS of the trusted server, and if the host to be tested is a virtual machine, the basic input output system BIOS is the trusted BIOS of the virtual machine. Correspondingly, the operating characteristic value when the resource is started in this application can be the operating characteristic value when the physical resource of the server is started, or the operating characteristic value when the virtual resource of the virtual machine is started. It varies from host to host, and the operating feature value in this application can be the feature value of the Boot Block of the basic input output system, the feature value of the Option ROM of the basic input output system, the feature value of the OS Loader, and the feature of the OS Kernel. The value and so on are not specifically limited here.
可以理解的是,基本输入输出系统BIOS,是初始化、引导服务器或者虚拟机的硬件过程中进行引导度量的单元,它是服务器或者虚拟机启动 的第一个单元,能够度量当前引导对象的完整性。针对于普通服务器或者虚拟机,它完成硬件初始化。在本方案中,除了此功能,它还要度量硬件(在确定当前时刻的硬件是可信的,可以把当前的度量值作为基准值时。服务器或者虚拟机在后续的启动过程中,也执行度量操作,得到度量值,作为运行特征值)。它只是完成初始化和度量的功能。It is understandable that the basic input output system BIOS is the unit that performs boot measurement during the process of initializing and booting the hardware of the server or virtual machine. It is the first unit to start the server or virtual machine and can measure the integrity of the current boot object. . For ordinary servers or virtual machines, it completes hardware initialization. In this solution, in addition to this function, it also measures hardware (when it is determined that the hardware at the current moment is credible, the current measurement value can be used as the reference value. The server or virtual machine also executes the subsequent startup process. The measurement operation, the measurement value is obtained, as the running characteristic value). It just completes the function of initialization and measurement.
计算池可信管控组件是判断可信硬件及可信软件是否可信的判断单元。简单来说,它具有三个功能:1、当新建虚拟机或者集群中新加入服务器时发出命令,让BIOS把当前时刻的度量值提取出来,放到数据库中作为基准值;2、监控服务器或者虚拟机的重新启动过程,并获取启动过程中BIOS的度量值,并把该度量值作为运行特征值,然后比较运行特征值与基准值,来判断是否可信,相等则可信;3、对外提供可信状态。The trusted management and control component of the computing pool is a determination unit that determines whether the trusted hardware and trusted software are trusted. Simply put, it has three functions: 1. When a new virtual machine or a new server is added to the cluster, it issues a command to let the BIOS extract the measurement value at the current moment and put it in the database as a reference value; 2. Monitor the server or During the restart process of the virtual machine, obtain the BIOS measurement value during the startup process, and use the measurement value as the operating characteristic value, and then compare the operating characteristic value with the benchmark value to determine whether it is credible, and if it is equal, it is credible; 3. External Provide trusted status.
也就是说,本方案中的基本输入输出系统BIOS只是引导硬件和系统软件,并度量该引导硬件和系统软件的作用。而计算池可信管控组件则是确定哪个时刻的度量值作为基准值,哪个时刻的度量值作为运行特征值,并提供某个时刻硬件及系统软件的可信状态的作用。That is to say, the basic input output system BIOS in this solution only boots the hardware and system software, and measures the role of the boot hardware and system software. The trusted management and control component of the computing pool determines the measurement value at which time is used as the reference value and the measurement value at which time is used as the operating characteristic value, and provides the role of the trusted state of the hardware and system software at a certain time.
S103、将运行特征值与基准值进行对比,并根据对比结果确定待测主机的可信状态。S103: Compare the operating characteristic value with the reference value, and determine the trusted state of the host to be tested according to the comparison result.
在本申请中,将运行特征值与基准值进行对比,并根据对比结果确定待测主机的可信状态时,可以包括:将运行特征值与基准值进行对比,判断运行特征值与基准值是否相同;若相同,则判定待测主机为可信主机;若不相同,则判定待测主机为不可信主机。In this application, when comparing the operating characteristic value with the reference value, and determining the trustworthy status of the host to be tested according to the comparison result, it may include: comparing the operating characteristic value with the reference value, and judging whether the operating characteristic value and the reference value are Same; if they are the same, the host to be tested is determined to be a trusted host; if they are not the same, the host to be tested is determined to be an untrusted host.
可以看出,本申请中的计算池可信管控组件可以基于可信服务器集群的真实物理资源和可信虚拟化组件的虚拟资源,利用物理资源和虚拟资源启动过程中事先保存的物理资源和虚拟资源在首次创建时的基准值作为基准,然后获取物理资源和虚拟资源在后续启动的运行特征值,比较基准值和运行特征值,来准确判定可信服务器集群的物理服务器和可信虚拟化组件的虚拟主机的可信状态,通过这种方式来构建一个可信的计算池,提高虚拟数据中心资源的安全性。It can be seen that the trusted management and control component of the computing pool in this application can be based on the real physical resources of the trusted server cluster and the virtual resources of the trusted virtualization component, and use the physical resources and virtual resources saved in advance during the startup process of the physical resources and the virtual resources. The baseline value of the resource at the first creation is used as the baseline, and then the operating characteristic values of the physical resources and virtual resources at subsequent startups are obtained, and the baseline values and operating characteristic values are compared to accurately determine the physical servers and trusted virtualization components of the trusted server cluster The trusted state of the virtual host is used in this way to build a trusted computing pool and improve the security of virtual data center resources.
