WO2023184920A1 - Virtualization implementation method and apparatus, electronic device, non-volatile readable storage medium, and arm platform - Google Patents
Virtualization implementation method and apparatus, electronic device, non-volatile readable storage medium, and arm platform Download PDFInfo
- Publication number
- WO2023184920A1 WO2023184920A1 PCT/CN2022/123583 CN2022123583W WO2023184920A1 WO 2023184920 A1 WO2023184920 A1 WO 2023184920A1 CN 2022123583 W CN2022123583 W CN 2022123583W WO 2023184920 A1 WO2023184920 A1 WO 2023184920A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- execution environment
- vftpm
- target
- trusted execution
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 160
- 238000012545 processing Methods 0.000 claims abstract description 109
- 230000008569 process Effects 0.000 claims abstract description 77
- 230000015654 memory Effects 0.000 claims description 138
- 230000006870 function Effects 0.000 claims description 66
- 230000006378 damage Effects 0.000 claims description 58
- 238000005516 engineering process Methods 0.000 claims description 31
- 238000005192 partition Methods 0.000 claims description 29
- 238000004590 computer program Methods 0.000 claims description 15
- 238000000638 solvent extraction Methods 0.000 claims description 6
- 208000009115 Anorectal Malformations Diseases 0.000 description 77
- 238000007726 management method Methods 0.000 description 18
- 238000010586 diagram Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 5
- 230000004044 response Effects 0.000 description 5
- 230000002085 persistent effect Effects 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 238000002955 isolation Methods 0.000 description 3
- 238000012827 research and development Methods 0.000 description 3
- 230000001131 transforming effect Effects 0.000 description 3
- 238000013519 translation Methods 0.000 description 3
- 238000013473 artificial intelligence Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 2
- 238000005538 encapsulation Methods 0.000 description 2
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000011423 initialization method Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45575—Starting, stopping, suspending or resuming virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45583—Memory management, e.g. access or allocation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Definitions
- This application relates to the field of computer technology, and in particular to a virtualization implementation method, device, electronic equipment, non-volatile readable storage medium and ARM platform.
- ARM Advanced RISC (Reduced Instruction Set Computer) Machines, RISC microprocessor
- cloud computing ARM computers have developed rapidly in mobile devices, desktops, servers and other fields. Based on ARM Virtualization technology is also developing rapidly in the field of cloud computing. While ARM virtualization technology is developing rapidly, ARM-related technical security and trust issues need to be solved urgently. For this reason, starting from ARMv8, ARM has divided the ARM execution environment into SW (Secure World) through TrustZone (Trust Zone) trusted technology. , safe world) and NW (Normal World, normal world).
- SW Secure World
- TrustZone TrustZone
- NW Normal World, normal world
- the execution environment in the normal world is also called REE (Rich Execution Environment, rich execution environment), and the execution environment in the safe world is also called TEE (Trusted execution environment, trusted execution environment).
- REE Real Execution Environment, rich execution environment
- TEE Trusted execution environment, trusted execution environment
- the programs running in REE are generally BIOS (Basic Input Output System, Basic Input and Output System)/UEFI (Unified Extensible Firmware Interface, Unified Extensible Firmware Interface) system firmware and normal operating systems such as Linux and Windows.
- BIOS Basic Input Output System
- UEFI Unified Extensible Firmware Interface
- normal operating systems such as Linux and Windows.
- TEEOS Trusted execution environment operating system, trusted operating system
- TEEOS Global Platform, global platform standard.
- OPTEE Open-source Portable Trusted execution environment
- the GP standard clearly stipulates the framework and security requirements of TEE, and separately defines the interface functions, data types and data structures provided by the REE side, and the interface functions, data types and data structures provided by the TEE side for developers to use. clear regulations and definitions.
- TPM Trusted Platform Module
- fTPM firmware Trusted Platform Module, firmware-based trusted platform module
- ARMv8 divides CPU (central processing unit, central processing unit) abnormal interrupts into four layers, as shown in Figure 1.
- the EL0 layer is the application layer
- the EL1 layer is the system layer
- EL2 is the virtualization layer
- EL3 is the firmware layer.
- fTPM is a TA (Trust Application) running in TEEOS.
- the left side of Figure 1 is the REE side, and the right side is the TEE side.
- REE side APP Application, application
- Rich OS Rich Operating System, all-round operating system. Rich OS can be Windows, Unix, Linux and other operating systems.
- RPMB Replay Protected Memory Block
- EMMC Embedded Multi Media Card
- Rich OS FS Fe System, file system
- file system is the file system provided by rich OS.
- the TA on the TEE side is Trust Application, which runs on TEEOS and complies with GP standards; the TEEOS on the TEE side is an operating system that complies with GP specifications, and can be the OS provided by the manufacturer or OPTEEOS; the implementation of fTPM is to implement a fTPM TA (fTPM Trust Application) is used to implement the computing function of TPM.
- fTPM Trust Application fTPM Trust Application
- Rich OS RPMB or rich OS FS file system is used as the trusted storage of fTPM, and the secure storage function of TEE is used to read and write shared memory. Store TPM's persistent data in this securely encrypted RPMB or Rich OS FS.
- TEE and REE must pass the SMC (System Management Controller) command of the firmware/Secure Monitor (security monitor) of the EL3 layer to control the NS (Secure Read and Write) flag bit equal to 0 or After being equal to 1, the ARM CPU can enter the REE environment or TEE environment. During the entire process, the switching of the operating environment and the transmission of data are handled by the firmware/Secure Monitor.
- SMC System Management Controller
- the Hypervisor (Virtual Machine Monitor) layer of the El2 layer on the REE side is the virtualization layer, which is used to convert the IPA (Internet Protocol Address, Internet Protocol Address, refers to the virtual machine physical address of the virtual machine) of the virtual machine into PA ( Physical Address, real physical address), in the current implementation of fTPM, the Hypervisor layer is not used, so virtualization is not implemented in the entire fTPM implementation.
- fTPM cannot provide virtual machines running on ARM physical hosts. TPM service.
- the implementation of fTPM in related technologies can only be implemented on the ARM physical host and cannot be used by the virtual machine on the ARM host.
- Embodiments of the present application provide a virtualization implementation method, device, electronic device, non-volatile readable storage medium and ARM platform, and realize firmware-based trusted platform virtualization on the ARM platform.
- embodiments of the present application provide a virtualization implementation method, including:
- the ARM platform running the target virtual machine configured with vfTPM virtual firmware Trusted Platform Module, virtual firmware-based trusted platform module
- vfTPM virtual firmware Trusted Platform Module, virtual firmware-based trusted platform module
- the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine is encapsulated, and the current running state is switched to the trusted execution environment.
- the corresponding target virtual machine trusted execution environment context is called to process the target vfTPM request, and a result feedback instruction carrying the storage address and identification information of the processing result is sent;
- target virtual machine trusted execution environment context after calling the corresponding target virtual machine trusted execution environment context to process the target vfTPM request, it also includes:
- the operating system of the rich execution environment converts the storage address into what the virtual machine considers to be a physical address, and sends the physical address to the target virtual machine based on the identification information.
- the method after sending the physical address to the target virtual machine based on the identification information, the method also includes:
- the kernel of the target virtual machine converts the physical address into a virtual machine memory address, and transmits the virtual machine memory address to the operating system of the target virtual machine.
- the target virtual machine reads the processing result of the vfTPM request based on the virtual machine memory address.
- initialize the reduced instruction set computer ARM platform running the target virtual machine configured with the virtual firmware-based trusted platform module vfTPM function including:
- the ARM platform is powered on and the target firmware and trusted execution environment operating system of the ARM platform are loaded;
- the rich execution environment is initialized.
- configure memory for the trusted execution environment operating system and perform memory initialization processing including:
- the memory of the trusted execution environment operating system is divided into running memory and virtual request execution memory; the running memory is used to process the underlying requests, and the virtual request execution memory is used to process the vfTPM request of the virtual machine;
- dedicated memory is used to store the data of the vfTPM.
- the method also includes: pre-allocating a storage area in the dedicated memory for each virtual machine for storing each virtual machine's own data. vfTPM data.
- initialize the rich execution environment including:
- initialize the rich execution environment including:
- the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine trusted execution environment instance and virtual machine trusted execution environment context are assigned to the virtual machine monitor;
- the target virtual machine before receiving the vfTPM request of the target virtual machine, it also includes:
- the rich execution environment issues virtual machine creation instructions and assigns corresponding identification information to the target virtual machine configured with the vfTPM function;
- the trusted execution environment operating system allocates the target virtual machine trusted execution environment context, the target virtual machine trusted execution environment instance and the memory space to the target virtual machine based on the virtual machine creation instructions; through the target virtual machine trusted execution environment The execution environment instance loads the vfTPM trusted application, starts the TPM, and initializes the memory space and vfTPM of the target virtual machine;
- methods also include:
- initialize the memory space including:
- the target virtual machine has a corresponding target storage space in the flash memory chip, allocate the target storage space to the vfTPM function of the target virtual machine;
- target storage space is allocated for the vfTPM function of the target virtual machine through the storage driver;
- the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment.
- methods also include:
- each virtual machine's vfTPM is given a partition for NVRAM storage.
- the flash chip driver on the trusted execution environment operating system is set to allow only the read and write permissions for the flash chip on the trusted execution environment side; and the target storage space is set to only allow the target virtual machine operation.
- the destruction identification of the virtual machine to be destroyed is obtained by parsing the virtual machine destruction instruction
- the trusted execution environment operating system sends the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed based on the destruction identification; the destroyed virtual machine trusted execution environment instance deletes the destroyed virtual machine The machine trusts the execution environment context, and deletes the storage partition of the flash memory chip corresponding to the virtual machine to be destroyed; feeds back the virtual machine destruction completion instruction carrying the destruction identification;
- the virtual machine to be destroyed is deleted according to the virtual machine destruction completion instruction and destruction identification.
- the trusted execution environment operating system sends the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down based on the shutdown identifier; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine Machine trusted execution environment context, and update the vfTPM that shuts down the virtual machine in the trusted execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag;
- the virtual machine to be shut down is shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
- embodiments of the present application provide a virtualization implementation device, including:
- the initialization processing module is set to perform initialization processing on the ARM platform running the target virtual machine configured with the vfTPM function based on the virtualization type in advance;
- the virtualization request delivery module is configured to encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine when receiving the target vfTPM request of the target virtual machine. And switch the current running state to a trusted execution environment;
- the virtualization request processing module is configured to call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request based on the identification information in the trusted execution environment, and send the storage address and identification information carrying the processing result. Result feedback instructions;
- the processing result feedback module is set to encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, the storage address and identification information are obtained by parsing the result feedback instruction, and according to the identification information, the converted The storage address is sent to the target virtual machine.
- Embodiments of the present application also provide an electronic device, including a processor, and the processor is configured to implement the steps of the preceding virtualization implementation method when executing a computer program stored in the memory.
- Embodiments of the present application also provide a non-volatile readable storage medium.
- a computer program is stored on the non-volatile readable storage medium.
- the steps of the previous virtualization implementation method are implemented. .
- the embodiment of the present application also provides an ARM platform, which is configured to implement the steps of any of the above virtualization implementation methods when executing a computer program, which includes an application layer, a system layer, a virtualization layer and a firmware layer;
- the application layer includes multiple virtual machine applications located in the rich execution environment, and a trusted application set located in the trusted execution environment.
- the trusted application set includes trusted applications set to implement the vfTPM function;
- the system layer includes the host processing module located in the rich execution environment and the trusted management module located in the trusted execution environment;
- the virtualization layer including the virtual machine monitor located in the rich execution environment;
- the firmware layer includes a firmware processing module.
- the firmware processing module is configured to receive instructions from the host processing module, virtual machine monitor and trusted management module; performs running state switching, and forwards the received instructions during the running state switching process. virtual machine identification information.
- the ARM platform can be initialized accordingly for different virtualization technologies, thereby supporting the implementation of multiple virtualization technologies of the ARM platform.
- the rich execution environment After receiving the vfTPM request issued by the upper-layer virtual machine, the rich execution environment encapsulates the real physical address converted by the virtual machine and the identification of the virtual machine so that it can be processed when switching to the trusted execution environment.
- the trusted execution environment After the state switch, the trusted execution environment calls the matching virtual machine context to process the request based on the identifier, and encapsulates the request processing result and the identifier again.
- the rich execution environment After switching to the rich execution environment, the rich execution environment sends the vfTPM request processing result to This virtual machine enables fTPM to support virtual machines on the ARM platform, which not only saves research and development costs, but also improves the security of cloud computing products.
- embodiments of this application also provide corresponding implementation devices, electronic equipment, non-volatile readable storage media and ARM platforms for the virtualization implementation method, making the method more practical.
- Devices, electronic equipment, non-volatile Readable storage media and ARM platforms have corresponding advantages.
- Figure 1 is a schematic framework diagram of an exemplary application scenario in the related technology provided by the embodiment of this application;
- Figure 2 is a schematic flow chart of a virtualization implementation method provided by an embodiment of the present application.
- Figure 3 is a structural diagram of the virtualization implementation device provided by the embodiment of the present application in an optional implementation manner
- Figure 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present application in an implementation manner
- Figure 5 is an optional implementation structure diagram of the ARM platform provided by the embodiment of the present application.
- Figure 6 is a structural diagram of another optional implementation of the ARM platform provided by the embodiment of the present application.
- Figure 7 is an optional implementation structure diagram of the trusted management module provided by the embodiment of the present application.
- Figure 8 is a schematic flow chart of the ARM platform initialization method provided by the embodiment of the present application.
- Figure 9 is a schematic flowchart of a virtual machine creation method provided by an embodiment of the present application.
- Figure 10 is a schematic diagram of the vfTPM request and response flow provided by the embodiment of this application.
- Figure 2 is a schematic flow chart of a virtualization implementation method provided by an embodiment of the present application.
- the embodiment of the present application is applied to the ARM platform.
- the virtual machine is deployed in a rich execution environment.
- the fTPM that implements TPM computing and storage resources in TrustZone runs in a trusted application TA in the trusted execution environment.
- the trusted execution environment includes multiple TAs, that is, the trusted execution environment.
- the computing function and implementation of the virtual machine's vfTPM rely on fTPM, that is, the virtual machine's vfTPM request processing is implemented in a trusted execution environment. Based on this, the process from when a virtual machine sends a vfTPM request to when it receives the vfTPM request processing result may include the following:
- the virtualization type refers to the virtualization technology supported by the ARM platform, or the ARM virtualization platform.
- the virtualization type includes but is not limited to KVM (Kernel-based Virtual Machine, system virtualization module) and Xen.
- KVM Kernel-based Virtual Machine, system virtualization module
- Xen Xen.
- the rich execution environment issues virtual machine creation instructions, and the rich execution environment also assigns unique identification information to each virtual machine as information that uniquely identifies the virtual machine.
- the ARM platform performs creation operations in the rich execution environment and the trusted execution environment simultaneously, creates a virtual machine in the application layer of the rich execution environment, and creates a virtual machine corresponding to the virtual machine in the rich execution environment in the trusted execution environment.
- the machine has a trusted execution environment instance and a trusted execution environment context.
- the trusted execution environment context is used to process vfTPM requests corresponding to virtual machines in the rich execution environment.
- the virtual machine mounted on the ARM platform needs to be configured with the vfTPM (Virtual firmware Trusted Platform Module, virtual firmware-based trusted platform module) function.
- the ARM platform can run multiple virtual machines, and each virtual machine can be based on different virtualization types.
- the target virtual machine is any virtual machine running on the ARM platform. In order not to cause ambiguity, this embodiment will require virtual machines for vfTPM calculation.
- the virtual machine that issues the vfTPM request is called the target virtual machine.
- the number of target virtual machines can be multiple or one, which does not affect the implementation of this application.
- S202 When receiving the target vfTPM request of the target virtual machine, encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine, and switch the current running state to trusted execution environment.
- any virtual machine running on the ARM platform can issue a vfTPM request to realize the computing function of the virtual machine vfTPM.
- the operating system of the virtual machine sends a vfTPM request.
- the vfTPM request issued by the target virtual machine is called the target vfTPM request in this embodiment.
- the operating system kernel of the virtual machine converts the vfTPM request and the virtual machine virtual memory address VA into the virtual machine physical address IPA considered by the virtual machine.
- the operating system of the rich execution environment receives the vfTPM request, and the operating system of the rich execution environment converts the vfTPM request and the virtual memory address VA of the virtual machine into the physical address IPA of the virtual machine.
- the physical address IPA is converted into a real physical address.
- the operating system of the rich execution environment is the system layer.
- the functional module that realizes the running state switching is located at the firmware layer. In order to transmit the request command across layers, the request command, including the converted
- the commands of the real physical address and the identification information of the target virtual machine are parameterized, that is, passed across layers in the form of parameters through fixed functions.
- the firmware layer After sending the converted real physical address and the identification information of the target virtual machine to the firmware layer, the firmware layer encapsulates the real physical address and the identification information of the target virtual machine. After the encapsulation is completed, the firmware layer executes the SMC instruction to convert the current operating environment Switch to a trusted execution environment.
- S203 In the trusted execution environment, according to the identification information, call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request, and send a result feedback instruction carrying the storage address and identification information of the processing result.
- the trusted execution environment After switching the current running environment to a trusted execution environment in the previous step, the trusted execution environment obtains the encapsulated instruction and obtains the real physical address of the target virtual machine and the identification information of the target virtual machine by parsing the instruction. According to the identification information, obtain the virtual machine trusted execution environment instance and context assigned in the trusted execution environment when the target virtual machine is created, and perform vfTPM data calculation on the target vfTPM request by calling the virtual machine trusted execution environment instance and context. Obtain the processing result and store the processing result. The storage address storing the processing result and the identification information of the target virtual machine are sent to the firmware layer as the result feedback instruction. After receiving the result feedback instruction, the firmware layer will encapsulate the result feedback instruction.
- the firmware layer passes Execute the SMC instruction to switch the current running environment to the rich execution environment.
- the trusted execution environment allocates shared memory, and the processing results can be stored in the shared memory.
- the storage address of the result feedback instruction is the shared memory address.
- S204 Encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, obtain the storage address and identification information by parsing the result feedback instruction, and send the converted storage address to the target virtual machine according to the identification information. machine.
- the operating system of the rich execution environment obtains the encapsulated result feedback instruction, obtains the storage address and identification information by parsing the result feedback instruction, and the operating system of the rich execution environment converts the storage address into a virtual
- the physical address considered by the machine is sent to the corresponding target virtual machine based on the identification information.
- the target virtual machine kernel converts the physical address into a virtual machine memory address and transmits the virtual machine memory address to the target virtual machine.
- the target virtual machine reads the processing result of the vfTPM request based on this address.
- the ARM platform is initialized accordingly for different virtualization technologies, thereby supporting the implementation of multiple virtualization technologies of the ARM platform.
- the rich execution environment After receiving the vfTPM request issued by the upper-layer virtual machine, the rich execution environment encapsulates the real physical address converted by the virtual machine and the identification of the virtual machine so that it can be processed when switching to the trusted execution environment.
- the trusted execution environment After the state switch, the trusted execution environment calls the matching virtual machine context to process the request based on the identifier, and encapsulates the request processing result and the identifier again.
- the rich execution environment After switching to the rich execution environment, the rich execution environment sends the vfTPM request processing result to This virtual machine enables fTPM to support virtual machines on the ARM platform, which not only saves research and development costs, but also improves the security of cloud computing products.
- the ARM platform is powered on and the target firmware and trusted execution environment operating system of the ARM platform are loaded.
- the trusted execution environment operating system starts, memory is configured for the trusted execution environment operating system and memory initialization is performed; based on the virtualization type to which the target virtual machine belongs, the rich execution environment is initialized.
- the process of configuring memory and performing memory initialization processing may include:
- the running memory is used to process the underlying requests, and the running memory is responsible for processing the underlying implementation, such as SMC instruction processing, memory management class, thread management, etc.
- the virtual request execution memory is used to process the vfTPM request of the virtual machine, that is, it is responsible for request processing, loading TA, executing TA and other functions.
- Private memory is used to store vfTPM data. If the private memory is large enough, each virtual machine has a corresponding partition to store its own vfTPM data. A storage area can be allocated in advance for each virtual machine in the private memory. That is, partitioning the private memory.
- the initialization process of the rich execution environment is different.
- the virtual machine monitor can be used as a virtual machine, so the virtual machine monitor needs to be used as a virtual machine during the initialization process. Carry out corresponding initialization processing.
- This embodiment provides corresponding rich execution environment initialization processes for KVM and Xen respectively, which may include the following content:
- the target virtual machine uses QEMU KVM (Quick Emulator Kernal-based Virtual Machine, virtual operating system simulator system virtualization module) virtualization technology, the loading of the rich execution environment operating system is completed.
- QEMU KVM Quadick Emulator Kernal-based Virtual Machine, virtual operating system simulator system virtualization module
- the target virtual machine uses Xen virtualization technology
- start the Xen virtualization image file while starting the BIOS during the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine monitor is allocated
- the vfTPM trusted application is loaded through the virtual machine trusted execution environment instance;
- the storage driver is used to read the proprietary memory Write, and allocate a dedicated storage area for the Xen virtual machine monitor in the dedicated memory; return the processing result of the vfTPM request of the virtual machine monitor to the virtual machine monitor, and start the virtual machine monitor.
- the ARM platform needs to create a virtual machine.
- the above embodiment does not limit the creation of a virtual machine.
- This application also provides an optional creation method of a virtual machine, which may include the following:
- the rich execution environment issues virtual machine creation instructions and assigns corresponding identification information to the target virtual machine configured with the vfTPM function;
- the trusted execution environment operating system allocates the target virtual machine trusted execution environment context, the target virtual machine trusted execution environment instance and the memory space to the target virtual machine based on the virtual machine creation instructions; through the target virtual machine trusted execution environment The execution environment instance loads the vfTPM trusted application, starts the TPM, and initializes the memory space and vfTPM of the target virtual machine;
- this application can save the storage of fTPM on a special flash memory, so that it can only be stored on the TEE. read in.
- the implementation process of initializing the memory space during the virtual machine creation process may include:
- the target storage space is allocated to the vfTPM function of the target virtual machine; if the target virtual machine has a corresponding storage partition in the flash memory chip, then when the remaining storage space of the flash memory chip is If the space is greater than the preset space threshold, allocate target storage space for the vfTPM function of the target virtual machine through the storage driver; bind the target storage space to the identification information.
- the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment.
- the preset spatial threshold can be flexibly selected according to actual application scenarios, and this application does not impose any restrictions on this.
- each virtual machine's vfTPM is provided with a partition for NVRAM storage.
- the read and write permissions for flash can only be operated on the TEE side, and only the virtual machine can operate the flash partition corresponding to the corresponding virtual machine ID, that is, the target storage space, effectively improving the overall security performance.
