WO2024045407A1 - Virtual disk-based secure storage method - Google Patents


Info

Publication number
WO2024045407A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual disk
image
file
qcow2
virtual
Prior art date
Application number
PCT/CN2022/137630
Other languages
French (fr)
Chinese (zh)
Inventor
王宇锋
谢明
孙立明
张铎
Original Assignee
麒麟软件有限公司


Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
                        • G06F21/602 Providing cryptographic facilities or services
                • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
                    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
                        • G06F3/0601 Interfaces specially adapted for storage systems
                            • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
                                • G06F3/062 Securing storage systems
                            • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
                                • G06F3/0638 Organizing or formatting or addressing of data
                                    • G06F3/064 Management of blocks
                                    • G06F3/0643 Management of files
                                    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
                                • G06F3/0662 Virtualisation aspects
                                    • G06F3/0664 Virtualisation aspects at device level, e.g. emulation of a storage device or system

Definitions

  • The present invention relates to the field of information security technology, and in particular to a virtual disk secure storage method.
  • The era of cloud computing is inseparable from the processing and storage of massive data.
  • The storage of massive data often requires a secure disk image storage method. Once a problem occurs with the disk image, it will seriously affect the data security of the cloud computing center. In order to improve the data security of massive virtual machine disk images, it is often necessary to encrypt the data when storing it and decrypt it when using it.
  • Symmetric encryption is typically represented by the Data Encryption Standard (DES) algorithm, and asymmetric encryption is usually represented by the RSA (Rivest Shamir Adleman) algorithm.
  • DES: Data Encryption Standard
  • RSA: Rivest Shamir Adleman
  • The encryption key and decryption key of symmetric encryption are the same, while the encryption key and decryption key of asymmetric encryption are different.
  • The encryption key can be made public but the decryption key needs to be kept secret.
  • Asymmetric keys are mainly used for identity authentication, or to protect symmetric keys.
  • Daily data encryption generally uses symmetric keys.
  • The most commonly used encryption method for virtual machine image storage is to process the data where the block device read and write functions are located.
  • The data is encrypted when writing and decrypted when reading.
  • The key can be passed in dynamically or stored on a key card.
  • The specific encryption algorithm can be selected according to the usage scenario.
  • Secure storage is essentially still storage, and can serve as a remote distributed storage center for files and data. Compared with ordinary storage, distributed storage is safer and more reliable, and is suited to fields that require confidentiality. If the data is kept in one place, breaking in once yields all of it; if it is kept in different places, multiple places must be broken at the same time to recover the complete data, that is, multiple remote storage centers at once. So our solution is to make the disk image consist of multiple blocks, with the data scattered across image files, each of which can be stored in a different data center. In this way, even if one data center is compromised, the disk image content cannot be restored. This requires the virtual disk file to support block storage, placing different storage blocks in different storage locations. Our patent is aimed at allowing disk image files in the qcow2 format to be stored in blocks in different files, with previously stored data readable from each storage block at run time. This lets the virtual machine's data be stored in different locations, achieving the goal of storage security.
  • The embodiment of the present invention discloses a method for creating and using an encrypted snapshot of a disk image file, and a storage medium, which belongs to the field of virtualization.
  • The method of creating an encrypted snapshot of a disk image file includes the following steps: parsing the key parameters and generating cipher password information for use in encrypting and decrypting files; copying the cipher password information into the source file operation options; opening the source file according to the source file operation options; judging whether the source file was opened successfully and, if so, creating a snapshot and setting the encryption information of the snapshot.
  • The key of the snapshot can be used to decrypt the source file, thereby solving the problem in the existing function that the key cannot be passed to the source file and the snapshot at the same time, and realizing the encryption function and the snapshot function simultaneously.
  • The method includes: establishing two non-migratable keys RSA_local and RSA_mig of the physical trusted platform module, and generating the corresponding digital certificate Certificate_mig for the RSA_mig key; the cloud tenant generates identity authentication information on the local host and saves it; when creating a trusted virtual machine, a vTPM label is created for the vTPM instance of each virtual machine; the identity_info identity authentication information, the vTPM label and tenant_info are obtained and checked for integrity, timeliness, legality and consistency; similarly, during the running phase of the trusted virtual machine, when migrating it, and during the exit, destruction, suspension and snapshot phases, the corresponding fields are checked for integrity, timeliness, legality and consistency.
  • The present invention can perform full life cycle security protection on the libtpms-based software-simulated vTPM added to a KVM-based IaaS cloud platform, preventing leakage of its private information.
  • This patent uses the TPM module for feasibility verification, and disk security is not protected during shutdown.
  • Chinese invention patent "A method and mobile terminal for secure data storage and rapid retrieval" (Patent No.: CN109829324A).
  • The invention discloses a method for secure data storage and quick retrieval, and a mobile terminal, including: encrypting data that the system needs to store under an open public path; storing the encrypted data under the open public path; decrypting the data under the open public path, storing the decrypted data in virtual memory, and forming a mapped path according to the storage address; and modifying the system call interface whose access path defaults to the open public path so that its access path becomes the mapped path, thereby causing the system to retrieve the decrypted data from virtual memory for use.
  • The present invention can not only solve the problem of secure storage of data under the system's default path, but also improve the speed of data retrieval and avoid system lag, unresponsiveness and similar phenomena, resolving the conflict between data storage security and data retrieval speed.
  • The patent only focuses on encrypting data stored under an open public path.
  • Chinese invention patent "Secure storage method of mobile terminal data based on virtual disk" (Patent No.: CN109325355A).
  • The invention provides a virtual disk-based mobile terminal data secure storage method, which belongs to the field of information security.