基于上述实施例,在本实施例中,通过所述基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值之前,还包括:判断待测主机是否为新建主机;若否,则继续执行通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值的步骤;若是,则通过所述基本输入输出系统获取待测主机在资源启动时的初始运行特征值,并将初始运行特征值作为、待测主机的基准值进行存储。Based on the foregoing embodiment, in this embodiment, before acquiring the operating characteristic value of the host under test of the virtual data center at resource startup through the basic input output system, the method further includes: determining whether the host under test is a new host; if not , Continue to perform the step of obtaining the operating characteristic value of the host under test in the virtual data center through the basic input output system when the resource is started; if so, obtain the initial operating characteristic value of the host under test when the resource is started through the basic input output system And store the initial operating characteristic value as the reference value of the host to be tested.
并且,本申请在获取虚拟数据中心的待测主机在资源启动时的运行特征值时,具体可以包括:初始化TPM可信平台模块;获取基本输入输出系统的Boot Block的特征值、基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值中的至少一者,并记录至TPM可信平台模块的PCR寄存器。In addition, when obtaining the operating characteristic value of the host under test of the virtual data center when the resource is started, this application may specifically include: initializing the TPM trusted platform module; obtaining the characteristic value of the Boot Block of the basic input output system and the basic input output system At least one of the feature value of the Option ROM, the feature value of the OS Loader, and the feature value of the OS Kernel is recorded in the PCR register of the TPM trusted platform module.
可以理解的是,由于BIOS引导启动过程中,操作系统没有启动,硬件的特征值记录不能依赖于操作系统,同时该特征值也不能被篡改,保证计算池可信管控组件在判断可信状态时的特征值就是BIOS引导过程中记录的特征值。TPM可信平台模块的PCR(Platform Configuration Register)寄存器正好符合该要求。PCR平台配置寄存器在完整记录之后,由BIOS设置其引导完成状态后,操作系统只能读取PCR寄存器中的值,而不能修改PCR寄存器中的值。其中。PCR寄存器由PCR0-PCR23共24个寄存器组成,通常PCR0-PCR7用于硬件的度量对象特征值的存储,PCR8-PCR23用于软件的特征值存储,在本申请中,以获取基本输入输出系统的Boot Block的特征值、基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值这四个特征值为例进行说明,因此,本申请使用了PCR0、PCR2、PCR4、PCR8。It is understandable that since the operating system is not started during the BIOS boot process, the feature value record of the hardware cannot depend on the operating system, and the feature value cannot be tampered with, ensuring that the computing pool trusted management and control component determines the trusted state The characteristic value of is the characteristic value recorded during the BIOS boot process. The PCR (Platform Configuration Register) register of the TPM trusted platform module just meets this requirement. After the PCR platform configuration register is fully recorded, after the boot completion status is set by the BIOS, the operating system can only read the value in the PCR register, but cannot modify the value in the PCR register. in. The PCR register is composed of a total of 24 registers PCR0-PCR23. Usually PCR0-PCR7 is used for the storage of the characteristic value of the measurement object of the hardware, and PCR8-PCR23 is used for the storage of the characteristic value of the software. In this application, it is used to obtain the basic input output system. The feature value of Boot Block, the feature value of Option ROM of the basic input output system, the feature value of OS Loader, and the feature value of OS Kernel are examples for illustration. Therefore, PCR0, PCR2, PCR4, and PCR4 are used in this application. PCR8.
需要说明的是,无论是获取运行特征值还是基准值,其获取过程都是相同的,在此以获取基本输入输出系统的Boot Block的特征值、基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值这四个特征值为例,对获取过程进行具体说明:It should be noted that whether it is to obtain the operating characteristic value or the reference value, the acquisition process is the same. Here, the characteristic value of the Boot Block of the basic input output system, the characteristic value of the Option ROM of the basic input output system, and the OS are obtained. The four characteristic values of Loader's characteristic value and OS Kernel's characteristic value are examples to explain the acquisition process in detail:
首先,待测主机上电,可信BIOS初始化TPM可信平台模块,保证TPM内部是初始状态;First, the host to be tested is powered on, and the trusted BIOS initializes the TPM trusted platform module to ensure that the internal TPM is in the initial state;
然后,可信BIOS度量BIOS中的Boot Block,然后记录到TPM可信平台模块的PCR 0寄存器中;其中,Boot Block是BIOS中的第一块启动代码,度量该Boot Block目的是确保BIOS是完整的。度量指的是对目标对象进行Sha256哈希运算,得到对象的特征值,该特征值代表了被度量对象的完整性,在度量Boot Block时,该目标对象即为Boot Block。Then, the trusted BIOS measures the Boot Block in the BIOS and records it in the PCR 0 register of the TPM Trusted Platform Module; among them, the Boot Block is the first boot code in the BIOS, and the purpose of measuring the Boot Block is to ensure that the BIOS is complete of. The measurement refers to the Sha256 hash operation of the target object to obtain the characteristic value of the object. The characteristic value represents the integrity of the measured object. When the Boot Block is measured, the target object is the Boot Block.
可信BIOS度量BIOS中的Option ROM,然后记录到TPM可信平台模块的PCR 2寄存器中;其中,Option ROM是用于设备初始化和系统启动的代码段,是系统硬件很重要的引导对象,通过度量该对象可以反映系统的PCI硬件设备的完整性。可信BIOS度量OS Loader,然后记录到TPM可信平台模块的PCR 4寄存器中;其中,OS Loader指的是引导加载程序(目前在ICS上是Grub),通过度量该对象可以反应系统的引导过程是否符合预期。可信BIOS度量OS Kernel,然后记录到TPM可信平台模块的PCR 8寄存器中;其中,OS kernel指的是操作系统内核,是操作系统启动、加载、运行的核心,通过度量该对象可以反应操作系统启动是否正常,度量含义与上述记载的一致。The trusted BIOS measures the Option ROM in the BIOS, and then records it in the PCR 2 register of the TPM trusted platform module; among them, Option ROM is a code segment used for device initialization and system startup, and is a very important boot object for system hardware. The measurement of this object can reflect the integrity of the system's PCI hardware devices. The trusted BIOS measures the OS Loader, and then records it in the PCR 4 register of the TPM trusted platform module; among them, OS Loader refers to the boot loader (currently Grub on ICS), which can reflect the boot process of the system by measuring this object Whether it meets expectations. The trusted BIOS measures the OS Kernel, and then records it in the PCR 8 register of the TPM Trusted Platform Module; among them, OS kernel refers to the operating system kernel, which is the core of the operating system's startup, loading, and operation, and the object can be measured to reflect operations Whether the system starts normally, the meaning of the measurement is consistent with the above-mentioned record.