- the destruction identification of the virtual machine to be destroyed is obtained by parsing the virtual machine destruction instruction
- the trusted execution environment operating system sends the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed based on the destruction identification; the destroyed virtual machine trusted execution environment instance deletes the destroyed virtual machine The machine trusts the execution environment context, and deletes the storage partition of the flash memory chip corresponding to the virtual machine to be destroyed; feeds back the virtual machine destruction completion instruction carrying the destruction identification;
- the virtual machine to be destroyed is deleted according to the virtual machine destruction completion instruction and destruction identification.
- the virtual machine that needs to be destroyed is called a virtual machine to be destroyed, and the identification information of the virtual machine to be destroyed is called a destruction identification.
- the virtual machine instance and context corresponding to the virtual machine to be destroyed in the trusted execution environment are called the destroyed virtual machine trusted execution environment instance, and the virtual machine trusted execution environment context is destroyed.
- This application also provides a method for shutting down the virtual machine, which may include the following:
- the trusted execution environment operating system sends the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down based on the shutdown identifier; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine Machine trusted execution environment context, and update the vfTPM that shuts down the virtual machine in the trusted execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag;
- the virtual machine to be shut down is shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
- the virtual machine that needs to be shut down is called a virtual machine to be shut down, and the identification information of the virtual machine to be shut down is called a shutdown identifier.
- the virtual machine instance and context corresponding to the virtual machine to be shut down in the trusted execution environment are called the closed virtual machine trusted execution environment instance, and the virtual machine trusted execution environment context is closed.
- the embodiments of the present application also provide corresponding devices for the virtualization implementation method, making the method more practical. Among them, the device can be described separately from the perspective of functional modules and the perspective of hardware.
- the virtualization implementation device provided by the embodiment of the present application is introduced below.
- the virtualization implementation device described below and the virtualization implementation method described above may be mutually referenced.
- Figure 3 is a structural diagram of a virtualization implementation device provided by an embodiment of the present application in an optional implementation manner.
- the device may include:
- the initialization processing module 301 is configured to perform initialization processing on the ARM platform running the target virtual machine configured with the vfTPM function based on the virtualization type in advance;
- the virtualization request issuing module 302 is configured to encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine when receiving the target vfTPM request of the target virtual machine. , and switch the current running state to a trusted execution environment;
- the virtualization request processing module 303 is configured to call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request according to the identification information in the trusted execution environment, and send the storage address and identification information carrying the processing results. Result feedback instructions;
- the processing result feedback module 304 is configured to encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, the storage address and identification information are obtained by parsing the result feedback instruction, and according to the identification information, the converted The storage address is sent to the target virtual machine.
- the above device may further include a storage module configured to store the processing results in the shared memory.
- the above-mentioned initialization processing module 301 may also include: powering on the ARM platform and loading the target firmware of the ARM platform and the trusted execution environment operating system; when the trusted execution environment operates The system starts, configures memory for the trusted execution environment operating system and performs memory initialization processing; based on the virtualization type of the target virtual machine, the rich execution environment is initialized.
- the above-mentioned initialization processing module 301 can also be used to: divide the memory of the trusted execution environment operating system into running memory and virtual request execution memory; the running memory is used to process underlying requests, virtual request The requested execution memory is used to process the vfTPM request of the virtual machine; in the flash memory chip, a dedicated memory for implementing the vfTPM function is configured for the trusted execution environment operating system; the storage driver is loaded into the trusted execution environment operating system, and the storage driver is used Initialize the private memory and partition the private memory.
- the above-mentioned initialization processing module 301 can also be set to: if the target virtual machine adopts QEMU KVM virtualization technology, complete the loading of the rich execution environment operating system.
- the above-mentioned initialization processing module 301 can also be set to: if the target virtual machine adopts Xen virtualization technology, start the Xen virtualization image file while starting the BIOS; During the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine trusted execution environment instance and virtual machine trusted execution environment context are assigned to the virtual machine monitor; through the virtual machine trusted execution environment instance Load the vfTPM trusted application; during the loading process of the vfTPM trusted application, use the storage driver to read and write the private memory, and allocate a dedicated storage area for the Xen virtual machine monitor in the private memory; change the virtual machine monitor's The processing result of the vfTPM request is returned to the virtual machine monitor, and the virtual machine monitor is started.
- the above-mentioned device may also include a virtual machine creation module, configured to issue virtual machine creation instructions for a rich execution environment, and allocate the target virtual machine configured with the vfTPM function.
- a virtual machine creation module configured to issue virtual machine creation instructions for a rich execution environment, and allocate the target virtual machine configured with the vfTPM function.
- Corresponding identification information encapsulate the identification information and virtual machine creation instructions, and switch the current running state to the trusted execution environment; in the trusted execution environment, the trusted execution environment operating system allocates the target virtual machine to the target virtual machine based on the virtual machine creation instructions.
- the target virtual machine trusted execution environment context the target virtual machine trusted execution environment instance and the memory space; load the vfTPM trusted application through the target virtual machine trusted execution environment instance, start the TPM, and initialize the memory space and the vfTPM of the target virtual machine; Encapsulate the initialization result and identification information of the vfTPM of the target virtual machine, and switch the current running state to the rich execution environment to complete the creation of the target virtual machine in the rich execution environment based on the initialization result.
- the above virtual machine creation module may also be configured to: if the target virtual machine has a corresponding target storage space in the flash memory chip, allocate the target storage space to the target virtual machine. vfTPM function; if the target virtual machine has a corresponding storage partition in the flash memory chip, when the remaining storage space of the flash memory chip is greater than the preset space threshold, the target storage space is allocated for the vfTPM function of the target virtual machine through the storage driver; the target storage space is It is bound with the identification information; the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment.
- the above-mentioned device may also include a virtual machine destruction module, for example, which is configured to, when a virtual machine destruction instruction is received, in the rich execution environment, by parsing the virtual machine destruction instruction, Obtain the destruction identification of the virtual machine to be destroyed; encapsulate the parameterized virtual machine destruction instruction and destruction identification, and switch the current running state to a trusted execution environment; in the trusted execution environment, the trusted execution environment operating system is based on Destroy the identifier and send the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed; destroy the virtual machine trusted execution environment instance to delete the virtual machine trusted execution environment context and delete the corresponding virtual machine to be destroyed In the storage partition of the flash memory chip; feedback the virtual machine destruction completion instruction carrying the destruction identification; encapsulate the parameterized virtual machine destruction completion instruction and destruction identification, and switch the current running state to the rich execution environment; in the rich execution environment, Delete the virtual machine to be destroyed according to the virtual machine destruction completion instruction and destruction
- a virtual machine destruction module for example,
- the above-mentioned device may also include a virtual machine shutdown module, which is configured to, when receiving a virtual machine shutdown instruction, in a rich execution environment, by parsing the virtual machine shutdown instruction, Obtain the shutdown identifier of the virtual machine to be shut down; encapsulate the parameterized virtual machine shutdown instruction and shutdown identifier, and switch the current running state to a trusted execution environment; in the trusted execution environment, the trusted execution environment operating system is based on Shut down the identifier and send the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine trusted execution environment context, and updates the shutdown virtual machine in the trustable execution environment instance.
- a virtual machine shutdown module which is configured to, when receiving a virtual machine shutdown instruction, in a rich execution environment, by parsing the virtual machine shutdown instruction, Obtain the shutdown identifier of the virtual machine to be shut down; encapsulate the parameterized virtual machine shutdown instruction and shutdown identifier, and switch the current
- vfTPM in the execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag; encapsulate the parameterized virtual machine shutdown completion instruction and shutdown flag, and switch the current running state to the rich execution environment; in the rich execution environment, Shut down the virtual machine to be shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
- each functional module of the virtualization implementation device in the embodiment of this application can be implemented according to the method in the above method embodiment.
- the implementation process can be referred to the relevant description of the above method embodiment, and will not be described again here.
- FIG. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present application in an implementation manner.
- the electronic device includes a memory 40, which is configured to store a computer program; and a processor 41, which is configured to implement the steps of the virtualization implementation method mentioned in any of the above embodiments when executing the computer program.
- the processor 41 may include one or more processing cores, such as a 4-core processor or an 8-core processor.
- the processor 41 may also be a controller, a microcontroller, a microprocessor or other data processing chips.
- the processor 41 can adopt at least one hardware form among DSP (Digital Signal Processing, digital signal processing), FPGA (Field-Programmable Gate Array, field programmable gate array), and PLA (Programmable Logic Array, programmable logic array). accomplish.
- the processor 41 may also include a main processor and a co-processor.
- the main processor is a processor configured to process data in the wake-up state, also called a CPU (Central Processing Unit, central processing unit); a co-processor It is a low-power processor configured to process data in standby mode.
- the processor 41 may be integrated with a GPU (Graphics Processing Unit, image processor), and the GPU is configured to be responsible for rendering and drawing content that needs to be displayed on the display screen.
- the processor 41 may also include an AI (Artificial Intelligence, artificial intelligence) processor, which is configured to process computing operations related to machine learning.
- AI Artificial Intelligence, artificial intelligence
- Memory 40 may include one or more computer non-volatile readable storage media, which may be non-transitory.
- the memory 40 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices and flash memory storage devices.
- the memory 40 in some embodiments may be an internal storage unit of the electronic device, such as a hard drive of a server.
- the memory 40 may also be an external storage device of an electronic device, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, or a flash memory equipped on a server. Flash Card, etc.
- the memory 40 may also include both an internal storage unit of the electronic device and an external storage device.
- the memory 40 may not only be configured to store application software installed on the electronic device and various types of data, such as codes for programs that execute vfTPM calculation processing methods, etc., but may also be configured to temporarily store data that has been output or is to be output.
- the memory 40 is at least configured to store the following computer program 401. After the computer program is loaded and executed by the processor 41, the relevant steps of the virtualization implementation method disclosed in any of the foregoing embodiments can be implemented.
- the resources stored in the memory 40 may also include the operating system 402, data 403, etc., and the storage method may be short-term storage or permanent storage.
- the operating system 402 may include Windows, Unix, Linux, etc.
- Data 403 may include but is not limited to data corresponding to virtualization implementation results, etc.
- the above-mentioned electronic device may also include a display screen 42, an input and output interface 43, a communication interface 44 or a network interface, a power supply 45 and a communication bus 46.
- the display screen 42 and the input/output interface 43 such as a keyboard belong to the user interface, and optional user interfaces may also include standard wired interfaces, wireless interfaces, etc.
- the display may be an LED display, a liquid crystal display, a touch-controlled liquid crystal display, an OLED (Organic Light-Emitting Diode, organic light-emitting diode) touch device, etc.
- the display which may also appropriately be called a display screen or display unit, is configured to display information processed in the electronic device and is configured to display a visual user interface.
- the communication interface 44 may optionally include a wired interface and/or a wireless interface, such as a WI-FI interface, a Bluetooth interface, etc., and is usually configured to establish communication connections between electronic devices and other electronic devices.
- the communication bus 46 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
- PCI peripheral component interconnect
- EISA extended industry standard architecture
- the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 4, but it does not mean that there is only one bus or one type of bus.
- FIG. 4 does not limit the electronic device, and may include more or fewer components than shown, for example, it may also include sensors 47 that implement various functions.
- each functional module of the electronic device in the embodiment of the present application can be implemented according to the method in the above method embodiment, and the implementation process can be referred to the relevant description of the above method embodiment, which will not be described again here.
- the virtualization implementation method in the above embodiment is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
- the technical solution of the present application is essentially or contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , execute all or part of the steps of the methods of various embodiments of this application.
- the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), electrically erasable programmable ROM, register, hard disk, multimedia Cards, card-type memories (such as SD or DX memories, etc.), magnetic memories, removable disks, CD-ROMs, magnetic disks or optical disks and other media that can store program codes.
- embodiments of the present application also provide a non-volatile readable storage medium that stores a computer program.
- the computer program is executed by the processor, the steps of the virtualization implementation method in any of the above embodiments are performed.
- the embodiment of the present application also provides an ARM platform. Please refer to Figure 5.
- the ARM platform is used to implement the steps of the virtualization implementation method of any of the above embodiments when executing a computer program.
- the ARM platform may include an application layer 501, a system layer 502, virtualization layer 503 and firmware layer 504.
- the application layer 501 may include multiple virtual machine applications located in a rich execution environment, and a trusted application set located in a trusted execution environment.
- the trusted application set includes trusted applications used to implement vfTPM functions.
- the system layer 502 may include a host processing module located in a rich execution environment and a trusted management module located in a trusted execution environment.
- Virtualization layer 503 includes a virtual machine monitor located in a rich execution environment.
- the firmware layer 504 may include a firmware processing module, which is configured to receive instructions from the host processing module, the virtual machine monitor, and the trusted management module; the firmware layer 504 simultaneously performs running state switching, and performs the running state switching process. forward the virtual machine identification information in the received instruction.
- KVM Kernel-based Virtual Machine, system virtualization module
- Xen virtualization technology is supported.
- the host processing module is designed to realize memory address translation of the virtual machine during the KVM virtualization implementation process.
- the host processing module completes the conversion between IPA and PA, which is the implementation of stage 2 in ARM virtualization implementation.
- the request stage that is, the vfTPM request sent by the virtual machine operating system
- the request command of the virtual machine operating system that is, GustOS
- the converted physical memory address are parameterized through the host processing module, that is, through a fixed function in the form of parameters.
- the system layer is passed across layers to the firmware layer, and the virtual machine identifier VMID is passed to the firmware processing module of the firmware layer 504.
- the vfTPM request processing result forwarded by the firmware processing module will be received. , forwarded to the corresponding virtual machine according to the VMID.
- the virtual machine monitor also known as the Hypervisor, translates the IPA address into a PA address during the stage2 translation process implemented by the virtual machine monitor in ARM virtualization during the Xen virtualization implementation process.
- the request stage that is, the vfTPM request sent by the virtual machine operating system
- the request parameters and memory address of the GuestOS are parameterized through the hypervisor, and the attached VMID is passed to the firmware processing module.
- the vfTPM forwarded by the firmware processing module is received.
- the Hypervisor's request is consistent with the virtual machine request, but it does not have a stage2 translation process.
- the firmware processing module of the firmware layer 504 accepts requests from the host processing module, Hypervisor, and trusted management module. Through SMC instructions, it changes the value of the NS bit and switches the TEE or REE operating environment. During the conversion process of the SMC request, the received VMID is passed together for forwarding.
- the TEE side includes a trusted management module and a trusted application set.
- the trusted application set includes a module used to implement the vfTPM function. Multiple trusted applications, with fTPM modules built into each trusted application, thereby running multiple fTPM instances in a trusted execution environment.
- the fTPM module also known as the vfTPM module, is set as an implementation method of fTPM used as a virtual machine. It realizes the virtualization of computing and the virtualization of persistent storage.
- the computing function of vfTPM can be implemented using any modern method. There is technology, and this application does not impose any limitations on this.
- the trusted management module may include a storage driver and a virtual machine data processing module.
- the virtual machine data processing module may be the vmContext module shown in Figure 6.
- the virtual machine data processing module corresponds to the virtual machine one-to-one, that is, one virtual machine corresponds to one
- the virtual machine data processing module is configured to process the vfTPM request of the corresponding virtual machine, and stores the virtual machine trusted execution environment instance and its context of the corresponding virtual machine.
- the trusted management module of this embodiment is improved on the basis of the original TEEOS.
- the original TEEOS instance is divided into two parts. One part can be called the running memory Nexus, and the other part is called the virtual request execution memory vm part.
- the running memory part is responsible for handling the underlying implementation, such as SMC instruction processing, memory management class, thread management, etc.
- the virtual request execution memory is responsible for request processing, loading TA, executing TA and other functions.
- One vm tee instance corresponds to a REE side
- the memory processing functions of running memory are differentiated and modified.
- the processing of Nexus instances of running memory can be corresponding to .nex_data, .nex_bss, .nex_nozi, .nex_heap, etc. still use the original memory to process requests for vm tee instances.
- multiple fTPM instances can be run in TrustZone to provide TPM functions for virtual machines, and the TPM functions of each virtual machine do not affect each other, so as to achieve Virtual machine isolation capabilities.
- this embodiment also provides an optional fTPM storage method, that is, the fTPM is stored in a special flash memory so that it can only be read in the TEE.
- the storage driver also known as the NV Driver module shown in Figure 6, can implement a driver that implements the problem of reading and writing special flash, which implements functions such as flash partitioning, flash reading and writing, and permission control, providing fTPM with NVRAM persists storage objects.
- the principle is to partition the flash and provide each virtual machine vfTPM with a partition for NVRAM storage.
- the read and write permissions for flash can only be operated on the TEE side, and only vm can operate the flash partition corresponding to the corresponding VMID.
- each functional module of the ARM platform in the embodiment of this application can be implemented according to the method in the above method embodiment.
- the implementation process can be referred to the relevant description of the above method embodiment, which will not be described again here.
- this application also provides a schematic example in conjunction with Figures 8-11.
- This schematic example includes the initialization process of the ARM platform , virtual machine creation process, virtual machine request and response process, and virtual machine destruction and shutdown process.
- TEE OS is the trusted execution environment operating system
- NV Driver is the storage driver
- VMID is the virtual machine identification information
- vm tee Instances and contexts are virtual machine trusted execution environment instances and virtual machine trusted execution environment instance contexts
- vm represents virtual machines
- RichOS represents rich execution environment operating systems
- NVRVM Non-Volatile Random Access Memory, non-volatile random access memory
- Hypervisor represents the virtual machine monitor of the virtualization layer
- GuestOS represents the virtual machine operating system, which can include the following:
- the initialization process of the ARM platform may include the following:
- A1 Power on the ARM platform.
- A2 Firmware loading.
- the device is initialized, including turning on the TrustZone function and loading the Firmware/SecureMonitor firmware management module.
- the firmware management module implements the VMID forwarding function.
- TEEOS is loaded. Find the TEE OS image firmware from the firmware storage flash and load it. In the TEE, configure the memory for the TEE OS and initialize the NV Driver.
- A4 Use NVDriver to initialize the flash chip used for fTPM. This initialization process includes but is not limited to metadata generation, flash encryption key generation, encryption key storage, permission settings, and partition permission processing.
- A6 If it is Xen virtualization, search for the Xen virtualization image file and start it along with the BIOS.
- A8 The vm tee instance loads vfTPM TA.
- A10 Return the data processed by vfTPM to the Xen Hypervisor through the vfTPM request and response process;
- A10 The hypervisor enters the startup process and completes startup.
- the virtual machine creation process may include:
- R1 RichOS or Hypervisor initiates an instruction to create a virtual machine and requires that the virtual machine be configured with vfTPM.
- the firmware processing module receives the request to create a virtual machine, encapsulates the request parameters, appends the VMID to the SMC command, sends the SMC_VM_CREATE command, sends the command to TEEOS on the TEE side, and switches the operating environment to TEE.
- the Nexus TEE on the TEEOS side receives the SMC command and analyzes this virtual machine which requires a vfTPM device.
- TEEOS allocates a vm tee instance and context to the virtual machine.
- the vm tee context is used to handle all requests related to the virtual machine, including the loading and execution of vfTPM.
- NVRVM Load fTPM TA and perform vfTPM initialization operation.
- NVRVM also needs to be initialized.
- the initialization process of NVRVM includes: using NV Driver to complete the allocation of flash partition. If the virtual machine has a corresponding flash partition, this partition will be directly allocated to vfTPM for use as NVRVM. If the vfTPM of the virtual machine does not have a corresponding flash partition, then NV Driver creates a partition for the virtual machine when the flash space is sufficient, and performs NVRVM initialization operations on this partition according to TPM specifications.
- NVRVM initialization is completed, continue to complete other initialization work of the TPM specification.
- vfTPM request and response process for the virtual machine can be as follows:
- GustOS kernel (virtual machine operating system kernel) converts vfTPM request instructions and VA into IPA.
- C3 RichOS or Hypervisor converts the instructions sent by GuestOS into PA, and appends the VMID and sends them to the firmware processing module.
- the firmware processing module encapsulates the instruction, attaches the VMID, executes the SMC instruction, and switches the running state to TEEOS.
- TEEOS processes the vfTPM request according to the VMID assigned to the corresponding vm tee context.
- TEEOS allocates shared memory, saves the processing results in the shared memory, and sends the shared memory address and VMID to the firmware processing module.
- firmware processing module After the firmware processing module encapsulates the request parameters, it executes the SMC instruction to switch the execution environment to REE, and sends the result to the Hypervisor or RichOS.
- C8 RichOS or Hypervisor converts the shared memory address to IPA and returns the result to the corresponding virtual machine based on the VMID.
- the virtual machine kernel converts the IPA into VA and hands it over to the GuestOS APP for processing.
- GustOS APP obtains the processing result of vfTPM request.
- the virtual machine destruction and shutdown process can be as follows:
- D1 The user issues an instruction to destroy or shut down the virtual machine through the application layer. RichOS or Hypervisor receives the instruction to destroy or shut down the virtual machine and releases the vfTPM resources by executing the execution.
- D2 Convert the instruction parameters of the virtual machine to be processed, that is, the virtual machine to be destroyed or the virtual machine to be shut down, and forward it to the firmware processing module with the VMID attached.
- D3 The firmware processing module encapsulates the instructions generated by D2, appends the VMID, executes the SMC_VM_DESTROY instruction, and switches the running state to TEEOS.
- TEEOS accepts the instruction to destroy or shut down the virtual machine, and sends it to the corresponding vm tee based on the parameters and VMID of this instruction.
- D5 Determine whether the command is to completely destroy and delete the virtual machine or to shut down the virtual system normally.
- D6 If it is a command to shut down the virtual machine system, refresh the vfTPM data on the TEE side and delete the vm context;
- the embodiment of the present application completes TEEOS's support for virtualization by transforming TEEOS, and supports KVM and Xen virtualization technology; by improving the implementation method of fTPM, it realizes fTPM's virtual machine on the ARM platform support; by improving the storage method of fTPM, the storage of fTPM is saved on a special flash memory, so that it can only be read in TEE, which enhances its security; the storage method of fTPM is virtualized, Solved the virtualization problem of fTPM.
- the TPM function is implemented based on firmware on the ARM platform, and virtualization is implemented, which can be used by ARM virtual machines. It can save physical costs at the research and development level.
- the implementation of fTPM virtualization can improve the security of cloud computing products and improve the cloud computing. Competitiveness in the computing industry.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
A virtualization implementation method and apparatus, an electronic device, a non-volatile readable storage medium, and an ARM platform, which are applied to the technical field of computers. The method comprises: on the basis of a virtualization type, initializing, in advance, an ARM platform running a virtual machine for which a vfTPM function is configured; when a vfTPM request of the virtual machine is received, encapsulating an instruction comprising a real physical address and identification information of the virtual machine, and switching a running state to a trusted execution environment; in the trusted execution environment, calling a corresponding virtual machine trusted execution environment context to process the vfTPM request according to the identification information, feeding back a storage address for the processing result and the identification information of the virtual machine, and switching the current running state to a rich execution environment; in the rich execution environment, performing resolution to obtain a storage address and identification information, and sending the converted storage address to the corresponding virtual machine according to the identification information, so that firmware-based trusted platform virtualization is realized on the ARM platform.