进一步,可信BIOS设置TPM可信平台模块的状态,标识引导阶段结束,OS正常运行。TPM可信平台模块的PCR寄存器只读,不能写,从而防止PCR寄存器的特征值被非法篡改;上述可信BIOS获取BIOS Boot Block、Option ROM、OS Loader、OS Kernel的基准值过程可以称为构建信任链的过程,参见图2,为本发明实施例公开的基于TPM可信平台模块可信BIOS构建信任链流程图,通过该流程,可以依次获取资源的运行特征值。Further, the trusted BIOS sets the state of the TPM trusted platform module to mark the end of the boot phase and the OS is running normally. The PCR register of the TPM trusted platform module is read-only and cannot be written, so as to prevent the characteristic value of the PCR register from being illegally tampered with; the above-mentioned trusted BIOS obtains the BIOS Boot Block, Option ROM, OS Loader, OS Kernel reference value process can be called construction The process of the chain of trust, see FIG. 2, is a flow chart of constructing a chain of trust based on the trusted BIOS of the TPM trusted platform module disclosed in the embodiment of the present invention. Through this process, the operating characteristic values of the resources can be obtained in sequence.
其中,如果本申请获取的运行特征值包括Boot Block的特征值、Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值这四者,则本申请判定待测主机的可信状态的过程具体包括如下步骤:Among them, if the operating characteristic value obtained by this application includes the characteristic value of Boot Block, the characteristic value of Option ROM, the characteristic value of OS Loader, and the characteristic value of OS Kernel, then this application determines the reliability of the host under test. The process specifically includes the following steps:
将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel 的特征值与OS Kernel的基准值进行对比,得到第四对比结果;若所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同,则判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。The feature value of the Boot Block of the basic input output system is compared with the Boot Block reference value to obtain the first comparison result; the feature value of the Option ROM of the basic input output system is compared with the Option ROM reference value to obtain the first comparison result. 2. Comparison result; compare the characteristic value of OS Loader with the OS Loader reference value to obtain the third comparison result; compare the characteristic value of OS Kernel with the reference value of OS Kernel to obtain the fourth comparison result; if said first If the comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same, the host to be tested is determined to be a trusted host; if there is any one, the comparison result is different , It is determined that the host to be tested is an untrusted host.
需要说明的是,在本申请中,计算池可信管控组件可以先判断当前待测主机是否为新建主机,也即:判断可信服务器集群的真实物理主机和可信虚拟化组件的虚拟主机是否为新建主机;如果为新建主机,这时需要获取该待测主机在资源首次创建时的初始运行特征值,当待测主机启动完成后,提取PCR0、PCR2、PCR4、PCR8的值,并保存到白名单数据库中,分别作为BIOS Boot Block、Option ROM、OS Loader、OS Kernel的基准值。It should be noted that in this application, the trusted management and control component of the computing pool can first determine whether the current host to be tested is a new host, that is, whether the real physical host of the trusted server cluster and the virtual host of the trusted virtualization component are determined It is a new host; if it is a new host, you need to obtain the initial operating characteristic value of the host to be tested when the resource is first created. When the host to be tested is started, extract the values of PCR0, PCR2, PCR4, PCR8 and save them to In the whitelist database, they are used as the reference values of BIOS Boot Block, Option ROM, OS Loader, and OS Kernel.
如果待测主机并非是新建主机,则需要获取PCR0、PCR2、PCR4、PCR8的值作为当前的运行特征值,并从白名单数据库中读取BIOS Boot Block、Option ROM、OS Loader、OS Kernel的基准值进行逐个比较,如果都相同,则表示待测主机是可信的,如果存在其中一个不相同,则表示待测主机是不可信的;参见图3,为本发明实施例公开的待测主机可信状态确定流程图,可以看出,通过该流程,可以通过将虚拟数据中心的服务器/虚拟主机的运行特征值与基准值进行对比的方式,确定服务器/虚拟主机的可信状态,从而保证虚拟数据中心的物理资源及虚拟资源的安全性。If the host to be tested is not a new host, you need to obtain the values of PCR0, PCR2, PCR4, PCR8 as the current operating characteristic values, and read the BIOS Boot Block, Option ROM, OS Loader, and OS Kernel benchmarks from the whitelist database The values are compared one by one, if they are all the same, it means that the host under test is trustworthy, and if one of them is different, it means that the host under test is not trustworthy; see Figure 3, which is the host under test disclosed in the embodiment of the present invention The flow chart for determining the trusted state shows that through this process, the trusted state of the server/virtual host can be determined by comparing the operating characteristic value of the server/virtual host in the virtual data center with the reference value, so as to ensure The security of the physical resources and virtual resources of the virtual data center.