Description
相关申请的交叉引用Cross-references to related applications
本申请要求于2022年03月31日提交中国专利局,申请号为202210334870.7,申请名称为“虚拟化实现方法、装置、电子设备、介质及ARM平台”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application requires the priority of the Chinese patent application submitted to the China Patent Office on March 31, 2022, with the application number 202210334870.7, and the application name is "Virtualization Implementation Method, Device, Electronic Equipment, Medium and ARM Platform", and its entire content incorporated herein by reference.
本申请涉及计算机技术领域,特别是涉及一种虚拟化实现方法、装置、电子设备、非易失性可读存储介质及ARM平台。This application relates to the field of computer technology, and in particular to a virtualization implementation method, device, electronic equipment, non-volatile readable storage medium and ARM platform.
随着ARM(Advanced RISC(Reduced Instruction Set Computer,精简指令集计算机)Machines,RISC微处理器)技术与云计算的发展,ARM计算机在移动设备、桌面、服务器等领域得到了飞速的发展,基于ARM的虚拟化技术也在云计算领域迅猛发展。在ARM虚拟化技术得到快速发展的同时,ARM相关的技术安全可信问题亟需解决,为此ARM公司从ARMv8开始,通过TrustZone(信任区)可信技术将ARM执行环境划分为SW(Secure World,安全世界)和NW(Normal World,正常世界)。其中正常世界的执行环境又被称为REE(Rich Execution Environment,富执行环境),安全世界的执行环境又被称为TEE(Trusted execution environment,可信执行环境),REE中运行的程序一般为BIOS(Basic Input Output System,基本输入输出系统)/UEFI(Unified Extensible Firmware Interface,统一可扩展固件接口)系统固件和正常的操作系统如Linux、Windows。TEE侧有专门的操作系统一般称为TEEOS(Trusted execution environment operating system,可信操作系统)。对于TEEOS,各个厂商有不同的实现方式,一般都遵循GP标准(Global Platform,全球平台标准),例如TEEOS依据GP标准的一种开源的实现方式称为OPTEE(Open-source Portable Trusted execution environment)。GP标准对TEE的框架和安全需求做出了明确的规定,并分别对REE侧提供的接口函数,数据类型和数据结构,对TEE侧提供给开发者使用的接口函数、数据类型、数据结构进行了明确的规定和定义。With the development of ARM (Advanced RISC (Reduced Instruction Set Computer) Machines, RISC microprocessor) technology and cloud computing, ARM computers have developed rapidly in mobile devices, desktops, servers and other fields. Based on ARM Virtualization technology is also developing rapidly in the field of cloud computing. While ARM virtualization technology is developing rapidly, ARM-related technical security and trust issues need to be solved urgently. For this reason, starting from ARMv8, ARM has divided the ARM execution environment into SW (Secure World) through TrustZone (Trust Zone) trusted technology. , safe world) and NW (Normal World, normal world). The execution environment in the normal world is also called REE (Rich Execution Environment, rich execution environment), and the execution environment in the safe world is also called TEE (Trusted execution environment, trusted execution environment). The programs running in REE are generally BIOS (Basic Input Output System, Basic Input and Output System)/UEFI (Unified Extensible Firmware Interface, Unified Extensible Firmware Interface) system firmware and normal operating systems such as Linux and Windows. There is a special operating system on the TEE side, generally called TEEOS (Trusted execution environment operating system, trusted operating system). For TEEOS, various manufacturers have different implementation methods, and generally follow the GP standard (Global Platform, global platform standard). For example, an open source implementation method of TEEOS based on the GP standard is called OPTEE (Open-source Portable Trusted execution environment). The GP standard clearly stipulates the framework and security requirements of TEE, and separately defines the interface functions, data types and data structures provided by the REE side, and the interface functions, data types and data structures provided by the TEE side for developers to use. clear regulations and definitions.
TPM(Trusted Platform Module,可信平台模块)为符合TPM标准,可有效保护计算 机,防止非法访问的安全物理芯片,该芯片具有独有的计算资源和存储资源,从而可起到物理空间隔离、防止非法入侵及篡改的作用。fTPM(firmware Trusted Platform Module,基于固件的可信平台模块)依托ARM的TrustZone技术,在TrustZone中实现TPM的计算和存储资源,从而也实现了物理隔离的功能。ARMv8将CPU(central processing unit,中央处理器)异常中断分为4层,如图1所示,EL0层为应用层,EL1层为系统层,EL2为虚拟化层,EL3为固件层。相关技术中,fTPM为运行在TEEOS中的一个TA(Trust Application,可信应用)中,图1左边为REE侧,右边为TEE侧。REE侧APP(Application,应用程序)是Rich OS(Rich Operating System,全能操作系统)中运行的软件应用,Rich OS可以是Windows、Unix、Linux等操作系统。RPMB(Replay Protected Memory Block,重放保护内存块)是一种EMMC(Embedded Multi Media Card,嵌入式多媒体控制器)提供的一个具有安全特性的分区。Rich OS FS(File System,文件系统)为rich OS提供的文件系统。TEE侧的TA是Trust Application,其运行在TEEOS之上,符合GP标准;TEE侧的TEEOS是符合GP规范的操作系统,可以是厂商提供的OS或OPTEEOS;fTPM的实现方式是在TEEOS中实现一个fTPM TA(fTPM Trust Application),用于实现TPM的计算功能,在Rich OS中使用RPMB或rich OS FS文件系统作为fTPM的可信存储,使用TEE的安全存储功能,以共享内存的读写方式,将TPM的持久化数据存储在这个安全加密的RPMB或Rich OS FS中。TPM (Trusted Platform Module, Trusted Platform Module) is a secure physical chip that complies with TPM standards and can effectively protect computers and prevent illegal access. The chip has unique computing resources and storage resources, which can achieve physical space isolation and prevent The role of illegal intrusion and tampering. fTPM (firmware Trusted Platform Module, firmware-based trusted platform module) relies on ARM's TrustZone technology to implement TPM's computing and storage resources in TrustZone, thereby also realizing the function of physical isolation. ARMv8 divides CPU (central processing unit, central processing unit) abnormal interrupts into four layers, as shown in Figure 1. The EL0 layer is the application layer, the EL1 layer is the system layer, EL2 is the virtualization layer, and EL3 is the firmware layer. In related technologies, fTPM is a TA (Trust Application) running in TEEOS. The left side of Figure 1 is the REE side, and the right side is the TEE side. REE side APP (Application, application) is a software application running in Rich OS (Rich Operating System, all-round operating system). Rich OS can be Windows, Unix, Linux and other operating systems. RPMB (Replay Protected Memory Block) is a partition with security features provided by EMMC (Embedded Multi Media Card). Rich OS FS (File System, file system) is the file system provided by rich OS. The TA on the TEE side is Trust Application, which runs on TEEOS and complies with GP standards; the TEEOS on the TEE side is an operating system that complies with GP specifications, and can be the OS provided by the manufacturer or OPTEEOS; the implementation of fTPM is to implement a fTPM TA (fTPM Trust Application) is used to implement the computing function of TPM. In Rich OS, RPMB or rich OS FS file system is used as the trusted storage of fTPM, and the secure storage function of TEE is used to read and write shared memory. Store TPM's persistent data in this securely encrypted RPMB or Rich OS FS.
TEE与REE进行交互必须通过EL3层的firmware(固件)/Secure Monitor(安全监控器)的SMC(System Management Controller,系统管理控制器)指令,对控制NS(安全读写)标识位进行等于0或等于1处理后,ARM CPU才能进入REE环境或TEE环境,整个过程中运行环境的切换和数据的传输都是由firmware/Secure Monitor进行处理的。REE侧的El2层的Hypervisor(虚拟机监视器)层为虚拟化层,其用于将虚拟机的IPA(Internet Protocol Address,互联网协议地址,是指虚拟机的虚拟机物理地址)转换成PA(Physical Address,真实物理地址),在fTPM的现有实现过程中,并没有使用Hypervisor层,所以整个fTPM的实现方式上并没有实现虚拟化,fTPM自然就不可为ARM物理主机上运行的虚拟机提供TPM服务。也就是说,相关技术中的fTPM的实现方式只能在ARM物理主机上实现,不能供ARM主机上的虚拟机使用。The interaction between TEE and REE must pass the SMC (System Management Controller) command of the firmware/Secure Monitor (security monitor) of the EL3 layer to control the NS (Secure Read and Write) flag bit equal to 0 or After being equal to 1, the ARM CPU can enter the REE environment or TEE environment. During the entire process, the switching of the operating environment and the transmission of data are handled by the firmware/Secure Monitor. The Hypervisor (Virtual Machine Monitor) layer of the El2 layer on the REE side is the virtualization layer, which is used to convert the IPA (Internet Protocol Address, Internet Protocol Address, refers to the virtual machine physical address of the virtual machine) of the virtual machine into PA ( Physical Address, real physical address), in the current implementation of fTPM, the Hypervisor layer is not used, so virtualization is not implemented in the entire fTPM implementation. Naturally, fTPM cannot provide virtual machines running on ARM physical hosts. TPM service. In other words, the implementation of fTPM in related technologies can only be implemented on the ARM physical host and cannot be used by the virtual machine on the ARM host.
鉴于此,如何在ARM平台上实现基于固件的可信平台虚拟化,是所属领域技术人员需要解决的技术问题。In view of this, how to implement firmware-based trusted platform virtualization on the ARM platform is a technical problem that technicians in the field need to solve.
发明内容Contents of the invention
本申请实施例提供了一种虚拟化实现方法、装置、电子设备、非易失性可读存储介质及ARM平台,在ARM平台上实现了基于固件的可信平台虚拟化。Embodiments of the present application provide a virtualization implementation method, device, electronic device, non-volatile readable storage medium and ARM platform, and realize firmware-based trusted platform virtualization on the ARM platform.
为解决上述技术问题,本申请实施例提供以下技术方案:In order to solve the above technical problems, the embodiments of this application provide the following technical solutions:
本申请实施例一方面提供了一种虚拟化实现方法,包括:On the one hand, embodiments of the present application provide a virtualization implementation method, including:
预先基于虚拟化类型,对运行着配置vfTPM(virtual firmware Trusted Platform Module,虚拟的基于固件的可信平台模块)功能的目标虚拟机的ARM平台进行初始化处理;Based on the virtualization type, the ARM platform running the target virtual machine configured with vfTPM (virtual firmware Trusted Platform Module, virtual firmware-based trusted platform module) function is initialized in advance;
当接收到目标虚拟机的目标vfTPM请求,将携带由目标虚拟机的虚拟物理地址所转换的真实物理地址、和目标虚拟机的标识信息的指令进行封装,并切换当前运行状态至可信执行环境;When receiving the target vfTPM request from the target virtual machine, the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine is encapsulated, and the current running state is switched to the trusted execution environment. ;
在可信执行环境中,根据标识信息,调用相应的目标虚拟机可信执行环境上下文对目标vfTPM请求进行处理,并发送携带处理结果的存储地址及标识信息的结果反馈指令;In the trusted execution environment, based on the identification information, the corresponding target virtual machine trusted execution environment context is called to process the target vfTPM request, and a result feedback instruction carrying the storage address and identification information of the processing result is sent;
对结果反馈指令进行封装,并切换当前运行状态至富执行环境;在富执行环境,通过解析结果反馈指令得到存储地址和标识信息,按照标识信息,将转换后的存储地址发送至目标虚拟机。Encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, the storage address and identification information are obtained by parsing the result feedback instruction, and the converted storage address is sent to the target virtual machine according to the identification information.
可选的,调用相应的目标虚拟机可信执行环境上下文对目标vfTPM请求进行处理之后,还包括:Optionally, after calling the corresponding target virtual machine trusted execution environment context to process the target vfTPM request, it also includes:
将处理结果存储至共享内存中。Store the processing results in shared memory.
可选的,按照标识信息,将转换后的存储地址发送至目标虚拟机,包括:Optionally, send the converted storage address to the target virtual machine according to the identification information, including:
富执行环境的操作系统将存储地址转换为虚拟机所认为的物理地址,基于标识信息将物理地址发送至目标虚拟机。The operating system of the rich execution environment converts the storage address into what the virtual machine considers to be a physical address, and sends the physical address to the target virtual machine based on the identification information.
可选的,在基于标识信息将物理地址发送至目标虚拟机之后,方法还包括:Optionally, after sending the physical address to the target virtual machine based on the identification information, the method also includes:
目标虚拟机的内核将物理地址转换为虚拟机内存地址,并将虚拟机内存地址传输至目标虚拟机的操作系统中,目标虚拟机基于虚拟机内存地址读取vfTPM请求的处理结果。The kernel of the target virtual machine converts the physical address into a virtual machine memory address, and transmits the virtual machine memory address to the operating system of the target virtual machine. The target virtual machine reads the processing result of the vfTPM request based on the virtual machine memory address.
可选的,基于虚拟化类型,对运行着配置虚拟的基于固件的可信平台模块vfTPM功能的目标虚拟机的精简指令集计算机ARM平台进行初始化处理,包括:Optionally, based on the virtualization type, initialize the reduced instruction set computer ARM platform running the target virtual machine configured with the virtual firmware-based trusted platform module vfTPM function, including:
ARM平台上电,并加载ARM平台的目标固件和可信执行环境操作系统;The ARM platform is powered on and the target firmware and trusted execution environment operating system of the ARM platform are loaded;
当可信执行环境操作系统启动,为可信执行环境操作系统配置内存并进行内存初始化处理;When the trusted execution environment operating system starts, configure memory for the trusted execution environment operating system and perform memory initialization processing;
基于目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理。Based on the virtualization type to which the target virtual machine belongs, the rich execution environment is initialized.
可选的,为可信执行环境操作系统配置内存并进行内存初始化处理,包括:Optionally, configure memory for the trusted execution environment operating system and perform memory initialization processing, including:
将可信执行环境操作系统的内存划分为运行内存和虚拟请求执行内存;运行内存用于处理底层请求,虚拟请求执行内存用于处理虚拟机的vfTPM请求;The memory of the trusted execution environment operating system is divided into running memory and virtual request execution memory; the running memory is used to process the underlying requests, and the virtual request execution memory is used to process the vfTPM request of the virtual machine;
在闪存芯片中,为可信执行环境操作系统配置用于实现vfTPM功能的专有内存;In the flash memory chip, configure the proprietary memory for the trusted execution environment operating system to implement the vfTPM function;
加载存储驱动器至可信执行环境操作系统中,利用存储驱动器对专有内存进行初始化处理,并对专有内存进行分区处理。Load the storage driver into the trusted execution environment operating system, use the storage driver to initialize the private memory, and partition the private memory.
可选的,专有内存用于存储所述vfTPM的数据,所述方法还包括:预先为每个虚拟机在所述专有内存中分配一块存储区间,用于存储所述每个虚拟机自己的vfTPM数据。Optionally, dedicated memory is used to store the data of the vfTPM. The method also includes: pre-allocating a storage area in the dedicated memory for each virtual machine for storing each virtual machine's own data. vfTPM data.
可选的,基于目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理,包括:Optionally, based on the virtualization type of the target virtual machine, initialize the rich execution environment, including:
若目标虚拟机采用QEMU KVM虚拟化技术,则完成对富执行环境操作系统的加载。If the target virtual machine uses QEMU KVM virtualization technology, the loading of the rich execution environment operating system is completed.
可选的,基于目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理,包括:Optionally, based on the virtualization type of the target virtual machine, initialize the rich execution environment, including:
若目标虚拟机采用Xen虚拟化技术,则在启动BIOS的同时启动Xen虚拟化的镜像文件;If the target virtual machine uses Xen virtualization technology, start the Xen virtualization image file while starting the BIOS;
在启动过程中,将虚拟机监视器作为具有预设标识的虚拟机,为虚拟机监视器分配对应的虚拟机可信执行环境实例及虚拟机可信执行环境上下文;During the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine trusted execution environment instance and virtual machine trusted execution environment context are assigned to the virtual machine monitor;
通过虚拟机可信执行环境实例加载vfTPM可信应用;在vfTPM可信应用的加载过程中,利用存储驱动器对专有内存进行读写,并在专有内存中为Xen虚拟机监视器分配专属存储区域;Load the vfTPM trusted application through the virtual machine trusted execution environment instance; during the loading process of the vfTPM trusted application, use the storage driver to read and write the private memory, and allocate dedicated storage for the Xen virtual machine monitor in the private memory area;
将虚拟机监视器的vfTPM请求的处理结果返回至虚拟机监视器,启动虚拟机监视器。Return the processing result of the vfTPM request of the virtual machine monitor to the virtual machine monitor, and start the virtual machine monitor.
可选的,当接收到目标虚拟机的vfTPM请求之前,还包括:Optionally, before receiving the vfTPM request of the target virtual machine, it also includes:
富执行环境下发虚拟机创建指令,并为配置有vfTPM功能的目标虚拟机分配相应的标识信息;The rich execution environment issues virtual machine creation instructions and assigns corresponding identification information to the target virtual machine configured with the vfTPM function;
将标识信息和虚拟机创建指令进行封装,并切换当前运行状态至可信执行环境;Encapsulate the identification information and virtual machine creation instructions, and switch the current running state to a trusted execution environment;
在可信执行环境,可信执行环境操作系统基于虚拟机创建指令,为目标虚拟机分配目标虚拟机可信执行环境上下文、目标虚拟机可信执行环境实例和内存空间;通过目标虚拟机可信执行环境实例加载vfTPM可信应用,启动TPM,并初始化内存空间和目标虚拟机的vfTPM;In the trusted execution environment, the trusted execution environment operating system allocates the target virtual machine trusted execution environment context, the target virtual machine trusted execution environment instance and the memory space to the target virtual machine based on the virtual machine creation instructions; through the target virtual machine trusted execution environment The execution environment instance loads the vfTPM trusted application, starts the TPM, and initializes the memory space and vfTPM of the target virtual machine;
将目标虚拟机的vfTPM的初始化结果和标识信息进行封装,并切换当前运行状态至富执行环境,以基于初始化结果,在富执行环境完成目标虚拟机的创建操作。Encapsulate the initialization result and identification information of the vfTPM of the target virtual machine, and switch the current running state to the rich execution environment to complete the creation of the target virtual machine in the rich execution environment based on the initialization result.
可选的,方法还包括:Optionally, methods also include:
将vfTPM的存储保存在flash闪存上,使其只能在可信执行环境中进行读取。Save the storage of vfTPM on flash memory so that it can only be read in the trusted execution environment.
可选的,初始化内存空间,包括:Optional, initialize the memory space, including:
若目标虚拟机在闪存芯片中有相应的目标存储空间,则将目标存储空间分配给目标虚拟机的vfTPM功能;If the target virtual machine has a corresponding target storage space in the flash memory chip, allocate the target storage space to the vfTPM function of the target virtual machine;
若目标虚拟机在闪存芯片中有相应的存储分区,则当闪存芯片的剩余存储空间大于预设空间阈值,通过存储驱动器为目标虚拟机的vfTPM功能分配目标存储空间;If the target virtual machine has a corresponding storage partition in the flash memory chip, when the remaining storage space of the flash memory chip is greater than the preset space threshold, target storage space is allocated for the vfTPM function of the target virtual machine through the storage driver;
将目标存储空间与标识信息进行绑定;Bind the target storage space and identification information;
其中,目标存储空间作为目标虚拟机的vfTPM的NVRAM;且目标存储空间的读写功能由目标虚拟机在可信执行环境中执行。Among them, the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment.
可选的,方法还包括:Optionally, methods also include:
通过在闪存芯片上进行分区,为每个虚拟机的vfTPM提供一个分区,用于进行NVRAM存储。By partitioning on the flash chip, each virtual machine's vfTPM is given a partition for NVRAM storage.
可选的,可信执行环境操作系统上的闪存芯片驱动程序被设置为只允许在在可信执行环境侧,对闪存芯片的读写设置权限;并且目标存储空间被设置为只允许被目标虚拟机操作。Optionally, the flash chip driver on the trusted execution environment operating system is set to allow only the read and write permissions for the flash chip on the trusted execution environment side; and the target storage space is set to only allow the target virtual machine operation.
可选的,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理之后,还包括:Optionally, after initializing the ARM platform running the target virtual machine configured with the vfTPM function, it also includes:
当接收到虚拟机销毁指令,在富执行环境中,通过解析虚拟机销毁指令,得到获取待销毁虚拟机的销毁标识;When a virtual machine destruction instruction is received, in the rich execution environment, the destruction identification of the virtual machine to be destroyed is obtained by parsing the virtual machine destruction instruction;
将参数化处理的虚拟机销毁指令以及销毁标识进行封装,并切换当前运行状态为可信执行环境;Encapsulate the parameterized virtual machine destruction instructions and destruction identifiers, and switch the current running state to a trusted execution environment;
在可信执行环境中,可信执行环境操作系统基于销毁标识,将虚拟机销毁指令发送至待销毁虚拟机对应的销毁虚拟机可信执行环境实例;销毁虚拟机可信执行环境实例删除销毁虚拟机可信执行环境上下文,并删除待销毁虚拟机对应在闪存芯片的存储分区;反馈携带销毁标识的虚拟机销毁完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed based on the destruction identification; the destroyed virtual machine trusted execution environment instance deletes the destroyed virtual machine The machine trusts the execution environment context, and deletes the storage partition of the flash memory chip corresponding to the virtual machine to be destroyed; feeds back the virtual machine destruction completion instruction carrying the destruction identification;
将参数化处理的虚拟机销毁完成指令以及销毁标识进行封装,并切换当前运行状态为富执行环境;Encapsulate the parameterized virtual machine destruction completion instructions and destruction identification, and switch the current running state to a rich execution environment;
在富执行环境中,根据虚拟机销毁完成指令和销毁标识,删除待销毁虚拟机。In the rich execution environment, the virtual machine to be destroyed is deleted according to the virtual machine destruction completion instruction and destruction identification.