参加图4,为本申请公开的系统结构示意图;通过该图可以看出,可信计算池中的可信服务器集群中包括可信BIOS及TPM2.0,可信虚拟化组件包括虚拟可信BIOS及vTPM2.0,计算池可信管控组件通过可信BIOS及TPM2.0判定服务器的可信状态,通过虚拟可信BIOS及vTPM2.0可判定虚拟机的可信状态,计算池可信管控组件可监控CPU池、内存池、存储池的可信状态,具体来说:当计算池中的硬件,如服务器中RAID卡或者虚拟机中虚拟磁盘发生变化,如外部攻击或者管理员恶意篡改时,BIOS引导过程中的度量值发生变化,与基准值(比如新建虚拟机或者集群中新加入服务器时)不同,则计算池可信管控软件会监控这个变化,并提供不可信的状态。通过可信计算池可判定出可信云主机,该可信云主机即 为可信服务器集群内的服务器,在该可信云主机上部署可信虚拟机,该可信云主机上有可信硬件和可信软件。Participate in Figure 4, which is a schematic diagram of the system structure disclosed in this application; it can be seen from this figure that the trusted server cluster in the trusted computing pool includes trusted BIOS and TPM2.0, and the trusted virtualization components include virtual trusted BIOS And vTPM2.0, the trusted management and control component of the computing pool determines the trusted state of the server through the trusted BIOS and TPM2.0, and the trusted state of the virtual machine can be determined through the virtual trusted BIOS and vTPM2.0, the trusted management and control component of the computing pool It can monitor the trusted status of the CPU pool, memory pool, and storage pool, specifically: when the hardware in the computing pool, such as the RAID card in the server or the virtual disk in the virtual machine, changes, such as external attacks or malicious tampering by the administrator, When the measurement value changes during the BIOS boot process, which is different from the baseline value (for example, when a new virtual machine is created or a server is newly added to a cluster), the computing pool trusted management software will monitor this change and provide an untrusted state. A trusted cloud host can be determined through the trusted computing pool. The trusted cloud host is a server in a trusted server cluster. A trusted virtual machine is deployed on the trusted cloud host. Hardware and trusted software.
下面对本发明实施例提供的可信状态确定装置进行介绍,下文描述的可信状态确定装置与上文描述的可信状态确定方法可以相互参照。The following describes the trusted state determining device provided by the embodiment of the present invention. The trusted state determining device described below and the trusted state determining method described above can be cross-referenced.
参见图5,本发明实施例提供的一种虚拟数据中心的可信状态确定装置,该可信状态确定装置基于计算池可信管控组件,所述可信状态确定装置包括:Referring to FIG. 5, an embodiment of the present invention provides a device for determining a trusted state of a virtual data center. The device for determining a trusted state is based on a computing pool trusted management and control component, and the device for determining a trusted state includes:
特征值获取模块100,用于通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,待测主机为服务器或者部署在服务器上的虚拟主机,基本输入输出系统为服务器或者虚拟主机的可信基本输入输出系统;The characteristic value obtaining module 100 is used to obtain the operating characteristic value of the host under test of the virtual data center when the resource is started through the basic input output system; the host under test is a server or a virtual host deployed on the server, and the basic input output system Trusted basic input output system for server or virtual host;
基准值获取模块200,用于获取与所述待测主机对应的基准值;所述基准值为通过基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;The reference value obtaining module 200 is configured to obtain a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested stored in advance through the basic input output system when the resource is first created;
对比模块300,用于将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。The comparison module 300 is configured to compare the operating characteristic value with the reference value, and determine the trusted state of the host to be tested according to the comparison result.
其中,本申请还包括:Among them, this application also includes:
判断模块,用于判断所述待测主机是否为新建主机;The judging module is used to judge whether the host to be tested is a newly-built host;
所述特征值获取模块,具体用于在所述待测主机不为新建主机时,通过所述基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;The characteristic value obtaining module is specifically configured to obtain, through the basic input output system, the operating characteristic value of the host to be tested in the virtual data center when the resource is started when the host to be tested is not a newly-built host;
初始运行特征值获取模块,用于在所述待测主机为新建主机时,通过所述基本输入输出系统获取所述待测主机在资源启动时的初始运行特征值;An initial operating characteristic value obtaining module, configured to obtain the initial operating characteristic value of the host under test when the resource is started through the basic input output system when the host under test is a newly-built host;
存储模块,用于将所述初始运行特征值作为所述待测主机的基准值进行存储。The storage module is configured to store the initial operating characteristic value as the reference value of the host to be tested.
其中,所述对比模块包括:Wherein, the comparison module includes:
对比单元,用于将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel的特征值与OS Kernel的基准值进行对比,得到第四对比结果;The comparison unit is used to compare the feature value of the Boot Block of the basic input output system with the reference value of the Boot Block to obtain a first comparison result; compare the feature value of the Option ROM of the basic input output system with the reference value of Option ROM Make a comparison to obtain the second comparison result; compare the characteristic value of the OS Loader with the OS Loader reference value to obtain the third comparison result; compare the characteristic value of the OS Kernel with the reference value of the OS Kernel to obtain the fourth comparison result;
判定单元,用于在所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同时,判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。A determining unit, configured to determine that the host to be tested is a trusted host when the first comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same; If the comparison result of any one is different, it is determined that the host to be tested is an untrusted host.
其中,所述特征值获取模块包括:Wherein, the characteristic value acquisition module includes:
初始化单元,用于初始化TPM可信平台模块;The initialization unit is used to initialize the TPM trusted platform module;
特征值获取单元,用于获取所述基本输入输出系统的Boot Block的特征值、所述基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值中的至少一者,并记录至所述TPM可信平台模块的PCR寄存器。The feature value obtaining unit is used to obtain at least one of the feature value of the Boot Block of the basic input output system, the feature value of the Option ROM of the basic input output system, the feature value of the OS Loader, and the feature value of the OS Kernel , And record it in the PCR register of the TPM trusted platform module.