可选的,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理之后,还包括:Optionally, after initializing the ARM platform running the target virtual machine configured with the vfTPM function, it also includes:
当接收到虚拟机关闭指令,在富执行环境中,通过解析虚拟机关闭指令,得到获取待关闭虚拟机的关闭标识;When receiving a virtual machine shutdown instruction, in the rich execution environment, by parsing the virtual machine shutdown instruction, the shutdown identifier of the virtual machine to be shut down is obtained;
将参数化处理的虚拟机关闭指令以及关闭标识进行封装,并切换当前运行状态为可信执行环境;Encapsulate the parameterized virtual machine shutdown instructions and shutdown flags, and switch the current running state to a trusted execution environment;
在可信执行环境中,可信执行环境操作系统基于关闭标识,将虚拟机关闭指令发送至待关闭虚拟机对应的关闭虚拟机可信执行环境实例;关闭虚拟机可信执行环境实例删除关闭虚拟机可信执行环境上下文,并更新关闭虚拟机在可信执行环境中的vfTPM;反馈携带关闭标识的虚拟机关闭完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down based on the shutdown identifier; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine Machine trusted execution environment context, and update the vfTPM that shuts down the virtual machine in the trusted execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag;
将参数化处理的虚拟机关闭完成指令以及关闭标识进行封装,并切换当前运行状态为富执行环境;Encapsulate the parameterized virtual machine shutdown completion instructions and shutdown flags, and switch the current running state to a rich execution environment;
在富执行环境中,根据虚拟机关闭完成指令和关闭标识,关闭待关闭虚拟机。In a rich execution environment, the virtual machine to be shut down is shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
本申请实施例另一方面提供了一种虚拟化实现装置,包括:On the other hand, embodiments of the present application provide a virtualization implementation device, including:
初始化处理模块,被设置为预先基于虚拟化类型,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理;The initialization processing module is set to perform initialization processing on the ARM platform running the target virtual machine configured with the vfTPM function based on the virtualization type in advance;
虚拟化请求下发模块,被设置为当接收到目标虚拟机的目标vfTPM请求,将携带由目标虚拟机的虚拟物理地址所转换的真实物理地址、和目标虚拟机的标识信息的指令进行封装,并切换当前运行状态至可信执行环境;The virtualization request delivery module is configured to encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine when receiving the target vfTPM request of the target virtual machine. And switch the current running state to a trusted execution environment;
虚拟化请求处理模块,被设置为在可信执行环境中,根据标识信息,调用相应的目标虚拟机可信执行环境上下文对目标vfTPM请求进行处理,并发送携带处理结果的存储地址及标识信息的结果反馈指令;The virtualization request processing module is configured to call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request based on the identification information in the trusted execution environment, and send the storage address and identification information carrying the processing result. Result feedback instructions;
处理结果反馈模块,被设置为对结果反馈指令进行封装,并切换当前运行状态至富执行环境;在富执行环境,通过解析结果反馈指令得到存储地址和标识信息,按照标识信息,将转换后的存储地址发送至目标虚拟机。The processing result feedback module is set to encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, the storage address and identification information are obtained by parsing the result feedback instruction, and according to the identification information, the converted The storage address is sent to the target virtual machine.
本申请实施例还提供了一种电子设备,包括处理器,处理器被设置为执行存储器中存储的计算机程序时实现如前任一项虚拟化实现方法的步骤。Embodiments of the present application also provide an electronic device, including a processor, and the processor is configured to implement the steps of the preceding virtualization implementation method when executing a computer program stored in the memory.
本申请实施例还提供了一种非易失性可读存储介质,非易失性可读存储介质上存储有计算机程序,计算机程序被处理器执行时实现如前任一项虚拟化实现方法的步骤。Embodiments of the present application also provide a non-volatile readable storage medium. A computer program is stored on the non-volatile readable storage medium. When the computer program is executed by the processor, the steps of the previous virtualization implementation method are implemented. .
本申请实施例最后还提供了一种ARM平台,被设置为执行计算机程序时实现如上任一项虚拟化实现方法的步骤,其包括应用层、系统层、虚拟化层和固件层;Finally, the embodiment of the present application also provides an ARM platform, which is configured to implement the steps of any of the above virtualization implementation methods when executing a computer program, which includes an application layer, a system layer, a virtualization layer and a firmware layer;
应用层,包括位于富执行环境中的多个虚拟机应用程序,和位于可信执行环境的可信应用集,可信应用集包括被设置为实现vfTPM功能的可信应用;The application layer includes multiple virtual machine applications located in the rich execution environment, and a trusted application set located in the trusted execution environment. The trusted application set includes trusted applications set to implement the vfTPM function;
系统层,包括位于富执行环境中的宿主机处理模块,和位于可信执行环境的可信管理模 块;The system layer includes the host processing module located in the rich execution environment and the trusted management module located in the trusted execution environment;
虚拟化层,包括位于富执行环境中的虚拟机监视器;The virtualization layer, including the virtual machine monitor located in the rich execution environment;
固件层,包括固件处理模块,固件处理模块被设置为接收宿主机处理模块、虚拟机监视器和可信管理模块的指令;执行运行状态的切换,并在执行运行状态切换过程中转发接收指令中的虚拟机标识信息。The firmware layer includes a firmware processing module. The firmware processing module is configured to receive instructions from the host processing module, virtual machine monitor and trusted management module; performs running state switching, and forwards the received instructions during the running state switching process. virtual machine identification information.
本申请实施例提供的技术方案的优点在于,对于不同虚拟化技术对ARM平台进行相应的初始化,从而可支持ARM平台的多种虚拟化技术的实现。富执行环境在接收到上层虚拟机下发的vfTPM请求之后,封装虚拟机转换所得的真实物理地址以及该虚拟机的标识,以便在切换至可信执行环境时被处理。状态切换之后,可信执行环境基于该标识调用相匹配的虚拟机上下文处理该请求,并将请求处理结果以及标识再次封装,切换至富执行环境之后,富执行环境将该vfTPM请求处理结果发送至该虚拟机,从而实现了fTPM在ARM平台上对虚拟机的支持,不仅可节约研发成本,还可提高云计算的产品的安全性。The advantage of the technical solution provided by the embodiment of the present application is that the ARM platform can be initialized accordingly for different virtualization technologies, thereby supporting the implementation of multiple virtualization technologies of the ARM platform. After receiving the vfTPM request issued by the upper-layer virtual machine, the rich execution environment encapsulates the real physical address converted by the virtual machine and the identification of the virtual machine so that it can be processed when switching to the trusted execution environment. After the state switch, the trusted execution environment calls the matching virtual machine context to process the request based on the identifier, and encapsulates the request processing result and the identifier again. After switching to the rich execution environment, the rich execution environment sends the vfTPM request processing result to This virtual machine enables fTPM to support virtual machines on the ARM platform, which not only saves research and development costs, but also improves the security of cloud computing products.
此外,本申请实施例还针对虚拟化实现方法提供了相应的实现装置、电子设备、非易失性可读存储介质及ARM平台,使得方法更具有实用性,装置、电子设备、非易失性可读存储介质及ARM平台具有相应的优点。In addition, the embodiments of this application also provide corresponding implementation devices, electronic equipment, non-volatile readable storage media and ARM platforms for the virtualization implementation method, making the method more practical. Devices, electronic equipment, non-volatile Readable storage media and ARM platforms have corresponding advantages.
应当理解的是,以上的一般描述和后文的细节描述仅是示例性的,并不能限制本公开。It should be understood that the above general description and the following detailed description are only exemplary and do not limit the present disclosure.
为了更清楚的说明本申请实施例或相关技术的技术方案,下面将对实施例或相关技术描述中所需要使用的附图作简单的介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly explain the embodiments of the present application or the technical solutions of related technologies, the drawings needed to be used in the description of the embodiments or related technologies will be briefly introduced below. Obviously, the drawings in the following description are only for the purpose of the present application. For some embodiments, those of ordinary skill in the art can also obtain other drawings based on these drawings without exerting creative efforts.
图1为本申请实施例提供的相关技术中的一个示例性应用场景的框架示意图;Figure 1 is a schematic framework diagram of an exemplary application scenario in the related technology provided by the embodiment of this application;
图2为本申请实施例提供的一种虚拟化实现方法的流程示意图;Figure 2 is a schematic flow chart of a virtualization implementation method provided by an embodiment of the present application;
图3为本申请实施例提供的虚拟化实现装置在一种可选的实施方式下的结构图;Figure 3 is a structural diagram of the virtualization implementation device provided by the embodiment of the present application in an optional implementation manner;
图4为本申请实施例提供的电子设备在一种实施方式下的结构示意图;Figure 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present application in an implementation manner;
图5为本申请实施例提供的ARM平台的一种可选的实施方式结构图;Figure 5 is an optional implementation structure diagram of the ARM platform provided by the embodiment of the present application;
图6为本申请实施例提供的ARM平台的另一种可选的实施方式结构图;Figure 6 is a structural diagram of another optional implementation of the ARM platform provided by the embodiment of the present application;
图7为本申请实施例提供的可信管理模块的一种可选的实施方式结构图;Figure 7 is an optional implementation structure diagram of the trusted management module provided by the embodiment of the present application;
图8为本申请实施例提供的ARM平台初始化方法的流程示意图;Figure 8 is a schematic flow chart of the ARM platform initialization method provided by the embodiment of the present application;
图9为本申请实施例提供的虚拟机创建方法的流程示意图;Figure 9 is a schematic flowchart of a virtual machine creation method provided by an embodiment of the present application;
图10为本申请实施例提供的vfTPM请求及响应流程示意图;Figure 10 is a schematic diagram of the vfTPM request and response flow provided by the embodiment of this application;
图11为本申请实施例提供的虚拟机销毁关闭流程示意图。Figure 11 is a schematic diagram of the virtual machine destruction and shutdown process provided by the embodiment of the present application.
为了使本技术领域的人员更好地理解本申请方案,下面结合附图和可选的实施方式对本申请作进行的详细说明。显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to enable those skilled in the art to better understand the solution of the present application, the present application will be described in detail below with reference to the drawings and optional implementation modes. Obviously, the described embodiments are only some of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative efforts fall within the scope of protection of this application.
本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”、“第三”、“第四”等是用于区别不同的对象,而不是用于描述特定的顺序。此外术语“包括”和“具有”以及他们任何变形,意图在于覆盖不排他的包含。例如包含了一系列步骤或单元的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元,而是可包括没有列出的步骤或单元。The terms "first", "second", "third", "fourth", etc. in the description and claims of this application and the above-mentioned drawings are used to distinguish different objects, rather than to describe specific objects. order. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may include unlisted steps or units.
在介绍了本申请实施例的技术方案后,下面详细的说明本申请的各种非限制性实施方式。After introducing the technical solutions of the embodiments of the present application, various non-limiting implementations of the present application are described in detail below.
首先请参见图2,图2为本申请实施例提供的一种虚拟化实现方法的流程示意图,本申请实施例应用于ARM平台,基于TrustZone可信技术,ARM执行环境可包括可信执行环境和富执行环境,其可通过SMC指令更改NS位的值切换ARM执行环境处于可信执行环境或处于富执行环境。举例来说,可信执行环境的NS=0,富执行环境的NS=1。虚拟机部署在富执行环境,在TrustZone中实现TPM的计算和存储资源的fTPM运行在可信执行环境中的一个可信应用TA中,可信执行环境包括多个TA,也即可信执行环境包括多个fTPM实例,虚拟机的vfTPM的计算功能和实现依赖fTPM,也即虚拟机的vfTPM请求处理是在可信执行环境中实现的。基于此,虚拟机下发vfTPM请求到收到vfTPM请求处理结果的过程,可包括以下内容:First, please refer to Figure 2. Figure 2 is a schematic flow chart of a virtualization implementation method provided by an embodiment of the present application. The embodiment of the present application is applied to the ARM platform. Based on TrustZone trusted technology, the ARM execution environment may include a trusted execution environment and Rich execution environment, which can switch the ARM execution environment to a trusted execution environment or a rich execution environment by changing the value of the NS bit through the SMC instruction. For example, NS=0 for the trusted execution environment and NS=1 for the rich execution environment. The virtual machine is deployed in a rich execution environment. The fTPM that implements TPM computing and storage resources in TrustZone runs in a trusted application TA in the trusted execution environment. The trusted execution environment includes multiple TAs, that is, the trusted execution environment. Including multiple fTPM instances, the computing function and implementation of the virtual machine's vfTPM rely on fTPM, that is, the virtual machine's vfTPM request processing is implemented in a trusted execution environment. Based on this, the process from when a virtual machine sends a vfTPM request to when it receives the vfTPM request processing result may include the following:
S201:预先基于虚拟化类型,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理。S201: Based on the virtualization type, initialize the ARM platform running the target virtual machine configured with the vfTPM function in advance.
在本步骤中,虚拟化类型是指ARM平台所支持的虚拟化技术,或者是说ARM的虚拟化平台,虚拟化类型包括但并不限制于KVM(Kernel-based Virtual Machine,系统虚拟化模块)及Xen。富执行环境下发虚拟机创建指令,富执行环境同时为每个虚拟机分配唯一的标识信息,作为唯一标识该虚拟机的信息。响应该虚拟机创建指令,ARM平台在富执行环境和 可信执行环境同时执行创建操作,在富执行环境的应用层创建虚拟机,在可信执行环境创建与富执行环境的虚拟机对应的虚拟机可信执行环境实例及可信执行环境上下文,可信执行环境上下文用于处理对应在富执行环境的虚拟机的vfTPM请求。为了实现了fTPM在ARM平台上对虚拟机的支持,搭载在ARM平台的虚拟机的需要配置vfTPM(Virtual firmware Trusted Platform Module,虚拟的基于固件的可信平台模块)功能。ARM平台可运行多台虚拟机,各虚拟机可基于不同的虚拟化类型,目标虚拟机为运行于ARM平台的任意一台虚拟机,为了不引起歧义,本实施例将需要进行vfTPM计算的虚拟机也即下发vfTPM请求的虚拟机,称为目标虚拟机。目标虚拟机的数量可为多个,也可为1个,这均不影响本申请的实现。In this step, the virtualization type refers to the virtualization technology supported by the ARM platform, or the ARM virtualization platform. The virtualization type includes but is not limited to KVM (Kernel-based Virtual Machine, system virtualization module) and Xen. The rich execution environment issues virtual machine creation instructions, and the rich execution environment also assigns unique identification information to each virtual machine as information that uniquely identifies the virtual machine. In response to the virtual machine creation instruction, the ARM platform performs creation operations in the rich execution environment and the trusted execution environment simultaneously, creates a virtual machine in the application layer of the rich execution environment, and creates a virtual machine corresponding to the virtual machine in the rich execution environment in the trusted execution environment. The machine has a trusted execution environment instance and a trusted execution environment context. The trusted execution environment context is used to process vfTPM requests corresponding to virtual machines in the rich execution environment. In order to implement fTPM support for virtual machines on the ARM platform, the virtual machine mounted on the ARM platform needs to be configured with the vfTPM (Virtual firmware Trusted Platform Module, virtual firmware-based trusted platform module) function. The ARM platform can run multiple virtual machines, and each virtual machine can be based on different virtualization types. The target virtual machine is any virtual machine running on the ARM platform. In order not to cause ambiguity, this embodiment will require virtual machines for vfTPM calculation. The virtual machine that issues the vfTPM request is called the target virtual machine. The number of target virtual machines can be multiple or one, which does not affect the implementation of this application.
S202:当接收到目标虚拟机的目标vfTPM请求,将携带由目标虚拟机的虚拟物理地址所转换的真实物理地址、和目标虚拟机的标识信息的指令进行封装,并切换当前运行状态至可信执行环境。S202: When receiving the target vfTPM request of the target virtual machine, encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine, and switch the current running state to trusted execution environment.
对于完成初始化的ARM平台,运行于ARM平台的任何一台虚拟机均可下发vfTPM请求,以实现虚拟机vfTPM的计算功能。在富执行环境中,虚拟机的操作系统发送vfTPM请求,为了不引起歧义,目标虚拟机下发的vfTPM请求,本实施例称为目标vfTPM请求。虚拟机的操作系统内核将该vfTPM请求及虚拟机虚拟内存地址VA转换为虚拟机认为的虚拟机物理地址IPA,富执行环境的操作系统接收到该vfTPM请求,富执行环境的操作系统将虚拟机物理地址IPA转换为真实的物理地址,富执行环境的操作系统为系统层,实现运行状态切换的功能模块位于固件层,为了将请求命令跨层传输,需要先对请求命令也即包括转换后的真实物理地址与目标虚拟机的标识信息的命令进行参数化处理,也即通过固定函数以参数形式进行跨层传递。将转换后的真实物理地址与目标虚拟机的标识信息发送至固件层之后,固件层对真实物理地址与目标虚拟机的标识信息进行封装,封装完成之后,固件层通过执行SMC指令将当前运行环境切换至可信执行环境。For the ARM platform that has completed initialization, any virtual machine running on the ARM platform can issue a vfTPM request to realize the computing function of the virtual machine vfTPM. In a rich execution environment, the operating system of the virtual machine sends a vfTPM request. To avoid ambiguity, the vfTPM request issued by the target virtual machine is called the target vfTPM request in this embodiment. The operating system kernel of the virtual machine converts the vfTPM request and the virtual machine virtual memory address VA into the virtual machine physical address IPA considered by the virtual machine. The operating system of the rich execution environment receives the vfTPM request, and the operating system of the rich execution environment converts the vfTPM request and the virtual memory address VA of the virtual machine into the physical address IPA of the virtual machine. The physical address IPA is converted into a real physical address. The operating system of the rich execution environment is the system layer. The functional module that realizes the running state switching is located at the firmware layer. In order to transmit the request command across layers, the request command, including the converted The commands of the real physical address and the identification information of the target virtual machine are parameterized, that is, passed across layers in the form of parameters through fixed functions. After sending the converted real physical address and the identification information of the target virtual machine to the firmware layer, the firmware layer encapsulates the real physical address and the identification information of the target virtual machine. After the encapsulation is completed, the firmware layer executes the SMC instruction to convert the current operating environment Switch to a trusted execution environment.
S203:在可信执行环境中,根据标识信息,调用相应的目标虚拟机可信执行环境上下文对目标vfTPM请求进行处理,并发送携带处理结果的存储地址及标识信息的结果反馈指令。S203: In the trusted execution environment, according to the identification information, call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request, and send a result feedback instruction carrying the storage address and identification information of the processing result.
在上个步骤将当前运行环境切换为可信执行环境之后,可信执行环境获取封装后指令,通过解析该指令得到目标虚拟机的真实物理地址和目标虚拟机的标识信息。根据该标识信息,获取目标虚拟机创建时在可信执行环境中所分配的虚拟机可信执行环境实例及上下文,通过调用虚拟机可信执行环境实例及上下文对目标vfTPM请求进行vfTPM数据计算,得到处理结果,并存储该处理结果。将存储该处理结果的存储地址及目标虚拟机的标识信息作为结果反馈指令,发送至固件层,固件层在接收到结果反馈指令之后,将对结果反馈指令进行封 装,封装完成之后,固件层通过执行SMC指令将当前运行环境切换至富执行环境。为了提高效率,降低资源效率,可信执行环境分配共享内存,可将该处理结果存储至该共享内存中,相应的,结果反馈指令的存储地址即为共享内存地址。After switching the current running environment to a trusted execution environment in the previous step, the trusted execution environment obtains the encapsulated instruction and obtains the real physical address of the target virtual machine and the identification information of the target virtual machine by parsing the instruction. According to the identification information, obtain the virtual machine trusted execution environment instance and context assigned in the trusted execution environment when the target virtual machine is created, and perform vfTPM data calculation on the target vfTPM request by calling the virtual machine trusted execution environment instance and context. Obtain the processing result and store the processing result. The storage address storing the processing result and the identification information of the target virtual machine are sent to the firmware layer as the result feedback instruction. After receiving the result feedback instruction, the firmware layer will encapsulate the result feedback instruction. After the encapsulation is completed, the firmware layer passes Execute the SMC instruction to switch the current running environment to the rich execution environment. In order to improve efficiency and reduce resource efficiency, the trusted execution environment allocates shared memory, and the processing results can be stored in the shared memory. Correspondingly, the storage address of the result feedback instruction is the shared memory address.
S204:对结果反馈指令进行封装,并切换当前运行状态至富执行环境;在富执行环境,通过解析结果反馈指令得到存储地址和标识信息,按照标识信息,将转换后的存储地址发送至目标虚拟机。S204: Encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, obtain the storage address and identification information by parsing the result feedback instruction, and send the converted storage address to the target virtual machine according to the identification information. machine.
本步骤在切换运行环境至富执行环境之后,富执行环境的操作系统获取封装后的结果反馈指令,通过解析结果反馈指令获取存储地址和标识信息,富执行环境的操作系统将存储地址转换为虚拟机所认为的物理地址,基于标识信息将该物理地址发送至对应的目标虚拟机,目标虚拟机内核将该物理地址转换为虚拟机内存地址,并将该虚拟机内存地址传输至目标虚拟机的操作系统中,目标虚拟机基于该地址读取vfTPM请求的处理结果。In this step, after switching the running environment to the rich execution environment, the operating system of the rich execution environment obtains the encapsulated result feedback instruction, obtains the storage address and identification information by parsing the result feedback instruction, and the operating system of the rich execution environment converts the storage address into a virtual The physical address considered by the machine is sent to the corresponding target virtual machine based on the identification information. The target virtual machine kernel converts the physical address into a virtual machine memory address and transmits the virtual machine memory address to the target virtual machine. In the operating system, the target virtual machine reads the processing result of the vfTPM request based on this address.
在本申请实施例提供的技术方案中,对于不同虚拟化技术对ARM平台进行相应的初始化,从而可支持ARM平台的多种虚拟化技术的实现。富执行环境在接收到上层虚拟机下发的vfTPM请求之后,封装虚拟机转换所得的真实物理地址以及该虚拟机的标识,以便在切换至可信执行环境时被处理。状态切换之后,可信执行环境基于该标识调用相匹配的虚拟机上下文处理该请求,并将请求处理结果以及标识再次封装,切换至富执行环境之后,富执行环境将该vfTPM请求处理结果发送至该虚拟机,从而实现了fTPM在ARM平台上对虚拟机的支持,不仅可节约研发成本,还可提高云计算的产品的安全性。In the technical solution provided by the embodiment of this application, the ARM platform is initialized accordingly for different virtualization technologies, thereby supporting the implementation of multiple virtualization technologies of the ARM platform. After receiving the vfTPM request issued by the upper-layer virtual machine, the rich execution environment encapsulates the real physical address converted by the virtual machine and the identification of the virtual machine so that it can be processed when switching to the trusted execution environment. After the state switch, the trusted execution environment calls the matching virtual machine context to process the request based on the identifier, and encapsulates the request processing result and the identifier again. After switching to the rich execution environment, the rich execution environment sends the vfTPM request processing result to This virtual machine enables fTPM to support virtual machines on the ARM platform, which not only saves research and development costs, but also improves the security of cloud computing products.
需要说明的是,本申请中各步骤间没有严格的先后执行顺序,只要符合逻辑上的顺序,则这些步骤可以同时执行,也可按照某种预设顺序执行,图2只是一种示意方式,并不代表只能是这样的执行顺序。It should be noted that there is no strict order of execution between the steps in this application. As long as they comply with the logical order, these steps can be executed at the same time or in a certain preset order. Figure 2 is only a schematic method. It does not mean that this is the only execution order.
上述实施例对ARM平台的初始化流程并不做任何限定,本实施例还给出ARM平台的初始化的一种可选的实施方式,可包括下述内容:The above embodiment does not limit the initialization process of the ARM platform in any way. This embodiment also provides an optional implementation method for the initialization of the ARM platform, which may include the following:
ARM平台上电,并加载ARM平台的目标固件和可信执行环境操作系统。当可信执行环境操作系统启动,为可信执行环境操作系统配置内存并进行内存初始化处理;基于目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理。The ARM platform is powered on and the target firmware and trusted execution environment operating system of the ARM platform are loaded. When the trusted execution environment operating system starts, memory is configured for the trusted execution environment operating system and memory initialization is performed; based on the virtualization type to which the target virtual machine belongs, the rich execution environment is initialized.
其中,平台上电过程与ARM芯片及其固件有关,可基于现有流程进行平台上电。目标固件是指需要在ARM平台初始化过程中启动的固件,如开启TrustZone功能,加载Firmware/Secure Monitor固件管理模块。Among them, the platform power-on process is related to the ARM chip and its firmware, and the platform can be powered on based on the existing process. The target firmware refers to the firmware that needs to be started during the initialization process of the ARM platform, such as turning on the TrustZone function and loading the Firmware/Secure Monitor firmware management module.
现有技术通常将fTPM的持久化存储存放在REE侧,这会增加安全风险,为了提高安全性 能,本申请可将fTPM的存储保存在特殊的flash闪存上,使其只能在TEE中进行读取。相应的,对于可信执行环境操作系统配置内存并进行内存初始化处理的过程可包括:Existing technology usually stores the persistent storage of fTPM on the REE side, which increases security risks. In order to improve security performance, this application can store the storage of fTPM on a special flash memory so that it can only be read in the TEE. Pick. Correspondingly, for the trusted execution environment operating system, the process of configuring memory and performing memory initialization processing may include:
将可信执行环境操作系统的内存划分为运行内存和虚拟请求执行内存;在闪存芯片中,为可信执行环境操作系统配置用于实现vfTPM功能的专有内存;加载存储驱动器至可信执行环境操作系统中,利用存储驱动器对专有内存进行初始化处理,并对专有内存进行分区处理。Divide the memory of the trusted execution environment operating system into running memory and virtual request execution memory; configure the dedicated execution memory for the trusted execution environment operating system to implement the vfTPM function in the flash memory chip; load the storage driver to the trusted execution environment In the operating system, the storage driver is used to initialize the private memory and partition the private memory.
在本实施例,运行内存用于处理底层请求,运行内存负责处理底层的实现,如SMC指令处理,内存管理类,线程管理等。虚拟请求执行内存用于处理虚拟机的vfTPM请求,也即负责请求的处理、加载TA、执行TA等功能。专有内存是用于存储vfTPM的数据,如果专有内存足够大,每个虚拟机具有相应的分区存储自己的vfTPM数据,可预先为每个虚拟机在专有内存中分配一块存储区间,也即对专有内存进行分区处理。In this embodiment, the running memory is used to process the underlying requests, and the running memory is responsible for processing the underlying implementation, such as SMC instruction processing, memory management class, thread management, etc. The virtual request execution memory is used to process the vfTPM request of the virtual machine, that is, it is responsible for request processing, loading TA, executing TA and other functions. Private memory is used to store vfTPM data. If the private memory is large enough, each virtual machine has a corresponding partition to store its own vfTPM data. A storage area can be allocated in advance for each virtual machine in the private memory. That is, partitioning the private memory.
对于不同的虚拟化类型,富执行环境的初始化处理流程不同,举例来说,对于Xen,虚拟机监视器可作为一个虚拟机来使用,所以在初始化过程中需要将虚拟机监视器作为一个虚拟机进行相应的初始化处理。本实施例分别针对KVM和Xen,提供了相应的富执行环境的初始化流程,可包括下述内容:For different virtualization types, the initialization process of the rich execution environment is different. For example, for Xen, the virtual machine monitor can be used as a virtual machine, so the virtual machine monitor needs to be used as a virtual machine during the initialization process. Carry out corresponding initialization processing. This embodiment provides corresponding rich execution environment initialization processes for KVM and Xen respectively, which may include the following content:
若目标虚拟机采用QEMU KVM(Quick Emulator Kernal-based Virtual Machine,虚拟操作系统模拟器系统虚拟化模块)虚拟化技术,则完成对富执行环境操作系统的加载。If the target virtual machine uses QEMU KVM (Quick Emulator Kernal-based Virtual Machine, virtual operating system simulator system virtualization module) virtualization technology, the loading of the rich execution environment operating system is completed.
若目标虚拟机采用Xen虚拟化技术,则在启动BIOS的同时启动Xen虚拟化的镜像文件;在启动过程中,将虚拟机监视器作为具有预设标识的虚拟机,为虚拟机监视器分配对应的虚拟机可信执行环境实例及虚拟机可信执行环境上下文;通过虚拟机可信执行环境实例加载vfTPM可信应用;在vfTPM可信应用的加载过程中,利用存储驱动器对专有内存进行读写,并在专有内存中为Xen虚拟机监视器分配专属存储区域;将虚拟机监视器的vfTPM请求的处理结果返回至虚拟机监视器,启动虚拟机监视器。If the target virtual machine uses Xen virtualization technology, start the Xen virtualization image file while starting the BIOS; during the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine monitor is allocated The virtual machine trusted execution environment instance and the virtual machine trusted execution environment context; the vfTPM trusted application is loaded through the virtual machine trusted execution environment instance; during the loading process of the vfTPM trusted application, the storage driver is used to read the proprietary memory Write, and allocate a dedicated storage area for the Xen virtual machine monitor in the dedicated memory; return the processing result of the vfTPM request of the virtual machine monitor to the virtual machine monitor, and start the virtual machine monitor.
不可避免的,ARM平台需要创建虚拟机,上述实施例并未对虚拟机的创建进行限定,本申请还提供了虚拟机的一种可选的创建方式,可包括下述内容:Inevitably, the ARM platform needs to create a virtual machine. The above embodiment does not limit the creation of a virtual machine. This application also provides an optional creation method of a virtual machine, which may include the following:
富执行环境下发虚拟机创建指令,并为配置有vfTPM功能的目标虚拟机分配相应的标识信息;The rich execution environment issues virtual machine creation instructions and assigns corresponding identification information to the target virtual machine configured with the vfTPM function;
将标识信息和虚拟机创建指令进行封装,并切换当前运行状态至可信执行环境;Encapsulate the identification information and virtual machine creation instructions, and switch the current running state to a trusted execution environment;
在可信执行环境,可信执行环境操作系统基于虚拟机创建指令,为目标虚拟机分配目标虚拟机可信执行环境上下文、目标虚拟机可信执行环境实例和内存空间;通过目标虚拟机可 信执行环境实例加载vfTPM可信应用,启动TPM,并初始化内存空间和目标虚拟机的vfTPM;In the trusted execution environment, the trusted execution environment operating system allocates the target virtual machine trusted execution environment context, the target virtual machine trusted execution environment instance and the memory space to the target virtual machine based on the virtual machine creation instructions; through the target virtual machine trusted execution environment The execution environment instance loads the vfTPM trusted application, starts the TPM, and initializes the memory space and vfTPM of the target virtual machine;
将目标虚拟机的vfTPM的初始化结果和标识信息进行封装,并切换当前运行状态至富执行环境,以基于初始化结果,在富执行环境完成目标虚拟机的创建操作。Encapsulate the initialization result and identification information of the vfTPM of the target virtual machine, and switch the current running state to the rich execution environment to complete the creation of the target virtual machine in the rich execution environment based on the initialization result.
可选的,为了提高安全性能,针对现有技术将fTPM的持久化存储存放在REE侧所存在的安全风险,本申请可将fTPM的存储保存在特殊的flash闪存上,使其只能在TEE中进行读取。相应的,在虚拟机创建过程中的初始化内存空间的实现过程可包括:Optionally, in order to improve security performance, in view of the security risks of storing the persistent storage of fTPM on the REE side in the existing technology, this application can save the storage of fTPM on a special flash memory, so that it can only be stored on the TEE. read in. Correspondingly, the implementation process of initializing the memory space during the virtual machine creation process may include:
若目标虚拟机在闪存芯片中有相应的目标存储空间,则将目标存储空间分配给目标虚拟机的vfTPM功能;若目标虚拟机在闪存芯片中有相应的存储分区,则当闪存芯片的剩余存储空间大于预设空间阈值,通过存储驱动器为目标虚拟机的vfTPM功能分配目标存储空间;将目标存储空间与标识信息进行绑定。If the target virtual machine has a corresponding target storage space in the flash memory chip, the target storage space is allocated to the vfTPM function of the target virtual machine; if the target virtual machine has a corresponding storage partition in the flash memory chip, then when the remaining storage space of the flash memory chip is If the space is greater than the preset space threshold, allocate target storage space for the vfTPM function of the target virtual machine through the storage driver; bind the target storage space to the identification information.
其中,目标存储空间作为目标虚拟机的vfTPM的NVRAM;且目标存储空间的读写功能由目标虚拟机在可信执行环境中执行。预设空间阈值可根据实际应用场景进行灵活选择,本申请对此不做任何限定。通过在flash闪存芯片上进行分区,为每个虚拟机的vfTPM提供一个分区,用于进行NVRAM存储。作为TEEOS上的flash驱动程序,对flash的读写设置权限,只有在TEE侧才可操作,并且只有虚拟机才可操作对应虚拟机标识对应的flash分区即目标存储空间,有效提升整体安全性能。Among them, the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment. The preset spatial threshold can be flexibly selected according to actual application scenarios, and this application does not impose any restrictions on this. By partitioning on the flash memory chip, each virtual machine's vfTPM is provided with a partition for NVRAM storage. As a flash driver on TEEOS, the read and write permissions for flash can only be operated on the TEE side, and only the virtual machine can operate the flash partition corresponding to the corresponding virtual machine ID, that is, the target storage space, effectively improving the overall security performance.
实际应用场景中,虚拟机创建之后,并不是一直处于运行状态中,会根据实际需求将虚拟机设置为运行状态或者销毁已创建的虚拟机,为了提高实用性,提升用户使用体验,基于上述实施例,本申请还提供了虚拟机销毁实现方式,可包括下述内容:In actual application scenarios, after a virtual machine is created, it is not always in a running state. The virtual machine will be set to a running state or the created virtual machine will be destroyed according to actual needs. In order to improve practicality and user experience, based on the above implementation For example, this application also provides a virtual machine destruction implementation method, which can include the following content:
当接收到虚拟机销毁指令,在富执行环境中,通过解析虚拟机销毁指令,得到获取待销毁虚拟机的销毁标识;When a virtual machine destruction instruction is received, in the rich execution environment, the destruction identification of the virtual machine to be destroyed is obtained by parsing the virtual machine destruction instruction;
将参数化处理的虚拟机销毁指令以及销毁标识进行封装,并切换当前运行状态为可信执行环境;Encapsulate the parameterized virtual machine destruction instructions and destruction identifiers, and switch the current running state to a trusted execution environment;
在可信执行环境中,可信执行环境操作系统基于销毁标识,将虚拟机销毁指令发送至待销毁虚拟机对应的销毁虚拟机可信执行环境实例;销毁虚拟机可信执行环境实例删除销毁虚拟机可信执行环境上下文,并删除待销毁虚拟机对应在闪存芯片的存储分区;反馈携带销毁标识的虚拟机销毁完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed based on the destruction identification; the destroyed virtual machine trusted execution environment instance deletes the destroyed virtual machine The machine trusts the execution environment context, and deletes the storage partition of the flash memory chip corresponding to the virtual machine to be destroyed; feeds back the virtual machine destruction completion instruction carrying the destruction identification;
将参数化处理的虚拟机销毁完成指令以及销毁标识进行封装,并切换当前运行状态为富执行环境;Encapsulate the parameterized virtual machine destruction completion instructions and destruction identification, and switch the current running state to a rich execution environment;
在富执行环境中,根据虚拟机销毁完成指令和销毁标识,删除待销毁虚拟机。In the rich execution environment, the virtual machine to be destroyed is deleted according to the virtual machine destruction completion instruction and destruction identification.
在本实施例中,为了不引起歧义,将需要进行销毁的虚拟机称为待销毁虚拟机,将待销毁虚拟机的标识信息称为销毁标识。待销毁虚拟机对应在可信执行环境中的虚拟机实例及上下文称为销毁虚拟机可信执行环境实例,销毁虚拟机可信执行环境上下文。In this embodiment, to avoid ambiguity, the virtual machine that needs to be destroyed is called a virtual machine to be destroyed, and the identification information of the virtual machine to be destroyed is called a destruction identification. The virtual machine instance and context corresponding to the virtual machine to be destroyed in the trusted execution environment are called the destroyed virtual machine trusted execution environment instance, and the virtual machine trusted execution environment context is destroyed.
实际应用场景中,虚拟机创建之后,并不是一直处于运行状态中,会根据实际需求将虚拟机设置为运行状态或者是处于关闭状态,为了提高实用性,提升用户使用体验,基于上述实施例,本申请还提供了虚拟机关闭的实现方式,可包括下述内容:In actual application scenarios, after a virtual machine is created, it is not always in a running state. The virtual machine will be set to a running state or shut down according to actual needs. In order to improve practicality and user experience, based on the above embodiment, This application also provides a method for shutting down the virtual machine, which may include the following:
当接收到虚拟机关闭指令,在富执行环境中,通过解析虚拟机关闭指令,得到获取待关闭虚拟机的关闭标识;When receiving a virtual machine shutdown instruction, in the rich execution environment, by parsing the virtual machine shutdown instruction, the shutdown identifier of the virtual machine to be shut down is obtained;
将参数化处理的虚拟机关闭指令以及关闭标识进行封装,并切换当前运行状态为可信执行环境;Encapsulate the parameterized virtual machine shutdown instructions and shutdown flags, and switch the current running state to a trusted execution environment;
在可信执行环境中,可信执行环境操作系统基于关闭标识,将虚拟机关闭指令发送至待关闭虚拟机对应的关闭虚拟机可信执行环境实例;关闭虚拟机可信执行环境实例删除关闭虚拟机可信执行环境上下文,并更新关闭虚拟机在可信执行环境中的vfTPM;反馈携带关闭标识的虚拟机关闭完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down based on the shutdown identifier; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine Machine trusted execution environment context, and update the vfTPM that shuts down the virtual machine in the trusted execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag;
将参数化处理的虚拟机关闭完成指令以及关闭标识进行封装,并切换当前运行状态为富执行环境;Encapsulate the parameterized virtual machine shutdown completion instructions and shutdown flags, and switch the current running state to a rich execution environment;
在富执行环境中,根据虚拟机关闭完成指令和关闭标识,关闭待关闭虚拟机。In a rich execution environment, the virtual machine to be shut down is shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
在本实施例中,为了不引起歧义,将需要进行关闭的虚拟机称为待关闭虚拟机,将待关闭虚拟机的标识信息称为关闭标识。待关闭虚拟机对应在可信执行环境中的虚拟机实例及上下文称为关闭虚拟机可信执行环境实例,关闭虚拟机可信执行环境上下文。In this embodiment, in order to avoid ambiguity, the virtual machine that needs to be shut down is called a virtual machine to be shut down, and the identification information of the virtual machine to be shut down is called a shutdown identifier. The virtual machine instance and context corresponding to the virtual machine to be shut down in the trusted execution environment are called the closed virtual machine trusted execution environment instance, and the virtual machine trusted execution environment context is closed.
本申请实施例还针对虚拟化实现方法提供了相应的装置,使得方法更具有实用性。其中,装置可从功能模块的角度和硬件的角度分别说明。下面对本申请实施例提供的虚拟化实现装置进行介绍,下文描述的虚拟化实现装置与上文描述的虚拟化实现方法可相互对应参照。The embodiments of the present application also provide corresponding devices for the virtualization implementation method, making the method more practical. Among them, the device can be described separately from the perspective of functional modules and the perspective of hardware. The virtualization implementation device provided by the embodiment of the present application is introduced below. The virtualization implementation device described below and the virtualization implementation method described above may be mutually referenced.
基于功能模块的角度,参见图3,图3为本申请实施例提供的虚拟化实现装置在一种可选的实施方式下的结构图,该装置可包括:From the perspective of functional modules, see Figure 3. Figure 3 is a structural diagram of a virtualization implementation device provided by an embodiment of the present application in an optional implementation manner. The device may include:
初始化处理模块301,被设置为预先基于虚拟化类型,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理;The initialization processing module 301 is configured to perform initialization processing on the ARM platform running the target virtual machine configured with the vfTPM function based on the virtualization type in advance;
虚拟化请求下发模块302,被设置为当接收到目标虚拟机的目标vfTPM请求,将携带由目标虚拟机的虚拟物理地址所转换的真实物理地址、和目标虚拟机的标识信息的指令进行封 装,并切换当前运行状态至可信执行环境;The virtualization request issuing module 302 is configured to encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine when receiving the target vfTPM request of the target virtual machine. , and switch the current running state to a trusted execution environment;
虚拟化请求处理模块303,被设置为在可信执行环境中,根据标识信息,调用相应的目标虚拟机可信执行环境上下文对目标vfTPM请求进行处理,并发送携带处理结果的存储地址及标识信息的结果反馈指令;The virtualization request processing module 303 is configured to call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request according to the identification information in the trusted execution environment, and send the storage address and identification information carrying the processing results. Result feedback instructions;
处理结果反馈模块304,被设置为对结果反馈指令进行封装,并切换当前运行状态至富执行环境;在富执行环境,通过解析结果反馈指令得到存储地址和标识信息,按照标识信息,将转换后的存储地址发送至目标虚拟机。The processing result feedback module 304 is configured to encapsulate the result feedback instruction and switch the current running state to the rich execution environment; in the rich execution environment, the storage address and identification information are obtained by parsing the result feedback instruction, and according to the identification information, the converted The storage address is sent to the target virtual machine.
可选的,在本实施例的一些实施方式中,上述装置还可以包括存储模块,被设置为将处理结果存储至共享内存中。Optionally, in some implementations of this embodiment, the above device may further include a storage module configured to store the processing results in the shared memory.
可选的,在本实施例的另一些实施方式中,上述初始化处理模块301还可包括:ARM平台上电,并加载ARM平台的目标固件和可信执行环境操作系统;当可信执行环境操作系统启动,为可信执行环境操作系统配置内存并进行内存初始化处理;基于目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理。Optionally, in other implementations of this embodiment, the above-mentioned initialization processing module 301 may also include: powering on the ARM platform and loading the target firmware of the ARM platform and the trusted execution environment operating system; when the trusted execution environment operates The system starts, configures memory for the trusted execution environment operating system and performs memory initialization processing; based on the virtualization type of the target virtual machine, the rich execution environment is initialized.
作为上述实施例的一种可选的实施方式,上述初始化处理模块301还可用于:将可信执行环境操作系统的内存划分为运行内存和虚拟请求执行内存;运行内存用于处理底层请求,虚拟请求执行内存用于处理虚拟机的vfTPM请求;在闪存芯片中,为可信执行环境操作系统配置用于实现vfTPM功能的专有内存;加载存储驱动器至可信执行环境操作系统中,利用存储驱动器对专有内存进行初始化处理,并对专有内存进行分区处理。As an optional implementation of the above embodiment, the above-mentioned initialization processing module 301 can also be used to: divide the memory of the trusted execution environment operating system into running memory and virtual request execution memory; the running memory is used to process underlying requests, virtual request The requested execution memory is used to process the vfTPM request of the virtual machine; in the flash memory chip, a dedicated memory for implementing the vfTPM function is configured for the trusted execution environment operating system; the storage driver is loaded into the trusted execution environment operating system, and the storage driver is used Initialize the private memory and partition the private memory.
作为上述实施例的另一种可选的实施方式,上述初始化处理模块301还可被设置为:若目标虚拟机采用QEMU KVM虚拟化技术,则完成对富执行环境操作系统的加载。As another optional implementation of the above embodiment, the above-mentioned initialization processing module 301 can also be set to: if the target virtual machine adopts QEMU KVM virtualization technology, complete the loading of the rich execution environment operating system.
作为上述实施例的再一种可选的实施方式,上述初始化处理模块301还可被设置为:若目标虚拟机采用Xen虚拟化技术,则在启动BIOS的同时启动Xen虚拟化的镜像文件;在启动过程中,将虚拟机监视器作为具有预设标识的虚拟机,为虚拟机监视器分配对应的虚拟机可信执行环境实例及虚拟机可信执行环境上下文;通过虚拟机可信执行环境实例加载vfTPM可信应用;在vfTPM可信应用的加载过程中,利用存储驱动器对专有内存进行读写,并在专有内存中为Xen虚拟机监视器分配专属存储区域;将虚拟机监视器的vfTPM请求的处理结果返回至虚拟机监视器,启动虚拟机监视器。As another optional implementation of the above embodiment, the above-mentioned initialization processing module 301 can also be set to: if the target virtual machine adopts Xen virtualization technology, start the Xen virtualization image file while starting the BIOS; During the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine trusted execution environment instance and virtual machine trusted execution environment context are assigned to the virtual machine monitor; through the virtual machine trusted execution environment instance Load the vfTPM trusted application; during the loading process of the vfTPM trusted application, use the storage driver to read and write the private memory, and allocate a dedicated storage area for the Xen virtual machine monitor in the private memory; change the virtual machine monitor's The processing result of the vfTPM request is returned to the virtual machine monitor, and the virtual machine monitor is started.
可选的,在本实施例的其他一些实施方式中,上述装置例如还可以包括虚拟机创建模块,被设置为富执行环境下发虚拟机创建指令,并为配置有vfTPM功能的目标虚拟机分配相应的标识信息;将标识信息和虚拟机创建指令进行封装,并切换当前运行状态至可信执行环 境;在可信执行环境,可信执行环境操作系统基于虚拟机创建指令,为目标虚拟机分配目标虚拟机可信执行环境上下文、目标虚拟机可信执行环境实例和内存空间;通过目标虚拟机可信执行环境实例加载vfTPM可信应用,启动TPM,并初始化内存空间和目标虚拟机的vfTPM;将目标虚拟机的vfTPM的初始化结果和标识信息进行封装,并切换当前运行状态至富执行环境,以基于初始化结果,在富执行环境完成目标虚拟机的创建操作。Optionally, in some other implementations of this embodiment, the above-mentioned device may also include a virtual machine creation module, configured to issue virtual machine creation instructions for a rich execution environment, and allocate the target virtual machine configured with the vfTPM function. Corresponding identification information; encapsulate the identification information and virtual machine creation instructions, and switch the current running state to the trusted execution environment; in the trusted execution environment, the trusted execution environment operating system allocates the target virtual machine to the target virtual machine based on the virtual machine creation instructions. The target virtual machine trusted execution environment context, the target virtual machine trusted execution environment instance and the memory space; load the vfTPM trusted application through the target virtual machine trusted execution environment instance, start the TPM, and initialize the memory space and the vfTPM of the target virtual machine; Encapsulate the initialization result and identification information of the vfTPM of the target virtual machine, and switch the current running state to the rich execution environment to complete the creation of the target virtual machine in the rich execution environment based on the initialization result.
作为上述实施例的一种可选的实施方式,上述虚拟机创建模块还可被设置为:若目标虚拟机在闪存芯片中有相应的目标存储空间,则将目标存储空间分配给目标虚拟机的vfTPM功能;若目标虚拟机在闪存芯片中有相应的存储分区,则当闪存芯片的剩余存储空间大于预设空间阈值,通过存储驱动器为目标虚拟机的vfTPM功能分配目标存储空间;将目标存储空间与标识信息进行绑定;其中,目标存储空间作为目标虚拟机的vfTPM的NVRAM;且目标存储空间的读写功能由目标虚拟机在可信执行环境中执行。As an optional implementation of the above embodiment, the above virtual machine creation module may also be configured to: if the target virtual machine has a corresponding target storage space in the flash memory chip, allocate the target storage space to the target virtual machine. vfTPM function; if the target virtual machine has a corresponding storage partition in the flash memory chip, when the remaining storage space of the flash memory chip is greater than the preset space threshold, the target storage space is allocated for the vfTPM function of the target virtual machine through the storage driver; the target storage space is It is bound with the identification information; the target storage space is used as the NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in a trusted execution environment.