本发明实施例还公开了一种虚拟数据中心的可信状态确定设备,包括:The embodiment of the invention also discloses a device for determining the trusted state of a virtual data center, including:
存储器,用于存储计算机程序;Memory, used to store computer programs;
处理器,用于执行所述计算机程序时实现如上述任意方法实施例所述的可信状态确定方法的步骤。The processor is configured to implement the steps of the trusted state determination method described in any of the foregoing method embodiments when the computer program is executed.
在本实施例中,设备可以是服务器,也可以是PC(Personal Computer,个人电脑)、智能手机、平板电脑、掌上电脑、便携计算机等终端设备。In this embodiment, the device may be a server, or a terminal device such as a PC (Personal Computer), a smart phone, a tablet computer, a palmtop computer, and a portable computer.
参见图6,为本发明实施例公开的一种虚拟数据中心的可信状态确定设备结构示意图,可以看出,该设备可以包括存储器11、处理器12和总线13。Refer to FIG. 6, which is a schematic structural diagram of a device for determining a trusted state of a virtual data center disclosed in an embodiment of the present invention. It can be seen that the device may include a memory 11, a processor 12 and a bus 13.
其中,存储器11至少包括一种类型的可读存储介质,所述可读存储介质包括闪存、硬盘、多媒体卡、卡型存储器(例如,SD或DX存储器等)、磁性存储器、磁盘、光盘等。存储器11在一些实施例中可以是设备的内部 存储单元,例如该设备的硬盘。存储器11在另一些实施例中也可以是设备的外部存储设备,例如设备上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。进一步地,存储器11还可以既包括设备的内部存储单元也包括外部存储设备。存储器11不仅可以用于存储安装于设备的应用软件及各类数据,例如:执行可信状态确定方法的程序代码等,还可以用于暂时地存储已经输出或者将要输出的数据。The memory 11 includes at least one type of readable storage medium, and the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, and the like. The memory 11 may be an internal storage unit of the device in some embodiments, such as the hard disk of the device. In other embodiments, the memory 11 may also be an external storage device of the device, such as a plug-in hard disk equipped on the device, a Smart Media Card (SMC), a Secure Digital (SD) card, and a flash memory card. (Flash Card) and so on. Further, the memory 11 may also include both an internal storage unit of the device and an external storage device. The memory 11 can be used not only to store application software and various types of data installed in the device, such as program code for executing the trusted state determination method, etc., but also to temporarily store data that has been output or will be output.
处理器12在一些实施例中可以是一中央处理器(Central Processing Unit,CPU)、控制器、微控制器、微处理器或其他数据处理芯片,用于运行存储器11中存储的程序代码或处理数据,例如执行可信状态确定方法的程序代码等。In some embodiments, the processor 12 may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip, for running program codes or processing stored in the memory 11 Data, such as program code that executes the trusted state determination method, etc.
该总线13可以是外设部件互连标准(peripheral component interconnect,简称PCI)总线或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。该总线可以分为地址总线、数据总线、控制总线等。为便于表示,图6中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus 13 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus. The bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 6, but it does not mean that there is only one bus or one type of bus.
进一步地,设备还可以包括网络接口14,网络接口14可选的可以包括有线接口和/或无线接口(如WI-FI接口、蓝牙接口等),通常用于在该设备与其他电子设备之间建立通信连接。Further, the device may also include a network interface 14. The network interface 14 may optionally include a wired interface and/or a wireless interface (such as a WI-FI interface, a Bluetooth interface, etc.), which is usually used to communicate between the device and other electronic devices. Establish a communication connection.
可选地,该设备还可以包括用户接口,用户接口可以包括显示器(Display)、输入单元比如键盘(Keyboard),可选的用户接口还可以包括标准的有线接口、无线接口。可选地,在一些实施例中,显示器可以是LED显示器、液晶显示器、触控式液晶显示器以及OLED(Organic Light-Emitting Diode,有机发光二极管)触摸器等。其中,显示器也可以适当的称为显示屏或显示单元,用于显示在设备中处理的信息以及用于显示可视化的用户界面。Optionally, the device may further include a user interface. The user interface may include a display (Display) and an input unit such as a keyboard (Keyboard). The optional user interface may also include a standard wired interface and a wireless interface. Optionally, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode, organic light-emitting diode) touch device, etc. Among them, the display can also be appropriately called a display screen or a display unit, which is used to display the information processed in the device and to display a visualized user interface.
图6仅示出了具有组件11-14的设备,本领域技术人员可以理解的是,图6示出的结构并不构成对设备的限定,可以包括比图示更少或者更多的部件,或者组合某些部件,或者不同的部件布置。Figure 6 only shows a device with components 11-14. Those skilled in the art will understand that the structure shown in Figure 6 does not constitute a limitation on the device, and may include fewer or more components than shown. Or some parts are combined, or different parts are arranged.
本发明实施例还公开了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如上述任意方法实施例所述的可信状态确定方法的步骤。The embodiment of the present invention also discloses a computer-readable storage medium having a computer program stored on the computer-readable storage medium, and when the computer program is executed by a processor, the trusted state as described in any of the above-mentioned method embodiments is realized Determine the steps of the method.
其中,该存储介质可以包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。Among them, the storage medium may include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk, etc., which can store program code medium.
本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。The various embodiments in this specification are described in a progressive manner. Each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments can be referred to each other.
对所公开的实施例的上述说明,使本领域专业技术人员能够实现或使用本发明。对这些实施例的多种修改对本领域的专业技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。因此,本发明将不会被限制于本文所示的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention will not be limited to the embodiments shown in this document, but should conform to the widest scope consistent with the principles and novel features disclosed in this document.