可选的,在本实施例的其他一些实施方式中,上述装置例如还可以包括虚拟机销毁模块,被设置为当接收到虚拟机销毁指令,在富执行环境中,通过解析虚拟机销毁指令,得到获取待销毁虚拟机的销毁标识;将参数化处理的虚拟机销毁指令以及销毁标识进行封装,并切换当前运行状态为可信执行环境;在可信执行环境中,可信执行环境操作系统基于销毁标识,将虚拟机销毁指令发送至待销毁虚拟机对应的销毁虚拟机可信执行环境实例;销毁虚拟机可信执行环境实例删除销毁虚拟机可信执行环境上下文,并删除待销毁虚拟机对应在闪存芯片的存储分区;反馈携带销毁标识的虚拟机销毁完成指令;将参数化处理的虚拟机销毁完成指令以及销毁标识进行封装,并切换当前运行状态为富执行环境;在富执行环境中,根据虚拟机销毁完成指令和销毁标识,删除待销毁虚拟机。Optionally, in some other implementations of this embodiment, the above-mentioned device may also include a virtual machine destruction module, for example, which is configured to, when a virtual machine destruction instruction is received, in the rich execution environment, by parsing the virtual machine destruction instruction, Obtain the destruction identification of the virtual machine to be destroyed; encapsulate the parameterized virtual machine destruction instruction and destruction identification, and switch the current running state to a trusted execution environment; in the trusted execution environment, the trusted execution environment operating system is based on Destroy the identifier and send the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed; destroy the virtual machine trusted execution environment instance to delete the virtual machine trusted execution environment context and delete the corresponding virtual machine to be destroyed In the storage partition of the flash memory chip; feedback the virtual machine destruction completion instruction carrying the destruction identification; encapsulate the parameterized virtual machine destruction completion instruction and destruction identification, and switch the current running state to the rich execution environment; in the rich execution environment, Delete the virtual machine to be destroyed according to the virtual machine destruction completion instruction and destruction identification.
可选的,在本实施例的其他一些实施方式中,上述装置例如还可以包括虚拟机关闭模块,被设置为当接收到虚拟机关闭指令,在富执行环境中,通过解析虚拟机关闭指令,得到获取待关闭虚拟机的关闭标识;将参数化处理的虚拟机关闭指令以及关闭标识进行封装,并切换当前运行状态为可信执行环境;在可信执行环境中,可信执行环境操作系统基于关闭标识,将虚拟机关闭指令发送至待关闭虚拟机对应的关闭虚拟机可信执行环境实例;关闭虚拟机可信执行环境实例删除关闭虚拟机可信执行环境上下文,并更新关闭虚拟机在可信执行环境中的vfTPM;反馈携带关闭标识的虚拟机关闭完成指令;将参数化处理的虚拟机关闭完成指令以及关闭标识进行封装,并切换当前运行状态为富执行环境;在富执行环境中,根据虚拟机关闭完成指令和关闭标识,关闭待关闭虚拟机。Optionally, in some other implementations of this embodiment, the above-mentioned device may also include a virtual machine shutdown module, which is configured to, when receiving a virtual machine shutdown instruction, in a rich execution environment, by parsing the virtual machine shutdown instruction, Obtain the shutdown identifier of the virtual machine to be shut down; encapsulate the parameterized virtual machine shutdown instruction and shutdown identifier, and switch the current running state to a trusted execution environment; in the trusted execution environment, the trusted execution environment operating system is based on Shut down the identifier and send the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down; the shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine trusted execution environment context, and updates the shutdown virtual machine in the trustable execution environment instance. vfTPM in the execution environment; feedback the virtual machine shutdown completion instruction carrying the shutdown flag; encapsulate the parameterized virtual machine shutdown completion instruction and shutdown flag, and switch the current running state to the rich execution environment; in the rich execution environment, Shut down the virtual machine to be shut down according to the virtual machine shutdown completion instruction and shutdown identifier.
本申请实施例虚拟化实现装置的各功能模块的功能可根据上述方法实施例中的方法实 现,其实现过程可以参照上述方法实施例的相关描述,此处不再赘述。The functions of each functional module of the virtualization implementation device in the embodiment of this application can be implemented according to the method in the above method embodiment. The implementation process can be referred to the relevant description of the above method embodiment, and will not be described again here.
由上可知,本申请实施例可实现ARM平台的虚拟机的TPM功能。It can be seen from the above that the embodiments of the present application can realize the TPM function of the virtual machine of the ARM platform.
上文中提到的虚拟化实现装置是从功能模块的角度描述,可选的,本申请还提供一种电子设备,是从硬件角度描述。图4为本申请实施例提供的电子设备在一种实施方式下的结构示意图。如图4所示,该电子设备包括存储器40,被设置为存储计算机程序;处理器41,被设置为执行计算机程序时实现如上述任一实施例提到的虚拟化实现方法的步骤。The virtualization implementation device mentioned above is described from the perspective of functional modules. Optionally, this application also provides an electronic device, which is described from the perspective of hardware. FIG. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present application in an implementation manner. As shown in Figure 4, the electronic device includes a memory 40, which is configured to store a computer program; and a processor 41, which is configured to implement the steps of the virtualization implementation method mentioned in any of the above embodiments when executing the computer program.
其中,处理器41可以包括一个或多个处理核心,比如4核心处理器、8核心处理器,处理器41还可为控制器、微控制器、微处理器或其他数据处理芯片等。处理器41可以采用DSP(Digital Signal Processing,数字信号处理)、FPGA(Field-Programmable Gate Array,现场可编程门阵列)、PLA(Programmable Logic Array,可编程逻辑阵列)中的至少一种硬件形式来实现。处理器41也可以包括主处理器和协处理器,主处理器是被设置为对在唤醒状态下的数据进行处理的处理器,也称CPU(Central Processing Unit,中央处理器);协处理器是被设置为对在待机状态下的数据进行处理的低功耗处理器。在一些实施例中,处理器41可以集成有GPU(Graphics Processing Unit,图像处理器),GPU被设置为负责显示屏所需要显示的内容的渲染和绘制。一些实施例中,处理器41还可以包括AI(Artificial Intelligence,人工智能)处理器,该AI处理器被设置为处理有关机器学习的计算操作。The processor 41 may include one or more processing cores, such as a 4-core processor or an 8-core processor. The processor 41 may also be a controller, a microcontroller, a microprocessor or other data processing chips. The processor 41 can adopt at least one hardware form among DSP (Digital Signal Processing, digital signal processing), FPGA (Field-Programmable Gate Array, field programmable gate array), and PLA (Programmable Logic Array, programmable logic array). accomplish. The processor 41 may also include a main processor and a co-processor. The main processor is a processor configured to process data in the wake-up state, also called a CPU (Central Processing Unit, central processing unit); a co-processor It is a low-power processor configured to process data in standby mode. In some embodiments, the processor 41 may be integrated with a GPU (Graphics Processing Unit, image processor), and the GPU is configured to be responsible for rendering and drawing content that needs to be displayed on the display screen. In some embodiments, the processor 41 may also include an AI (Artificial Intelligence, artificial intelligence) processor, which is configured to process computing operations related to machine learning.
存储器40可以包括一个或多个计算机非易失性可读存储介质,该计算机非易失性可读存储介质可以是非暂态的。存储器40还可包括高速随机存取存储器以及非易失性存储器,比如一个或多个磁盘存储设备、闪存存储设备。存储器40在一些实施例中可以是电子设备的内部存储单元,例如服务器的硬盘。存储器40在另一些实施例中也可以是电子设备的外部存储设备,例如服务器上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。可选的,存储器40还可以既包括电子设备的内部存储单元也包括外部存储设备。存储器40不仅可以被设置为存储安装于电子设备的应用软件及各类数据,例如:执行vfTPM计算处理方法的程序的代码等,还可以被设置为暂时地存储已经输出或者将要输出的数据。本实施例中,存储器40至少被设置为存储以下计算机程序401,其中,该计算机程序被处理器41加载并执行之后,能够实现前述任一实施例公开的虚拟化实现方法的相关步骤。另外,存储器40所存储的资源还可以包括操作系统402和数据403等,存储方式可以是短暂存储或者永久存储。其中,操作系统402可以包括Windows、Unix、Linux等。数据403可以包括但不限于虚拟化实现结果对应的数据等。Memory 40 may include one or more computer non-volatile readable storage media, which may be non-transitory. The memory 40 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices and flash memory storage devices. The memory 40 in some embodiments may be an internal storage unit of the electronic device, such as a hard drive of a server. In other embodiments, the memory 40 may also be an external storage device of an electronic device, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, or a flash memory equipped on a server. Flash Card, etc. Optionally, the memory 40 may also include both an internal storage unit of the electronic device and an external storage device. The memory 40 may not only be configured to store application software installed on the electronic device and various types of data, such as codes for programs that execute vfTPM calculation processing methods, etc., but may also be configured to temporarily store data that has been output or is to be output. In this embodiment, the memory 40 is at least configured to store the following computer program 401. After the computer program is loaded and executed by the processor 41, the relevant steps of the virtualization implementation method disclosed in any of the foregoing embodiments can be implemented. In addition, the resources stored in the memory 40 may also include the operating system 402, data 403, etc., and the storage method may be short-term storage or permanent storage. Among them, the operating system 402 may include Windows, Unix, Linux, etc. Data 403 may include but is not limited to data corresponding to virtualization implementation results, etc.
在一些实施例中,上述电子设备还可包括有显示屏42、输入输出接口43、通信接口44或 者称为网络接口、电源45以及通信总线46。其中,显示屏42、输入输出接口43比如键盘(Keyboard)属于用户接口,可选的用户接口还可以包括标准的有线接口、无线接口等。可选地,在一些实施例中,显示器可以是LED显示器、液晶显示器、触控式液晶显示器以及OLED(Organic Light-Emitting Diode,有机发光二极管)触摸器等。显示器也可以适当的称为显示屏或显示单元,被设置为显示在电子设备中处理的信息以及被设置为显示可视化的用户界面。通信接口44可选的可以包括有线接口和/或无线接口,如WI-FI接口、蓝牙接口等,通常被设置为在电子设备与其他电子设备之间建立通信连接。通信总线46可以是外设部件互连标准(peripheral component interconnect,简称PCI)总线或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。该总线可以分为地址总线、数据总线、控制总线等。为便于表示,图4中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。In some embodiments, the above-mentioned electronic device may also include a display screen 42, an input and output interface 43, a communication interface 44 or a network interface, a power supply 45 and a communication bus 46. Among them, the display screen 42 and the input/output interface 43 such as a keyboard belong to the user interface, and optional user interfaces may also include standard wired interfaces, wireless interfaces, etc. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-controlled liquid crystal display, an OLED (Organic Light-Emitting Diode, organic light-emitting diode) touch device, etc. The display, which may also appropriately be called a display screen or display unit, is configured to display information processed in the electronic device and is configured to display a visual user interface. The communication interface 44 may optionally include a wired interface and/or a wireless interface, such as a WI-FI interface, a Bluetooth interface, etc., and is usually configured to establish communication connections between electronic devices and other electronic devices. The communication bus 46 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc. The bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 4, but it does not mean that there is only one bus or one type of bus.
本领域技术人员可以理解,图4中示出的结构并不构成对该电子设备的限定,可以包括比图示更多或更少的组件,例如还可包括实现各类功能的传感器47。Those skilled in the art can understand that the structure shown in FIG. 4 does not limit the electronic device, and may include more or fewer components than shown, for example, it may also include sensors 47 that implement various functions.
本申请实施例电子设备的各功能模块的功能可根据上述方法实施例中的方法实现,其实现过程可以参照上述方法实施例的相关描述,此处不再赘述。The functions of each functional module of the electronic device in the embodiment of the present application can be implemented according to the method in the above method embodiment, and the implementation process can be referred to the relevant description of the above method embodiment, which will not be described again here.
由上可知,本申请实施例可实现ARM平台的虚拟机的TPM功能。It can be seen from the above that the embodiments of the present application can realize the TPM function of the virtual machine of the ARM platform.
可以理解的是,如果上述实施例中的虚拟化实现方法以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,执行本申请各个实施例方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、电可擦除可编程ROM、寄存器、硬盘、多媒体卡、卡型存储器(例如SD或DX存储器等)、磁性存储器、可移动磁盘、CD-ROM、磁碟或者光盘等各种可以存储程序代码的介质。It can be understood that if the virtualization implementation method in the above embodiment is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , execute all or part of the steps of the methods of various embodiments of this application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), electrically erasable programmable ROM, register, hard disk, multimedia Cards, card-type memories (such as SD or DX memories, etc.), magnetic memories, removable disks, CD-ROMs, magnetic disks or optical disks and other media that can store program codes.
基于此,本申请实施例还提供了一种非易失性可读存储介质,存储有计算机程序,计算机程序被处理器执行时如上任意一实施例虚拟化实现方法的步骤。Based on this, embodiments of the present application also provide a non-volatile readable storage medium that stores a computer program. When the computer program is executed by the processor, the steps of the virtualization implementation method in any of the above embodiments are performed.
本申请实施例最后还提供了一种ARM平台,请参阅图5,ARM平台用于执行计算机程序时实现如上任意一个实施例的虚拟化实现方法的步骤,ARM平台可包括应用层501、系统层502、虚拟化层503和固件层504。Finally, the embodiment of the present application also provides an ARM platform. Please refer to Figure 5. The ARM platform is used to implement the steps of the virtualization implementation method of any of the above embodiments when executing a computer program. The ARM platform may include an application layer 501, a system layer 502, virtualization layer 503 and firmware layer 504.
其中,应用层501可包括位于富执行环境中的多个虚拟机应用程序,和位于可信执行环境的可信应用集,可信应用集包括用于实现vfTPM功能的可信应用。系统层502可包括位于富执行环境中的宿主机处理模块和位于可信执行环境的可信管理模块。虚拟化层503包括位于富执行环境中的虚拟机监视器。固件层504可包括固件处理模块,固件处理模块被设置为接收宿主机处理模块、虚拟机监视器和可信管理模块的指令;固件层504同时执行运行状态的切换,并在执行运行状态切换过程中转发接收指令中的虚拟机标识信息。The application layer 501 may include multiple virtual machine applications located in a rich execution environment, and a trusted application set located in a trusted execution environment. The trusted application set includes trusted applications used to implement vfTPM functions. The system layer 502 may include a host processing module located in a rich execution environment and a trusted management module located in a trusted execution environment. Virtualization layer 503 includes a virtual machine monitor located in a rich execution environment. The firmware layer 504 may include a firmware processing module, which is configured to receive instructions from the host processing module, the virtual machine monitor, and the trusted management module; the firmware layer 504 simultaneously performs running state switching, and performs the running state switching process. forward the virtual machine identification information in the received instruction.
在本实施例中,同时支持KVM(Kernel-based Virtual Machine,系统虚拟化模块)及Xen虚拟化技术。基于此,宿主机处理模块针对在KVM虚拟化实现过程中,实现对虚拟机的内存地址转换。也就是说,宿主机处理模块完成IPA与PA之间转换,是ARM虚拟化实现中stage2的实现。在请求也即虚拟机操作系统发送的vfTPM请求阶段,通过宿主机处理模块将虚拟机操作系统也即GustOS的请求命令及转换后的物理内存地址进行参数化,也即通过固定函数以参数形式从系统层跨层传递至固件层,附带虚拟机标识符VMID传递给固件层504的固件处理模块,在接受请求也即响应固件处理模块的请求时,将接收固件处理模块转发过来的vfTPM请求处理结果,根据VMID转发给对应的虚拟机。In this embodiment, both KVM (Kernel-based Virtual Machine, system virtualization module) and Xen virtualization technology are supported. Based on this, the host processing module is designed to realize memory address translation of the virtual machine during the KVM virtualization implementation process. In other words, the host processing module completes the conversion between IPA and PA, which is the implementation of stage 2 in ARM virtualization implementation. In the request stage, that is, the vfTPM request sent by the virtual machine operating system, the request command of the virtual machine operating system, that is, GustOS, and the converted physical memory address are parameterized through the host processing module, that is, through a fixed function in the form of parameters. The system layer is passed across layers to the firmware layer, and the virtual machine identifier VMID is passed to the firmware processing module of the firmware layer 504. When accepting the request, that is, responding to the request of the firmware processing module, the vfTPM request processing result forwarded by the firmware processing module will be received. , forwarded to the corresponding virtual machine according to the VMID.
虚拟机监视器也即Hypervisor,针对Xen虚拟化实现过程中,虚拟机监视器在ARM虚拟化中实现的stage2翻译过程,将IPA地址翻译成PA地址。在请求也即也即虚拟机操作系统发送的vfTPM请求阶段,通过Hypervisor将GuestOS的请求参数,内存地址参数化,附加VMID传递给固件处理模块,在接收阶段,将接收固件处理模块转发过来的vfTPM处理结果,根据VMID转发给对应的虚拟机或者Xen Hypervisor本身。与KVM不同的是,XenHypervisor的VMID=0,代表Hypervisor本身,Hypervisor的请求与虚拟机请求保持一致,但是其没有stage2翻译过程。The virtual machine monitor, also known as the Hypervisor, translates the IPA address into a PA address during the stage2 translation process implemented by the virtual machine monitor in ARM virtualization during the Xen virtualization implementation process. In the request stage, that is, the vfTPM request sent by the virtual machine operating system, the request parameters and memory address of the GuestOS are parameterized through the hypervisor, and the attached VMID is passed to the firmware processing module. In the receiving stage, the vfTPM forwarded by the firmware processing module is received. The processing results are forwarded to the corresponding virtual machine or the Xen Hypervisor itself according to the VMID. Different from KVM, the VMID of XenHypervisor=0, which represents the Hypervisor itself. The Hypervisor's request is consistent with the virtual machine request, but it does not have a stage2 translation process.
固件层504的固件处理模块接受宿主机处理模块,Hypervisor,可信管理模块的请求,通过SMC指令,更改NS位的值,切换TEE或REE运行环境,在SMC请求转换的过程中将附带接收的VMID一起传递转发。The firmware processing module of the firmware layer 504 accepts requests from the host processing module, Hypervisor, and trusted management module. Through SMC instructions, it changes the value of the NS bit and switches the TEE or REE operating environment. During the conversion process of the SMC request, the received VMID is passed together for forwarding.
本实施例通过对可信执行环境操作系统TEEOS进行改造,完成了TEEOS对虚拟化的支持,在TEE侧包括可信管理模块和和可信应用集,可信应用集包括用于实现vfTPM功能的多个可信应用,每个可信应用中内置fTPM模块,从而在可信执行环境中运行多个fTPM实例。fTPM模块,也即vfTPM模块,被设置为作为虚拟机使用的fTPM的一种实现方式,其实现了计算的虚拟化和持久化存储的虚拟化,vfTPM的计算功能的实现可采用任何一种现有技术,本申请对此不做任何限定。可信管理模块可包括存储驱动器和虚拟机数据处理模块,虚拟机数据处理 模块可为图6所示的vmContext模块,虚拟机数据处理模块与虚拟机一一对应,也即一个虚拟机对应有一个虚拟机数据处理模块,该模块被设置为对相应虚拟机的vfTPM请求进行处理,存储有相应虚拟机的虚拟机可信执行环境实例及其上下文。本实施例的可信管理模块是在原有TEEOS的基础上进行改进,可选的,将原有的TEEOS实例分为两部分,一部分可称为运行内存Nexus,一部分称为虚拟请求执行内存vm部分,运行内存部分负责处理底层的实现,如SMC指令处理,内存管理类,线程管理等。虚拟请求执行内存负责请求的处理、加载TA、执行TA等功能,如图7所示,在TEE实现的过程中,有一个Nexus实例和多个vm tee实例,一个vm tee实例对应一个REE侧的虚拟机,为了区分运行内存和虚拟请求执行内存的内存处理和请求,对运行内存的内存处理函数进行区分改造,举例来说,可将运行内存的Nexus实例的处理对应为.nex_data,.nex_bss,.nex_nozi,.nex_heap等,对vm tee实例还是使用原有的内存处理请求。This embodiment completes TEEOS's support for virtualization by transforming the trusted execution environment operating system TEEOS. The TEE side includes a trusted management module and a trusted application set. The trusted application set includes a module used to implement the vfTPM function. Multiple trusted applications, with fTPM modules built into each trusted application, thereby running multiple fTPM instances in a trusted execution environment. The fTPM module, also known as the vfTPM module, is set as an implementation method of fTPM used as a virtual machine. It realizes the virtualization of computing and the virtualization of persistent storage. The computing function of vfTPM can be implemented using any modern method. There is technology, and this application does not impose any limitations on this. The trusted management module may include a storage driver and a virtual machine data processing module. The virtual machine data processing module may be the vmContext module shown in Figure 6. The virtual machine data processing module corresponds to the virtual machine one-to-one, that is, one virtual machine corresponds to one The virtual machine data processing module is configured to process the vfTPM request of the corresponding virtual machine, and stores the virtual machine trusted execution environment instance and its context of the corresponding virtual machine. The trusted management module of this embodiment is improved on the basis of the original TEEOS. Optionally, the original TEEOS instance is divided into two parts. One part can be called the running memory Nexus, and the other part is called the virtual request execution memory vm part. , The running memory part is responsible for handling the underlying implementation, such as SMC instruction processing, memory management class, thread management, etc. The virtual request execution memory is responsible for request processing, loading TA, executing TA and other functions. As shown in Figure 7, in the process of TEE implementation, there is a Nexus instance and multiple vm tee instances. One vm tee instance corresponds to a REE side For virtual machines, in order to distinguish the memory processing and requests of running memory and virtual request execution memory, the memory processing functions of running memory are differentiated and modified. For example, the processing of Nexus instances of running memory can be corresponding to .nex_data, .nex_bss, .nex_nozi, .nex_heap, etc. still use the original memory to process requests for vm tee instances.
本实施例通过对符合GP的标准的可信执行环境进行改造,实现了在TrustZone中可运行多个fTPM实例,来为虚拟机提供TPM功能,而各个虚拟机的TPM功能互不影响,以实现虚拟机的隔离能力。In this embodiment, by transforming the trusted execution environment that complies with GP standards, multiple fTPM instances can be run in TrustZone to provide TPM functions for virtual machines, and the TPM functions of each virtual machine do not affect each other, so as to achieve Virtual machine isolation capabilities.
为了提高安全性能,本实施例还提供了一种可选的fTPM的存储方式,也即将fTPM的存储保存在特殊的flash闪存上,使其只能在TEE中进行读取。相应的,存储驱动器也即图6所示的NV Driver模块,可实现对特殊flash的读写问题实现来的驱动程序,其中实现了flash的分区、flash读写及权限控制等功能,为fTPM提供NVRAM持久化存储对象。其原理是在flash上进行分区,为每个虚拟机vfTPM提供一个分区,用于NVRAM存储。作为TEEOS上的flash驱动程序,对flash的读写设置权限,只有在TEE侧才可操作,并且只有vm才可操作对应VMID对应的flash分区。In order to improve the security performance, this embodiment also provides an optional fTPM storage method, that is, the fTPM is stored in a special flash memory so that it can only be read in the TEE. Correspondingly, the storage driver, also known as the NV Driver module shown in Figure 6, can implement a driver that implements the problem of reading and writing special flash, which implements functions such as flash partitioning, flash reading and writing, and permission control, providing fTPM with NVRAM persists storage objects. The principle is to partition the flash and provide each virtual machine vfTPM with a partition for NVRAM storage. As a flash driver on TEEOS, the read and write permissions for flash can only be operated on the TEE side, and only vm can operate the flash partition corresponding to the corresponding VMID.
本申请实施例ARM平台的各功能模块的功能可根据上述方法实施例中的方法实现,其实现过程可以参照上述方法实施例的相关描述,此处不再赘述。The functions of each functional module of the ARM platform in the embodiment of this application can be implemented according to the method in the above method embodiment. The implementation process can be referred to the relevant description of the above method embodiment, which will not be described again here.
由上可知,本申请实施例可实现ARM平台的虚拟机的TPM功能。It can be seen from the above that the embodiments of the present application can realize the TPM function of the virtual machine of the ARM platform.
为了使所属领域技术人员更加清楚整个技术方案,基于图6所示的ARM平台架构,本申请还结合图8-图11给出了一个示意性例子,在本示意性例子包括ARM平台的初始化流程、虚拟机创建流程、虚拟机请求及响应流程以及虚拟机销毁关闭流程,在本实施例中,TEE OS为可信执行环境操作系统,NV Driver为存储驱动器,VMID为虚拟机标识信息,vm tee实例及上下文为虚拟机可信执行环境实例和虚拟机可信执行环境实例上下文,vm表示虚拟机,RichOS表示富执行环境操作系统,NVRVM(Non-Volatile Random Access Memory,非易失性随机访 问存储器)表示目标存储空间,Hypervisor表示虚拟化层的虚拟机监视器,GuestOS表示虚拟机操作系统,可包括下述内容:In order to make the entire technical solution more clear to those skilled in the art, based on the ARM platform architecture shown in Figure 6, this application also provides a schematic example in conjunction with Figures 8-11. This schematic example includes the initialization process of the ARM platform , virtual machine creation process, virtual machine request and response process, and virtual machine destruction and shutdown process. In this embodiment, TEE OS is the trusted execution environment operating system, NV Driver is the storage driver, VMID is the virtual machine identification information, vm tee Instances and contexts are virtual machine trusted execution environment instances and virtual machine trusted execution environment instance contexts, vm represents virtual machines, RichOS represents rich execution environment operating systems, NVRVM (Non-Volatile Random Access Memory, non-volatile random access memory ) represents the target storage space, Hypervisor represents the virtual machine monitor of the virtualization layer, and GuestOS represents the virtual machine operating system, which can include the following:
其中,ARM平台的初始化流程可包括下述内容:Among them, the initialization process of the ARM platform may include the following:
A1:ARM平台上电。A1: Power on the ARM platform.
A2:固件加载,在固件加载过程中,初始化设备,包括开启TrustZone功能,加载Firmware/SecureMonitor固件管理模块,其中的固件管理模块实现了VMID转发功能。A2: Firmware loading. During the firmware loading process, the device is initialized, including turning on the TrustZone function and loading the Firmware/SecureMonitor firmware management module. The firmware management module implements the VMID forwarding function.
A3:TEEOS加载,从固件存储flash中查找到TEE OS镜像固件并加载,在TEE中,为TEE OS配置内存及初始化NV Driver。A3: TEEOS is loaded. Find the TEE OS image firmware from the firmware storage flash and load it. In the TEE, configure the memory for the TEE OS and initialize the NV Driver.
A4:使用NVDriver对用于fTPM的flash芯片进行初始化处理,此初始化处理包括但并不限制于元数据的生成,flash加密密钥生成,加密密钥保存,权限设置,分区处权限处理。A4: Use NVDriver to initialize the flash chip used for fTPM. This initialization process includes but is not limited to metadata generation, flash encryption key generation, encryption key storage, permission settings, and partition permission processing.
A5:如果是QEMU(虚拟操作系统模拟器)KVM虚拟化,则完成对RichOS的加载。A5: If it is QEMU (virtual operating system emulator) KVM virtualization, the loading of RichOS is completed.
A6:如果是Xen虚拟化,则查找Xen虚拟化的镜像文件,随同BIOS进行启动。A6: If it is Xen virtualization, search for the Xen virtualization image file and start it along with the BIOS.
A7:在BIOS启动过程中,Xen Hypervisor作为vm0,进行处理,执行虚拟机创建流程,在TEE OS中分配vm tee实例及上下文,VMID=0。A7: During the BIOS startup process, Xen Hypervisor acts as vm0 for processing, executes the virtual machine creation process, and allocates vm tee instances and contexts in TEE OS, with VMID=0.
A8:vm tee实例加载vfTPM TA。A8: The vm tee instance loads vfTPM TA.
A9:在TA加载过程中,初始化TPM的nvram,也即通过NV Driver对TPM存储flash读写,在flash上分配一块nvram分区,供VMID=0的vfTPM使用。A9: During the TA loading process, initialize the nvram of the TPM, that is, read and write the TPM storage flash through the NV Driver, and allocate an nvram partition on the flash for use by the vfTPM with VMID=0.
A10:通过vfTPM请求及响应流程将vfTPM处理的数据返回给Xen Hypervisor;A10: Return the data processed by vfTPM to the Xen Hypervisor through the vfTPM request and response process;
A10:Hypervisor进入启动流程,完成启动。A10: The hypervisor enters the startup process and completes startup.
其中,虚拟机的创建流程可包括:Among them, the virtual machine creation process may include:
R1:RichOS或Hypervisor发起创建虚拟机的指令,并要求此虚拟机配置有vfTPM。R1: RichOS or Hypervisor initiates an instruction to create a virtual machine and requires that the virtual machine be configured with vfTPM.
B2:RichOS或Hypervisor调用创建虚拟机的过程中,首先在TEE侧完成vfTPM相关的初始化操作也即初始化流程中的A3和A4,因此RichOS或Hypervisor先将请求参数附带RichOS或Hypervisor分配给此虚拟机的VMID一块传递给固件层的固件处理模块。B2: When RichOS or Hypervisor calls to create a virtual machine, the vfTPM-related initialization operations are first completed on the TEE side, that is, A3 and A4 in the initialization process. Therefore, RichOS or Hypervisor first assigns the request parameters with RichOS or Hypervisor to this virtual machine. A piece of VMID is passed to the firmware processing module of the firmware layer.
B3:固件处理模块接收到虚拟机创建的请求,封装请求参数,并将VMID附加到SMC指令的上,发送SMC_VM_CREATE指令,将指令发送TEE侧的TEEOS,并切换运行环境为TEE。B3: The firmware processing module receives the request to create a virtual machine, encapsulates the request parameters, appends the VMID to the SMC command, sends the SMC_VM_CREATE command, sends the command to TEEOS on the TEE side, and switches the operating environment to TEE.
B4:TEEOS侧的Nexus TEE接收SMC指令,并且分析此虚拟机需要一个vfTPM设备。B4: The Nexus TEE on the TEEOS side receives the SMC command and analyzes this virtual machine which requires a vfTPM device.
B5:TEEOS为该虚拟机分配一个vm tee实例及上下文,vm tee上下文用于处理所有有关该虚拟机的请求包括vfTPM的加载与执行。B5: TEEOS allocates a vm tee instance and context to the virtual machine. The vm tee context is used to handle all requests related to the virtual machine, including the loading and execution of vfTPM.
B6:加载fTPM TA,并执行vfTPM初始化操作。可选的,在初始化操作的过程中,除了启 动TPM外,还需要对NVRVM进行初始化。NVRVM的初始化过程包括:使用NV Driver完成flash分区的分配,如果该虚拟机有对应flash分区,则将此分区直接分配给vfTPM当作NVRVM使用,若该虚拟机的vfTPM没有对应的flash分区,则NV Driver在flash空间充足的条件下,为该虚拟机创建一个分区,并根据TPM规范对此分区实施NVRVM初始化操作。B6: Load fTPM TA and perform vfTPM initialization operation. Optionally, during the initialization process, in addition to starting the TPM, NVRVM also needs to be initialized. The initialization process of NVRVM includes: using NV Driver to complete the allocation of flash partition. If the virtual machine has a corresponding flash partition, this partition will be directly allocated to vfTPM for use as NVRVM. If the vfTPM of the virtual machine does not have a corresponding flash partition, then NV Driver creates a partition for the virtual machine when the flash space is sufficient, and performs NVRVM initialization operations on this partition according to TPM specifications.
B7:NVRVM初始化完成,继续完成TPM规范的其他初始化工作。B7: NVRVM initialization is completed, continue to complete other initialization work of the TPM specification.
B8:完成fTPM初始化工作,将返回结果通过TEEOS和固件处理模块返回给RichOS或Hypervisor层;B8: Complete the fTPM initialization work and return the result to the RichOS or Hypervisor layer through the TEEOS and firmware processing modules;
B9:RichOS完成后续的虚拟机的创建工作。B9: RichOS completes the subsequent creation of virtual machines.
其中,对于虚拟机的vfTPM请求及响应流程可如下内容:Among them, the vfTPM request and response process for the virtual machine can be as follows:
C1:GuestOS发送vfTPM请求。C1: GuestOS sends vfTPM request.
C2:GustOS内核(虚拟机操作系统内核)将vfTPM请求指令及VA转换为IPA。C2: GustOS kernel (virtual machine operating system kernel) converts vfTPM request instructions and VA into IPA.
C3:RichOS或Hypervisor将GuestOS发指令转换成PA,同时附加VMID发送给固件处理模块。C3: RichOS or Hypervisor converts the instructions sent by GuestOS into PA, and appends the VMID and sends them to the firmware processing module.
C4:固件处理模块将指令进行封装,同时附加VMID,执行SMC指令,并切换运行状态到TEEOS。C4: The firmware processing module encapsulates the instruction, attaches the VMID, executes the SMC instruction, and switches the running state to TEEOS.
C5:TEEOS根据VMID分配给对应的vm tee上下文对vfTPM请求进行处理。C5: TEEOS processes the vfTPM request according to the VMID assigned to the corresponding vm tee context.
C6:TEEOS分配共享内存,将处理结果保存在共享内存中,并将共享内存地址及VMID发送给固件处理模块。C6: TEEOS allocates shared memory, saves the processing results in the shared memory, and sends the shared memory address and VMID to the firmware processing module.
C7:固件处理模块对请求参数进行封装后,执行SMC指令切换执行环境到REE,并将结果发送给Hypervisor或RichOS中。C7: After the firmware processing module encapsulates the request parameters, it executes the SMC instruction to switch the execution environment to REE, and sends the result to the Hypervisor or RichOS.
C8:RichOS或Hypervisor将共享内存地址转换为IPA,并根据VMID将结果返回给对应虚拟机。C8: RichOS or Hypervisor converts the shared memory address to IPA and returns the result to the corresponding virtual machine based on the VMID.
C9:虚拟机内核将IPA转换为VA,并交由GuestOS APP进行处理。C9: The virtual machine kernel converts the IPA into VA and hands it over to the GuestOS APP for processing.
C10:GustOS APP获取vfTPM请求的处理结果。C10: GustOS APP obtains the processing result of vfTPM request.
其中,虚拟机销毁关闭流程可如下所示:Among them, the virtual machine destruction and shutdown process can be as follows:
D1:用户通过应用层下发销毁或关闭虚拟机的指令,RichOS或Hypervisor接受到该销毁或关闭虚拟机指令,以通过执行该执行实现对vfTPM资源的释放。D1: The user issues an instruction to destroy or shut down the virtual machine through the application layer. RichOS or Hypervisor receives the instruction to destroy or shut down the virtual machine and releases the vfTPM resources by executing the execution.
D2:将待处理虚拟机即为待销毁虚拟机或待关闭虚拟机的指令参数进行转换,并附加VMID转发给固件处理模块。D2: Convert the instruction parameters of the virtual machine to be processed, that is, the virtual machine to be destroyed or the virtual machine to be shut down, and forward it to the firmware processing module with the VMID attached.
D3:固件处理模块将D2生成的指令进行封装,同时附加VMID,执行SMC_VM_DESTROY指 令,并切换运行状态到TEEOS。D3: The firmware processing module encapsulates the instructions generated by D2, appends the VMID, executes the SMC_VM_DESTROY instruction, and switches the running state to TEEOS.
D4:TEEOS接受销毁或关闭虚拟机的指令,根据此指令的参数及VMID,发送给相应的vm tee。D4: TEEOS accepts the instruction to destroy or shut down the virtual machine, and sends it to the corresponding vm tee based on the parameters and VMID of this instruction.
D5:判断指令是彻底销毁删除虚拟机还是正常关闭虚拟系统的命令。D5: Determine whether the command is to completely destroy and delete the virtual machine or to shut down the virtual system normally.
D6:如果是关闭虚拟机系统的命令,则在TEE侧刷新vfTPM数据,删除vm上下文;D6: If it is a command to shut down the virtual machine system, refresh the vfTPM data on the TEE side and delete the vm context;
D7:如果是销毁虚拟机,则在TEE侧删除vm上下文,同时删除flash上为虚拟机分配的vfTPM的存储分区也即目标存储空间。D7: If the virtual machine is destroyed, delete the vm context on the TEE side and delete the vfTPM storage partition allocated to the virtual machine on the flash, that is, the target storage space.
D8:将处理结果通过TEEOS和固件管理模块返回给RichOS或Hypervisor。D8: Return the processing results to RichOS or Hypervisor through TEEOS and firmware management modules.
D9:RichOS或Hypervisor执行完成vm在REE的销毁或删除操作。D9: RichOS or Hypervisor completes the destruction or deletion of the vm in REE.
由上可知,本申请实施例通过对TEEOS进行改造,完成了TEEOS对虚拟化的支持,支持KVM及Xen虚拟化技术;通过对fTPM的实现方式进行改进,实现了fTPM在ARM平台上对虚拟机的支持;通过对fTPM的存储方式进行改进,将fTPM的存储保存在特殊的flash闪存上,使其只能在TEE中进行读取,增强了其安全性;对fTPM的存储方式实现虚拟化,解决了fTPM的虚拟化问题。从而在ARM平台上基于固件实现了TPM功能,并且实现了虚拟化,可供ARM虚拟机使用,在研发层面可节约物理成本,fTPM虚拟化的实现可提高云计算的产品的安全性,提升云计算产业方面的竞争力。It can be seen from the above that the embodiment of the present application completes TEEOS's support for virtualization by transforming TEEOS, and supports KVM and Xen virtualization technology; by improving the implementation method of fTPM, it realizes fTPM's virtual machine on the ARM platform support; by improving the storage method of fTPM, the storage of fTPM is saved on a special flash memory, so that it can only be read in TEE, which enhances its security; the storage method of fTPM is virtualized, Solved the virtualization problem of fTPM. As a result, the TPM function is implemented based on firmware on the ARM platform, and virtualization is implemented, which can be used by ARM virtual machines. It can save physical costs at the research and development level. The implementation of fTPM virtualization can improve the security of cloud computing products and improve the cloud computing. Competitiveness in the computing industry.
本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其它实施例的不同之处,各个实施例之间相同或相似部分互相参见即可。对于实施例公开的硬件包括装置、电子设备及ARM平台而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。Each embodiment in this specification is described in a progressive manner. Each embodiment focuses on its differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other. As for the hardware disclosed in the embodiments, including devices, electronic equipment and ARM platforms, since they correspond to the methods disclosed in the embodiments, the description is relatively simple. For relevant details, please refer to the description of the method section.
专业人员还可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those skilled in the art may also realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. In order to clearly illustrate the interoperability of hardware and software, Alternatively, in the above description, the composition and steps of each example have been generally described according to their functions. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.
以上对本申请所提供的一种虚拟化实现方法、装置、电子设备、非易失性可读存储介质及ARM平台进行了详细介绍。本文中应用了可选的个例对本申请的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本申请的方法及其核心思想。应当指出,对于本技术领域的普通技术人员来说,在不脱离本申请原理的前提下,还可以对本申请进行若干改进 和修饰,这些改进和修饰也落入本申请权利要求的保护范围内。The above has introduced in detail a virtualization implementation method, device, electronic equipment, non-volatile readable storage medium and ARM platform provided by this application. This article uses optional examples to illustrate the principles and implementation methods of the present application. The description of the above embodiments is only used to help understand the method and the core idea of the present application. It should be noted that for those of ordinary skill in the art, several improvements and modifications can be made to the present application without departing from the principles of the present application, and these improvements and modifications also fall within the protection scope of the claims of the present application.
Claims (20)
- 一种虚拟化实现方法,包括:A virtualization implementation method, including:预先基于虚拟化类型,对运行着配置虚拟的基于固件的可信平台模块vfTPM功能的目标虚拟机的ARM平台进行初始化处理;Based on the virtualization type, initialize the ARM platform running the target virtual machine configured with the virtual firmware-based trusted platform module vfTPM function in advance;当接收到所述目标虚拟机的目标vfTPM请求,将携带由所述目标虚拟机的虚拟物理地址所转换的真实物理地址、和所述目标虚拟机的标识信息的指令进行封装,并切换当前运行状态至可信执行环境;When receiving the target vfTPM request of the target virtual machine, encapsulate the instruction carrying the real physical address converted from the virtual physical address of the target virtual machine and the identification information of the target virtual machine, and switch the current running status to the trusted execution environment;在所述可信执行环境中,根据所述标识信息,调用相应的目标虚拟机可信执行环境上下文对所述目标vfTPM请求进行处理,并发送携带处理结果的存储地址及所述标识信息的结果反馈指令;In the trusted execution environment, according to the identification information, the corresponding target virtual machine trusted execution environment context is called to process the target vfTPM request, and a result carrying the storage address of the processing result and the identification information is sent. feedback instructions;对所述结果反馈指令进行封装,并切换当前运行状态至富执行环境;在所述富执行环境,通过解析所述结果反馈指令得到所述存储地址和所述标识信息,按照所述标识信息,将转换后的所述存储地址发送至所述目标虚拟机。Encapsulate the result feedback instruction, and switch the current running state to the rich execution environment; in the rich execution environment, obtain the storage address and the identification information by parsing the result feedback instruction, and according to the identification information, Send the converted storage address to the target virtual machine.
- 根据权利要求1所述的虚拟化实现方法,其中,所述调用相应的目标虚拟机可信执行环境上下文对所述目标vfTPM请求进行处理之后,还包括:The virtualization implementation method according to claim 1, wherein after calling the corresponding target virtual machine trusted execution environment context to process the target vfTPM request, it further includes:将所述处理结果存储至共享内存中。Store the processing results in shared memory.
- 根据权利要求1所述的虚拟化实现方法,其中,所述按照所述标识信息,将转换后的所述存储地址发送至所述目标虚拟机,包括:The virtualization implementation method according to claim 1, wherein sending the converted storage address to the target virtual machine according to the identification information includes:所述富执行环境的操作系统将所述存储地址转换为虚拟机所认为的物理地址,基于所述标识信息将所述物理地址发送至所述目标虚拟机。The operating system of the rich execution environment converts the storage address into a physical address considered by the virtual machine, and sends the physical address to the target virtual machine based on the identification information.
- 根据权利要求3所述的虚拟化实现方法,其中,在基于所述标识信息将所述物理地址发送至所述目标虚拟机之后,所述方法还包括:The virtualization implementation method according to claim 3, wherein after sending the physical address to the target virtual machine based on the identification information, the method further includes:所述目标虚拟机的内核将所述物理地址转换为虚拟机内存地址,并将所述虚拟机内存地址传输至所述目标虚拟机的操作系统中,所述目标虚拟机基于所述虚拟机内存地址读取vfTPM请求的处理结果。The kernel of the target virtual machine converts the physical address into a virtual machine memory address, and transmits the virtual machine memory address to the operating system of the target virtual machine. The target virtual machine is based on the virtual machine memory. The address reads the processing result of the vfTPM request.
- 根据权利要求1所述的虚拟化实现方法,其中,所述基于虚拟化类型,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理,包括:The virtualization implementation method according to claim 1, wherein, based on the virtualization type, initializing the ARM platform running the target virtual machine configured with the vfTPM function includes:ARM平台上电,并加载所述ARM平台的目标固件和可信执行环境操作系统;The ARM platform is powered on and the target firmware and trusted execution environment operating system of the ARM platform are loaded;当所述可信执行环境操作系统启动,为所述可信执行环境操作系统配置内存并进行内存初始化处理;When the trusted execution environment operating system starts, configure memory for the trusted execution environment operating system and perform memory initialization processing;基于所述目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理。Based on the virtualization type to which the target virtual machine belongs, a rich execution environment is initialized.
- 根据权利要求5所述的虚拟化实现方法,其中,所述为所述可信执行环境操作系统配置内存并进行内存初始化处理,包括:The virtualization implementation method according to claim 5, wherein said configuring memory for the trusted execution environment operating system and performing memory initialization processing includes:将所述可信执行环境操作系统的内存划分为运行内存和虚拟请求执行内存;所述运行内存用于处理底层请求,所述虚拟请求执行内存用于处理虚拟机的vfTPM请求;Divide the memory of the trusted execution environment operating system into running memory and virtual request execution memory; the running memory is used to process underlying requests, and the virtual request execution memory is used to process vfTPM requests of virtual machines;在闪存芯片中,为所述可信执行环境操作系统配置用于实现vfTPM功能的专有内存;In the flash memory chip, configure a dedicated memory for implementing the vfTPM function for the trusted execution environment operating system;加载存储驱动器至所述可信执行环境操作系统中,利用所述存储驱动器对所述专有内存进行初始化处理,并对所述专有内存进行分区处理。Load a storage driver into the trusted execution environment operating system, use the storage driver to initialize the private memory, and perform partitioning on the private memory.
- 根据权利要求6所述的虚拟化实现方法,其中,所述专有内存用于存储所述vfTPM的数据,所述方法还包括:预先为每个虚拟机在所述专有内存中分配一块存储区间,用于存储所述每个虚拟机自己的vfTPM数据。The virtualization implementation method according to claim 6, wherein the dedicated memory is used to store data of the vfTPM, and the method further includes: allocating a piece of storage in the dedicated memory for each virtual machine in advance Interval, used to store the vfTPM data of each virtual machine.
- 根据权利要求6所述的虚拟化实现方法,其中,所述基于所述目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理,包括:The virtualization implementation method according to claim 6, wherein the initializing the rich execution environment based on the virtualization type to which the target virtual machine belongs includes:若所述目标虚拟机采用虚拟操作系统模拟器系统虚拟化模块QEMU KVM虚拟化技术,则完成对富执行环境操作系统的加载。If the target virtual machine adopts the virtual operating system emulator system virtualization module QEMU KVM virtualization technology, the loading of the rich execution environment operating system is completed.