Claims (10)

  1. 一种虚拟数据中心的可信状态确定方法,其特征在于,所述可信状态确定方法基于计算池可信管控组件,所述可信状态确定包括:A method for determining the trusted state of a virtual data center is characterized in that the method for determining the trusted state is based on a computing pool trusted management and control component, and the determination of the trusted state includes:
    通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,所述待测主机为服务器或者部署在服务器上的虚拟主机,所述基本输入输出系统为所述服务器或者所述虚拟主机的可信基本输入输出系统;Obtain the operating characteristic value of the host under test in the virtual data center when the resource is started through the basic input output system; wherein, the under test host is a server or a virtual host deployed on the server, and the basic input output system is the server Or the trusted basic input output system of the virtual host;
    获取与所述待测主机对应的基准值;所述基准值为通过所述基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;所述基准值与所述运行特征值的数据类型相同;Acquire a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested that is pre-stored by the basic input output system when the resource is first created; the reference value is the same as the The data types of running characteristic values are the same;
    将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。The operating characteristic value is compared with the reference value, and the trusted state of the host to be tested is determined according to the comparison result.
  2. 根据权利要求1所述的可信状态确定方法,其特征在于,所述通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值之前,还包括:The method for determining a trusted state according to claim 1, characterized in that, before acquiring the operating characteristic value of the host under test in the virtual data center through the basic input output system when the resource is started, the method further comprises:
    判断所述待测主机是否为新建主机;Judging whether the host to be tested is a newly-built host;
    若否,则继续执行所述通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值的步骤;If not, continue to perform the step of obtaining the operating characteristic value of the host to be tested in the virtual data center when the resource is started through the basic input output system;
    若是,则通过所述基本输入输出系统获取所述待测主机在资源启动时的初始运行特征值,并将所述初始运行特征值作为所述待测主机的基准值进行存储。If so, obtain the initial operating characteristic value of the host under test when the resource is started through the basic input output system, and store the initial operating characteristic value as the reference value of the host under test.
  3. 根据权利要求1或2所述的可信状态确定方法,其特征在于,所述获取虚拟数据中心的待测主机在资源启动时的运行特征值包括:The method for determining a trusted state according to claim 1 or 2, wherein said obtaining the operating characteristic value of the host under test of the virtual data center when the resource is started comprises:
    初始化TPM可信平台模块;Initialize the TPM trusted platform module;
    获取所述基本输入输出系统的Boot Block的特征值、所述基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值中的至少一者,并记录至所述TPM可信平台模块的PCR寄存器。Obtain at least one of the feature value of the Boot Block of the basic input output system, the feature value of the Option ROM of the basic input output system, the feature value of the OS Loader, and the feature value of the OS Kernel, and record it to the TPM The PCR register of the Trusted Platform Module.
  4. 根据权利要求3所述的可信状态确定方法,其特征在于,所述将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态,包括:The method for determining the trusted state of claim 3, wherein the comparing the operating characteristic value with the reference value, and determining the trusted state of the host under test according to the comparison result, comprises:
    将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel的特征值与OS Kernel的基准值进行对比,得到第四对比结果;The feature value of the Boot Block of the basic input output system is compared with the Boot Block reference value to obtain the first comparison result; the feature value of the Option ROM of the basic input output system is compared with the Option ROM reference value to obtain the first comparison result. 2. Comparison result: Compare the characteristic value of OS Loader with the reference value of OS Loader to obtain the third comparison result; compare the characteristic value of OS Kernel with the reference value of OS Kernel to obtain the fourth comparison result;
    若所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同,则判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。If the first comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same, the host to be tested is determined to be a trusted host; if any one of them exists If the comparison result is not the same, it is determined that the host to be tested is an untrusted host.
  5. 一种虚拟数据中心的可信状态确定装置,其特征在于,所述可信状态确定装置基于计算池可信管控组件,所述可信状态确定装置包括:A device for determining a trusted state of a virtual data center is characterized in that the device for determining a trusted state is based on a computing pool trusted management and control component, and the device for determining a trusted state includes:
    特征值获取模块,用于通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;其中,所述待测主机为服务器或者部署在服务器上的虚拟主机,所述基本输入输出系统为所述服务器或者所述虚拟主机的可信基本输入输出系统;The characteristic value acquisition module is used to acquire the operating characteristic value of the host under test of the virtual data center when the resource is started through the basic input output system; wherein, the host under test is a server or a virtual host deployed on the server, and the basic The input and output system is a trusted basic input and output system of the server or the virtual host;