- 根据权利要求6所述的虚拟化实现方法,其中,所述基于所述目标虚拟机所属的虚拟化类型,对富执行环境进行初始化处理,包括:The virtualization implementation method according to claim 6, wherein the initializing the rich execution environment based on the virtualization type to which the target virtual machine belongs includes:若所述目标虚拟机采用Xen虚拟化技术,则在启动基本输入输出系统BIOS的同时启动Xen虚拟化的镜像文件;If the target virtual machine adopts Xen virtualization technology, start the Xen virtualization image file while starting the basic input and output system BIOS;在启动过程中,将虚拟机监视器作为具有预设标识的虚拟机,为所述虚拟机监视器分配对应的虚拟机可信执行环境实例及虚拟机可信执行环境上下文;During the startup process, the virtual machine monitor is used as a virtual machine with a preset identification, and the corresponding virtual machine trusted execution environment instance and virtual machine trusted execution environment context are assigned to the virtual machine monitor;通过所述虚拟机可信执行环境实例加载vfTPM可信应用;在所述vfTPM可信应用的加载过程中,利用所述存储驱动器对所述专有内存进行读写,并在所述专有内存中为所述虚拟机监视器分配专属存储区域;The vfTPM trusted application is loaded through the virtual machine trusted execution environment instance; during the loading process of the vfTPM trusted application, the storage driver is used to read and write the private memory, and in the private memory Allocating a dedicated storage area to the virtual machine monitor;将所述虚拟机监视器的vfTPM请求的处理结果返回至所述虚拟机监视器,启动所述虚拟机监视器。Return the processing result of the vfTPM request of the virtual machine monitor to the virtual machine monitor, and start the virtual machine monitor.
- 根据权利要求1至9任意一项所述的虚拟化实现方法,其中,所述当接收到所述目标虚拟机的目标vfTPM请求之前,还包括:The virtualization implementation method according to any one of claims 1 to 9, wherein before receiving the target vfTPM request of the target virtual machine, the method further includes:所述富执行环境下发虚拟机创建指令,并为配置有vfTPM功能的所述目标虚拟机分配相应的标识信息;The rich execution environment issues a virtual machine creation instruction and allocates corresponding identification information to the target virtual machine configured with the vfTPM function;将所述标识信息和所述虚拟机创建指令进行封装,并切换当前运行状态至所述可信 执行环境;Encapsulate the identification information and the virtual machine creation instruction, and switch the current running state to the trusted execution environment;在所述可信执行环境,所述可信执行环境操作系统基于所述虚拟机创建指令,为所述目标虚拟机分配所述目标虚拟机可信执行环境上下文、目标虚拟机可信执行环境实例和内存空间;通过所述目标虚拟机可信执行环境实例加载vfTPM可信应用,启动TPM,并初始化所述内存空间和所述目标虚拟机的vfTPM;In the trusted execution environment, the trusted execution environment operating system allocates the target virtual machine trusted execution environment context and the target virtual machine trusted execution environment instance to the target virtual machine based on the virtual machine creation instruction. and memory space; load the vfTPM trusted application through the target virtual machine trusted execution environment instance, start the TPM, and initialize the memory space and the vfTPM of the target virtual machine;将所述目标虚拟机的vfTPM的初始化结果和所述标识信息进行封装,并切换当前运行状态至所述富执行环境,以基于所述初始化结果,在所述富执行环境完成所述目标虚拟机的创建操作。Encapsulate the initialization result of the vfTPM of the target virtual machine and the identification information, and switch the current running state to the rich execution environment, so as to complete the target virtual machine in the rich execution environment based on the initialization result. creation operation.
- 根据权利要求10所述的虚拟化实现方法,其中,所述方法还包括:The virtualization implementation method according to claim 10, wherein the method further includes:将所述vfTPM的存储保存在flash闪存上,使其只能在所述可信执行环境中进行读取。The storage of the vfTPM is saved on flash memory so that it can only be read in the trusted execution environment.
- 根据权利要求10所述的虚拟化实现方法,其中,所述初始化所述内存空间,包括:The virtualization implementation method according to claim 10, wherein the initializing the memory space includes:若所述目标虚拟机在闪存芯片中有相应的目标存储空间,则将所述目标存储空间分配给所述目标虚拟机的vfTPM功能;If the target virtual machine has a corresponding target storage space in the flash memory chip, allocate the target storage space to the vfTPM function of the target virtual machine;若所述目标虚拟机在闪存芯片中有相应的存储分区,则当所述闪存芯片的剩余存储空间大于预设空间阈值,通过存储驱动器为所述目标虚拟机的vfTPM功能分配目标存储空间;If the target virtual machine has a corresponding storage partition in the flash memory chip, when the remaining storage space of the flash memory chip is greater than the preset space threshold, the target storage space is allocated for the vfTPM function of the target virtual machine through the storage driver;将所述目标存储空间与所述标识信息进行绑定;Bind the target storage space and the identification information;其中,所述目标存储空间作为所述目标虚拟机的vfTPM的非易失性随机访问存储器NVRAM;且所述目标存储空间的读写功能由所述目标虚拟机在所述可信执行环境中执行。Wherein, the target storage space is used as the non-volatile random access memory NVRAM of the vfTPM of the target virtual machine; and the read and write functions of the target storage space are executed by the target virtual machine in the trusted execution environment .
- 根据权利要求12所述的虚拟化实现方法,其中,所述方法还包括:The virtualization implementation method according to claim 12, wherein the method further includes:通过在所述闪存芯片上进行分区,为每个虚拟机的vfTPM提供一个分区,用于进行NVRAM存储。By partitioning on the flash chip, each virtual machine's vfTPM is given a partition for NVRAM storage.
- 根据权利要求12所述的虚拟化实现方法,其中,所述可信执行环境操作系统上的闪存芯片驱动程序被设置为只允许在在所述可信执行环境侧,对闪存芯片的读写设置权限;并且所述目标存储空间被设置为只允许被所述目标虚拟机操作。The virtualization implementation method according to claim 12, wherein the flash memory chip driver on the trusted execution environment operating system is set to only allow the read and write settings of the flash memory chip on the trusted execution environment side. permissions; and the target storage space is set to only allow operations by the target virtual machine.
- 根据权利要求1至9任意一项所述的虚拟化实现方法,其中,所述对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理之后,还包括:The virtualization implementation method according to any one of claims 1 to 9, wherein after initializing the ARM platform running the target virtual machine configured with the vfTPM function, it further includes:当接收到虚拟机销毁指令,在所述富执行环境中,通过解析所述虚拟机销毁指令,得到获取待销毁虚拟机的销毁标识;When a virtual machine destruction instruction is received, in the rich execution environment, by parsing the virtual machine destruction instruction, the destruction identification of the virtual machine to be destroyed is obtained;将参数化处理的所述虚拟机销毁指令以及所述销毁标识进行封装,并切换当前运行状态为所述可信执行环境;Encapsulate the parameterized virtual machine destruction instruction and the destruction identification, and switch the current running state to the trusted execution environment;在所述可信执行环境中,所述可信执行环境操作系统基于所述销毁标识,将所述虚拟机销毁指令发送至所述待销毁虚拟机对应的销毁虚拟机可信执行环境实例;所述销毁虚拟机可信执行环境实例删除销毁虚拟机可信执行环境上下文,并删除所述待销毁虚拟机对应在闪存芯片的存储分区;反馈携带所述销毁标识的虚拟机销毁完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine destruction instruction to the destroyed virtual machine trusted execution environment instance corresponding to the virtual machine to be destroyed based on the destruction identification; Deleting and destroying the virtual machine trusted execution environment instance deletes and destroys the virtual machine trusted execution environment context, and deletes the storage partition of the flash memory chip corresponding to the virtual machine to be destroyed; and feeds back a virtual machine destruction completion instruction carrying the destruction identification;将参数化处理的所述虚拟机销毁完成指令以及所述销毁标识进行封装,并切换当前运行状态为所述富执行环境;Encapsulate the parameterized virtual machine destruction completion instruction and the destruction identification, and switch the current running state to the rich execution environment;在所述富执行环境中,根据所述虚拟机销毁完成指令和所述销毁标识,删除所述待销毁虚拟机。In the rich execution environment, the virtual machine to be destroyed is deleted according to the virtual machine destruction completion instruction and the destruction identification.
- 根据权利要求1至9任意一项所述的虚拟化实现方法,其中,所述对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理之后,还包括:The virtualization implementation method according to any one of claims 1 to 9, wherein after initializing the ARM platform running the target virtual machine configured with the vfTPM function, it further includes:当接收到虚拟机关闭指令,在所述富执行环境中,通过解析所述虚拟机关闭指令,得到获取待关闭虚拟机的关闭标识;When a virtual machine shutdown instruction is received, in the rich execution environment, by parsing the virtual machine shutdown instruction, the shutdown identification of the virtual machine to be shut down is obtained;将参数化处理的所述虚拟机关闭指令以及所述关闭标识进行封装,并切换当前运行状态为所述可信执行环境;Encapsulate the parameterized virtual machine shutdown instruction and the shutdown identifier, and switch the current running state to the trusted execution environment;在所述可信执行环境中,所述可信执行环境操作系统基于所述关闭标识,将所述虚拟机关闭指令发送至所述待关闭虚拟机对应的关闭虚拟机可信执行环境实例;所述关闭虚拟机可信执行环境实例删除关闭虚拟机可信执行环境上下文,并更新所述关闭虚拟机在所述可信执行环境中的vfTPM;反馈携带所述关闭标识的虚拟机关闭完成指令;In the trusted execution environment, the trusted execution environment operating system sends the virtual machine shutdown instruction to the shutdown virtual machine trusted execution environment instance corresponding to the virtual machine to be shut down based on the shutdown identifier; so The shutdown virtual machine trusted execution environment instance deletes the shutdown virtual machine trusted execution environment context, and updates the vfTPM of the shutdown virtual machine in the trusted execution environment; feeds back a virtual machine shutdown completion instruction carrying the shutdown identification;将参数化处理的所述虚拟机关闭完成指令以及所述关闭标识进行封装,并切换当前运行状态为所述富执行环境;Encapsulate the parameterized virtual machine shutdown completion instruction and the shutdown identifier, and switch the current running state to the rich execution environment;在所述富执行环境中,根据所述虚拟机关闭完成指令和所述关闭标识,关闭所述待关闭虚拟机。In the rich execution environment, the virtual machine to be shut down is shut down according to the virtual machine shutdown completion instruction and the shutdown identifier.
- 一种虚拟化实现装置,包括:A virtualization implementation device, including:初始化处理模块,被设置为预先基于虚拟化类型,对运行着配置vfTPM功能的目标虚拟机的ARM平台进行初始化处理;The initialization processing module is set to perform initialization processing on the ARM platform running the target virtual machine configured with the vfTPM function based on the virtualization type in advance;虚拟化请求下发模块,被设置为当接收到所述目标虚拟机的目标vfTPM请求,将携带由所述目标虚拟机的虚拟物理地址所转换的真实物理地址、和所述目标虚拟机的标识信息的指令进行封装,并切换当前运行状态至可信执行环境;The virtualization request issuing module is configured to carry the real physical address converted from the virtual physical address of the target virtual machine and the identification of the target virtual machine when receiving the target vfTPM request of the target virtual machine. Encapsulate the information instructions and switch the current running state to a trusted execution environment;虚拟化请求处理模块,被设置为在所述可信执行环境中,根据所述标识信息,调用 相应的目标虚拟机可信执行环境上下文对所述目标vfTPM请求进行处理,并发送携带处理结果的存储地址及所述标识信息的结果反馈指令;The virtualization request processing module is configured to, in the trusted execution environment, call the corresponding target virtual machine trusted execution environment context to process the target vfTPM request according to the identification information, and send a message carrying the processing result. Store the address and the result feedback instruction of the identification information;处理结果反馈模块,被设置为对所述结果反馈指令进行封装,并切换当前运行状态至富执行环境;在所述富执行环境,通过解析所述结果反馈指令得到所述存储地址和所述标识信息,按照所述标识信息,将转换后的所述存储地址发送至所述目标虚拟机。The processing result feedback module is configured to encapsulate the result feedback instruction and switch the current running state to a rich execution environment; in the rich execution environment, obtain the storage address and the identifier by parsing the result feedback instruction information, and sends the converted storage address to the target virtual machine according to the identification information.
- 一种电子设备,包括处理器和存储器,所述处理器被设置为执行所述存储器中存储的计算机程序时实现如权利要求1至16任一项所述虚拟化实现方法的步骤。An electronic device includes a processor and a memory. The processor is configured to implement the steps of the virtualization implementation method according to any one of claims 1 to 16 when executing a computer program stored in the memory.
- 一种非易失性可读存储介质,所述非易失性可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如权利要求1至16任一项所述虚拟化实现方法的步骤。A non-volatile readable storage medium. A computer program is stored on the non-volatile readable storage medium. When the computer program is executed by a processor, the virtualization as described in any one of claims 1 to 16 is realized. Implement the steps of the method.
- 一种ARM平台,用于执行计算机程序时实现如权利要求1至16任一项所述虚拟化实现方法的步骤,其包括应用层、系统层、虚拟化层和固件层;An ARM platform, used to implement the steps of the virtualization implementation method according to any one of claims 1 to 16 when executing a computer program, which includes an application layer, a system layer, a virtualization layer and a firmware layer;所述应用层,包括位于富执行环境中的多个虚拟机应用程序,和位于可信执行环境的可信应用集,所述可信应用集包括用于实现vfTPM功能的可信应用;The application layer includes multiple virtual machine applications located in a rich execution environment and a trusted application set located in a trusted execution environment. The trusted application set includes trusted applications used to implement vfTPM functions;所述系统层,包括位于所述富执行环境中的宿主机处理模块,和位于所述可信执行环境的可信管理模块;The system layer includes a host processing module located in the rich execution environment, and a trusted management module located in the trusted execution environment;所述虚拟化层,包括位于所述富执行环境中的虚拟机监视器;The virtualization layer includes a virtual machine monitor located in the rich execution environment;所述固件层,包括固件处理模块,所述固件处理模块被设置为接收所述宿主机处理模块、所述虚拟机监视器和所述可信管理模块的指令;执行运行状态的切换,并在执行运行状态切换过程中转发接收指令中的虚拟机标识信息。The firmware layer includes a firmware processing module. The firmware processing module is configured to receive instructions from the host processing module, the virtual machine monitor and the trusted management module; perform switching of running states, and The virtual machine identification information in the received instruction is forwarded during the execution of running state switching.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210334870.7 | 2022-03-31 | ||
CN202210334870.7A CN114625484B (en) | 2022-03-31 | 2022-03-31 | Virtualization implementation method and device, electronic equipment, medium and ARM platform |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023184920A1 true WO2023184920A1 (en) | 2023-10-05 |
Family
ID=81905172
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/123583 WO2023184920A1 (en) | 2022-03-31 | 2022-09-30 | Virtualization implementation method and apparatus, electronic device, non-volatile readable storage medium, and arm platform |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114625484B (en) |
WO (1) | WO2023184920A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114625484B (en) * | 2022-03-31 | 2024-06-21 | 苏州浪潮智能科技有限公司 | Virtualization implementation method and device, electronic equipment, medium and ARM platform |
CN118535410A (en) * | 2023-02-21 | 2024-08-23 | 中兴通讯股份有限公司 | Monitoring method of host operating system and electronic equipment |
CN116028164B (en) * | 2023-03-29 | 2023-06-20 | 阿里云计算有限公司 | Equipment virtualization method and device |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110004735A1 (en) * | 2009-07-01 | 2011-01-06 | International Business Machines Corporation | Method and apparatus for two-phase storage-aware placement of virtual machines |
CN102479100A (en) * | 2010-11-26 | 2012-05-30 | 中国科学院软件研究所 | Pervasive computing environment virtual machine platform and creation method thereof |
CN103748594A (en) * | 2011-07-29 | 2014-04-23 | 微软公司 | For ARM TRUSTZONETMImplemented firmware-based trusted platform module |
CN103986662A (en) * | 2014-05-22 | 2014-08-13 | 浪潮电子信息产业股份有限公司 | Cross-virtualization-platform virtual router achieving method |
CN105389513A (en) * | 2015-11-26 | 2016-03-09 | 华为技术有限公司 | Trusted execution method and apparatus for virtual trusted platform module (vTPM) |
CN107704308A (en) * | 2017-09-19 | 2018-02-16 | 浪潮(北京)电子信息产业有限公司 | Virtual platform vTPM management systems, trust chain constructing method and device, storage medium |
CN107844362A (en) * | 2017-11-14 | 2018-03-27 | 浪潮(北京)电子信息产业有限公司 | Virtualize system, method, virtual machine and the readable storage medium storing program for executing of TPM equipment |
CN108549571A (en) * | 2018-03-19 | 2018-09-18 | 沈阳微可信科技有限公司 | A kind of safety virtualization method suitable for credible performing environment |
US20200201669A1 (en) * | 2015-07-28 | 2020-06-25 | Samsung Electronics Co., Ltd. | Storage device and storage virtualization system |
CN112148418A (en) * | 2019-06-26 | 2020-12-29 | 北京百度网讯科技有限公司 | Method, apparatus, device and medium for accessing data |
CN113485785A (en) * | 2021-06-28 | 2021-10-08 | 海光信息技术股份有限公司 | Method for realizing virtualized trusted platform module, security processor and storage medium |
CN113868676A (en) * | 2021-08-30 | 2021-12-31 | 苏州浪潮智能科技有限公司 | Method and device for realizing trusted cryptographic module based on firmware on ARM platform |
CN114625484A (en) * | 2022-03-31 | 2022-06-14 | 苏州浪潮智能科技有限公司 | Virtualization implementation method, device, electronic equipment, medium and ARM platform |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11132440B2 (en) * | 2018-11-01 | 2021-09-28 | Foundation Of Soongsil University-Industry Cooperation | Hybrid trust execution environment based android security framework, android device equipped with the same and method of executing trust service in android device |
CN112364343B (en) * | 2020-11-16 | 2022-05-06 | 支付宝(杭州)信息技术有限公司 | Method and device for protecting secrets of virtual machine monitor and electronic equipment |
CN112817697A (en) * | 2021-02-09 | 2021-05-18 | 中国银联股份有限公司 | Virtualization system and method for trusted execution environment and device calling method |
-
2022
- 2022-03-31 CN CN202210334870.7A patent/CN114625484B/en active Active
- 2022-09-30 WO PCT/CN2022/123583 patent/WO2023184920A1/en unknown
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110004735A1 (en) * | 2009-07-01 | 2011-01-06 | International Business Machines Corporation | Method and apparatus for two-phase storage-aware placement of virtual machines |
CN102479100A (en) * | 2010-11-26 | 2012-05-30 | 中国科学院软件研究所 | Pervasive computing environment virtual machine platform and creation method thereof |
CN103748594A (en) * | 2011-07-29 | 2014-04-23 | 微软公司 | For ARM TRUSTZONETMImplemented firmware-based trusted platform module |
CN103986662A (en) * | 2014-05-22 | 2014-08-13 | 浪潮电子信息产业股份有限公司 | Cross-virtualization-platform virtual router achieving method |
US20200201669A1 (en) * | 2015-07-28 | 2020-06-25 | Samsung Electronics Co., Ltd. | Storage device and storage virtualization system |
CN105389513A (en) * | 2015-11-26 | 2016-03-09 | 华为技术有限公司 | Trusted execution method and apparatus for virtual trusted platform module (vTPM) |
CN107704308A (en) * | 2017-09-19 | 2018-02-16 | 浪潮(北京)电子信息产业有限公司 | Virtual platform vTPM management systems, trust chain constructing method and device, storage medium |
CN107844362A (en) * | 2017-11-14 | 2018-03-27 | 浪潮(北京)电子信息产业有限公司 | Virtualize system, method, virtual machine and the readable storage medium storing program for executing of TPM equipment |
CN108549571A (en) * | 2018-03-19 | 2018-09-18 | 沈阳微可信科技有限公司 | A kind of safety virtualization method suitable for credible performing environment |
CN112148418A (en) * | 2019-06-26 | 2020-12-29 | 北京百度网讯科技有限公司 | Method, apparatus, device and medium for accessing data |
CN113485785A (en) * | 2021-06-28 | 2021-10-08 | 海光信息技术股份有限公司 | Method for realizing virtualized trusted platform module, security processor and storage medium |
CN113868676A (en) * | 2021-08-30 | 2021-12-31 | 苏州浪潮智能科技有限公司 | Method and device for realizing trusted cryptographic module based on firmware on ARM platform |
CN114625484A (en) * | 2022-03-31 | 2022-06-14 | 苏州浪潮智能科技有限公司 | Virtualization implementation method, device, electronic equipment, medium and ARM platform |
Also Published As
Publication number | Publication date |
---|---|
CN114625484B (en) | 2024-06-21 |
CN114625484A (en) | 2022-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023184920A1 (en) | Virtualization implementation method and apparatus, electronic device, non-volatile readable storage medium, and arm platform | |
US9406099B2 (en) | Methods and systems for maintaining state in a virtual machine when disconnected from graphics hardware | |
US10552208B2 (en) | Migrating a virtual machine that owns a resource such as a hardware device | |
US9262197B2 (en) | System and method for input/output acceleration device having storage virtual appliance (SVA) using root of PCI-E endpoint | |
US7421533B2 (en) | Method to manage memory in a platform with virtual machines | |
US10255090B2 (en) | Hypervisor context switching using a redirection exception vector in processors having more than two hierarchical privilege levels | |
US10162655B2 (en) | Hypervisor context switching using TLB tags in processors having more than two hierarchical privilege levels | |
JP4665040B2 (en) | Computer and access control method | |
US20060184938A1 (en) | Method, apparatus and system for dynamically reassigning memory from one virtual machine to another | |
US20090083829A1 (en) | Computer system | |
CN102147763B (en) | Method, system and computer for recording weblog | |
US10948967B2 (en) | Mobile device virtualization solution based on bare-metal hypervisor with optimal resource usage and power consumption | |
US20090265708A1 (en) | Information Processing Apparatus and Method of Controlling Information Processing Apparatus | |
JP2011100431A (en) | Device and method for controlling virtual machine | |
US9959134B2 (en) | Request processing using VM functions | |
JP2014515146A (en) | Compound virtual graphics device | |
US8627315B2 (en) | Apparatus and method for cooperative guest firmware | |
US20180322299A1 (en) | Systems and methods for hardware-based security for inter-container communication | |
US20180335956A1 (en) | Systems and methods for reducing data copies associated with input/output communications in a virtualized storage environment | |
US10235195B2 (en) | Systems and methods for discovering private devices coupled to a hardware accelerator | |
WO2022268150A1 (en) | Method for communication between virtual machine and secure partition, and related device | |
WO2022100693A1 (en) | Method for configuring address translation relationship, and computer system | |
WO2024008066A1 (en) | Cloud computing technology-based server and cloud system | |
JP2010128943A (en) | Information processing apparatus and method of controlling the same | |
CN113312295A (en) | System reset using a controller |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22934738 Country of ref document: EP Kind code of ref document: A1 |