    基准值获取模块,用于获取与所述待测主机对应的基准值;所述基准值为通过基本输入输出系统预先存储的所述待测主机在资源首次创建时的初始运行特征值;所述基准值与所述运行特征值的数据类型相同;The reference value acquisition module is configured to acquire a reference value corresponding to the host to be tested; the reference value is the initial operating characteristic value of the host to be tested that is pre-stored through the basic input output system when the resource is first created; The reference value is the same as the data type of the operating characteristic value;
    对比模块,用于将所述运行特征值与所述基准值进行对比,并根据对比结果确定所述待测主机的可信状态。The comparison module is used to compare the operating characteristic value with the reference value, and determine the trusted state of the host under test according to the comparison result.
  6. 根据权利要求5所述的可信状态确定装置,其特征在于,还包括:The device for determining a trusted state according to claim 5, further comprising:
    判断模块,用于判断所述待测主机是否为新建主机;The judging module is used to judge whether the host to be tested is a newly-built host;
    所述特征值获取模块,具体用于在所述待测主机不为新建主机时,通过基本输入输出系统获取虚拟数据中心的待测主机在资源启动时的运行特征值;The characteristic value obtaining module is specifically configured to obtain the operating characteristic value of the host under test in the virtual data center when the resource is started through the basic input output system when the host under test is not a newly-built host;
    初始运行特征值获取模块,用于在所述待测主机为新建主机时,通过所述基本输入输出系统获取所述待测主机在资源启动时的初始运行特征值;An initial operating characteristic value obtaining module, configured to obtain the initial operating characteristic value of the host under test when the resource is started through the basic input output system when the host under test is a newly-built host;
    存储模块,用于将所述初始运行特征值作为所述待测主机的基准值进行存储。The storage module is configured to store the initial operating characteristic value as the reference value of the host to be tested.
  7. 根据权利要求5或6所述的可信状态确定装置,其特征在于,所述特征值获取模块包括:The trusted state determining device according to claim 5 or 6, wherein the characteristic value obtaining module comprises:
    初始化单元,用于初始化TPM可信平台模块;The initialization unit is used to initialize the TPM trusted platform module;
    特征值获取单元,用于获取所述基本输入输出系统的Boot Block的特征值、所述基本输入输出系统的Option ROM的特征值、OS Loader的特征值、OS Kernel的特征值中的至少一者,并记录至所述TPM可信平台模块的PCR寄存器。The feature value obtaining unit is used to obtain at least one of the feature value of the Boot Block of the basic input output system, the feature value of the Option ROM of the basic input output system, the feature value of the OS Loader, and the feature value of the OS Kernel , And record it in the PCR register of the TPM trusted platform module.
  8. 根据权利要求7所述的可信状态确定装置,其特征在于,所述对比模块包括:The device for determining a trusted state according to claim 7, wherein the comparison module comprises:
    对比单元,用于将所述基本输入输出系统的Boot Block的特征值与Boot Block基准值进行对比,得到第一对比结果;将所述基本输入输出系统的Option ROM的特征值与Option ROM基准值进行对比,得到第二对比结果;将OS Loader的特征值与OS Loader基准值进行对比,得到第三对比结果;将OS Kernel的特征值与OS Kernel的基准值进行对比,得到第四对比结果;The comparison unit is used to compare the feature value of the Boot Block of the basic input output system with the reference value of the Boot Block to obtain a first comparison result; compare the feature value of the Option ROM of the basic input output system with the reference value of Option ROM Make a comparison to obtain the second comparison result; compare the characteristic value of the OS Loader with the OS Loader reference value to obtain the third comparison result; compare the characteristic value of the OS Kernel with the reference value of the OS Kernel to obtain the fourth comparison result;
    判定单元,用于在所述第一对比结果、所述第二对比结果、所述第三对比结果、所述第四对比结果均为相同时,判定所述待测主机为可信主机;若存在任意一者的对比结果为不相同,则判定所述待测主机为不可信主机。A determining unit, configured to determine that the host to be tested is a trusted host when the first comparison result, the second comparison result, the third comparison result, and the fourth comparison result are all the same; If the comparison result of any one is different, it is determined that the host to be tested is an untrusted host.
  9. 一种虚拟数据中心的可信状态确定设备,其特征在于,包括:A device for determining the trusted state of a virtual data center is characterized in that it includes:
    存储器,用于存储计算机程序;Memory, used to store computer programs;
    处理器,用于执行所述计算机程序时实现如权利要求1至4任一项所述的可信状态确定方法的步骤。The processor is configured to implement the steps of the trusted state determination method according to any one of claims 1 to 4 when the computer program is executed.
  10. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如权利要求1至4任一项所述的可信状态确定方法的步骤。A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the trusted state according to any one of claims 1 to 4 is realized Determine the steps of the method.
PCT/CN2020/087107 2020-03-06 2020-04-27 Method and apparatus for determining trusted state of virtual data center, device and storage medium WO2021174655A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010152749.3A CN111352702A (en) 2020-03-06 2020-03-06 Method, device, equipment and storage medium for determining credible state of virtual data center
CN202010152749.3 2020-03-06

Publications (1)

Publication Number Publication Date
WO2021174655A1 true WO2021174655A1 (en) 2021-09-10

Family

ID=71195977

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087107 WO2021174655A1 (en) 2020-03-06 2020-04-27 Method and apparatus for determining trusted state of virtual data center, device and storage medium

Country Status (2)

Country Link
CN (1) CN111352702A (en)
WO (1) WO2021174655A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114595097A (en) * 2022-03-04 2022-06-07 北京工业大学 Method for identifying fault starting program in trusted starting process
CN116700899A (en) * 2023-06-14 2023-09-05 北京志凌海纳科技有限公司 Compatibility solving method and system of Option ROM in virtual machine thermomigration process

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112099909B (en) * 2020-08-27 2021-06-11 海光信息技术股份有限公司 Virtual machine memory measurement method, device, processor chip and system
CN113315805A (en) * 2021-04-08 2021-08-27 中国科学院信息工程研究所 Group verification method and system for cloud infrastructure trusted device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219211A (en) * 2013-06-03 2014-12-17 中国移动通信集团公司 Detection method and detection device for network security in cloud computing network
CN104461683A (en) * 2014-11-07 2015-03-25 华为技术有限公司 Verification method, device and system for virtual machine illegal configuration
US20160234207A1 (en) * 2012-10-04 2016-08-11 Roger A. Bauchspies Virtual verification
CN108923970A (en) * 2018-06-30 2018-11-30 深圳中软华泰信息技术有限公司 It is a kind of for evaluating and testing the method and system of cloud platform credibility
US20180365431A1 (en) * 2014-12-05 2018-12-20 GeoLang Ltd. Symbol string matching mechanism

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160234207A1 (en) * 2012-10-04 2016-08-11 Roger A. Bauchspies Virtual verification
CN104219211A (en) * 2013-06-03 2014-12-17 中国移动通信集团公司 Detection method and detection device for network security in cloud computing network
CN104461683A (en) * 2014-11-07 2015-03-25 华为技术有限公司 Verification method, device and system for virtual machine illegal configuration
US20180365431A1 (en) * 2014-12-05 2018-12-20 GeoLang Ltd. Symbol string matching mechanism
CN108923970A (en) * 2018-06-30 2018-11-30 深圳中软华泰信息技术有限公司 It is a kind of for evaluating and testing the method and system of cloud platform credibility

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114595097A (en) * 2022-03-04 2022-06-07 北京工业大学 Method for identifying fault starting program in trusted starting process
CN114595097B (en) * 2022-03-04 2024-03-26 北京工业大学 Method for identifying fault starting program in trusted starting process
CN116700899A (en) * 2023-06-14 2023-09-05 北京志凌海纳科技有限公司 Compatibility solving method and system of Option ROM in virtual machine thermomigration process
CN116700899B (en) * 2023-06-14 2023-11-14 北京志凌海纳科技有限公司 Compatibility solving method and system of Option ROM in virtual machine thermomigration process

Also Published As

Publication number Publication date
CN111352702A (en) 2020-06-30

Similar Documents

Publication Publication Date Title
WO2021174655A1 (en) Method and apparatus for determining trusted state of virtual data center, device and storage medium
JP5978365B2 (en) System and method for performing network access control in a virtual environment
US9075995B2 (en) Dynamically loaded measured environment for secure code launch
US10146571B2 (en) Apparatus for hardware accelerated runtime integrity measurement
US9465652B1 (en) Hardware-based mechanisms for updating computer systems
US9563457B2 (en) Enabling a secure environment through operating system switching
US9202062B2 (en) Virtual machine validation
US9501289B2 (en) Method of a UEFI firmware and computer system thereof
US8516481B2 (en) Virtual machine manager system and methods
US9081600B2 (en) Virtual machine validation
US8321931B2 (en) Method and apparatus for sequential hypervisor invocation
US20150317472A1 (en) User trusted device for detecting a virtualized environment
JP2008097597A (en) High integrity firmware
US10025587B2 (en) Method of bootup and installation, and computer system thereof
US9779248B1 (en) Protection of secured boot secrets for operating system reboot
US11977631B2 (en) Hypervisor level signature checks for encrypted trusted execution environments
US11321077B1 (en) Live updating of firmware behavior
US10491736B2 (en) Computer system and method thereof for bluetooth data sharing between UEFI firmware and OS
US10684904B2 (en) Information handling systems and methods to selectively control ownership of a hardware based watchdog timer (WDT)
Algawi et al. Creating modern blue pills and red pills
US11243840B2 (en) System and method of utilizing a recovery operating system
Zhang et al. A multi-core security architecture based on EFI
Terzić et al. BASIC INPUT/OUTPUT SYSTEM BIOS FUNCTIONS AND MODIFICATIONS
Kinebuchi et al. Ensuring System Integrity using Limited Local Memory

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20922687

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20922687

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 20922687

Country of ref document: EP

Kind code of ref document: A1