  • The working method of this invention is to first create an independent disk partition on the hard disk, simulate the disk partition by creating a fixed-size file, and then format the file content into a custom file system, so that it can be simulated as a disk, that is, a virtual disk.
  • Encryption and decryption methods are added during the process of reading and writing the disk to ensure data security.
  • The invention customizes an encrypted file system for an independent disk partition, constructs an encryption and decryption pipeline between plaintext in memory and ciphertext on disk, avoids leaving traces of plaintext on the disk, and provides transparent data protection.
  • The invention has high security and flexibility, provides strong protection for data in the mobile terminal, can customize the encrypted file system and identity verification mechanism, and can also provide a variety of encryption algorithms and working modes.
  • The encryption method implemented by this patent, disk data segment encryption, is something qemu already supports.
  • The patent discloses a differential virtual disk linking method, which includes the following steps: 1) Improve the differential virtual disk file format, changing the recorded original virtual disk path information from the current absolute or relative path in the physical machine system to URL path information that can be accessed over the network; 2) Improve the virtual disk driver: reading and writing of the differential virtual disk depends on the virtual disk driver, which must access the original virtual disk file on the server over the IP network based on the network path information recorded in the differential virtual disk; 3) Virtual disk access service: the host that stores the original virtual disk files provides a network service for original virtual disk access, listens for access requests from the differential virtual disk host, and completes read and write operations on the original virtual disk according to the request. The method features separate deployment of differential virtual disks and their original virtual disks with cross-host access, which facilitates rapid deployment and balances data security and access speed.
  • What this patent does is already available through the "backing file" feature of the qcow2 format. A certain image is used as the base disk (generally installed with the most basic OS files and data); other disks that require a base can specify it as the backing file, and the contents of differential writes are then written to their respective virtual disks. If a multi-level backing file chain is created, modifying earlier data leads to data redundancy, which consumes disk space at a very high cost.
  • The present invention provides a virtual disk secure storage method, which includes the following steps:
  • Step S1: Use the qemu-img tool to create a set of block virtual disk files.
  • The block information of the virtual disk file is written into the file header of the first virtual disk file;
  • Step S2: Start the virtual machine, specify the first virtual disk file of the virtual disk image through the qemu-kvm program, read the block information, and find the images of the other virtual disk files;
  • Step S3: Open the qcow2 virtual disk image in qemu, and create block meta information from the block information;
  • Step S4: According to the block range of each read and write request, send the request to the virtual disk file of the corresponding virtual disk image for processing.
  • In step S1, a set of block virtual disk files is created through the following command line:
  • parameter 1 is the size of each virtual disk file created
  • parameter 2 is the size of the entire virtual disk image.
  • In step S1, the addressing range of each created virtual disk file is determined by adding an image positioning layer to the source code of the qcow2_co_create_opt function;
  • In step S2, by adding an image positioning layer to the source code of the qcow2_open function, the block information in the first virtual disk file is read and the images of the other virtual disk files are found;
  • In step S4, by adding an image positioning layer to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, the virtual disk file of the corresponding virtual disk image is determined when processing read and write requests.
  • The image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions includes an offset parameter and a bytes parameter, where the offset parameter determines the offset position within the virtual disk image, and the bytes parameter determines the size of the requested content.
  • In step S1, the block information of the virtual disk file is saved by adding the field div_img_size to the image file header of the first virtual disk file.
  • In step S1, the block information of the virtual disk file is saved in the file header of the first virtual disk file as the following field: uint64_t div_img_size //
  • The virtual disk secure storage method provided by the present invention ensures the security of the data in the virtual disk image by storing data in different virtual disk files. If part of the image is stolen, the content of the complete image cannot be restored.
  • Figure 1: Logic diagram of the basic technical concept of the present invention.
  • Figure 2: Prior art virtual disk image IO addressing flow chart.
  • Figure 3: IO addressing flow chart after segmentation, based on the qcow2 virtual disk image of the present invention.
  • Figure 1 is a logic diagram of the basic concept of the present invention. At present, in most cases, a qcow2 virtual disk image is stored in a single file; if the backing file function is used, there may be a golden image. If information leaks from where the virtual disk image file is stored, all data stored in the virtual machine can easily be obtained by the attacker. However, if the virtual disk image is composed of multiple files, and each block of the image is put in a different location, it is like "putting eggs in different baskets": if a thief only gets part of the image, it is impossible to restore the contents of the complete image. This allows the virtual disk image to be stored in blocks in different locations, thereby improving the security of the data in the virtual disk image.
  • Blocking strategy: so as not to increase the complexity of addressing, the addressable range of each block is specified when the virtual disk image is created with qemu-img, and when an operation goes beyond that range the next block image is created automatically.
  • Each block is in qcow2 format, so the storage space occupied by a block is very small when it is created; as data is continuously written, the image slowly expands, retaining the best features of qcow2.
  • The image positioning layer (which decides to which image a read or write request is assigned) is added to the source code of qcow2_co_create_opt / qcow2_open / qcow2_co_preadv / qcow2_co_pwritev to realize block storage of the image.
  • The present invention mainly analyzes the principles of the qcow2 format, then optimizes the code for qcow2 format images in the qemu source, and adds the image positioning layer code by modifying the qcow2 series of interface methods, achieving block storage of the image without affecting the original usage interface and habits.
  • Figure 2 is a prior art virtual disk image IO addressing flow chart.
  • The general qcow2 addressing process is as follows: locate the Level1 table in the virtual disk image by reading the qcow2_header, then find the location of the corresponding Level2 table in the Level1 table, and then find the offset of the cluster where the data is stored.
  • The virtual machine needs to know that the created virtual disk image is a segmented virtual disk image; that is, the virtual machine needs to read this segmentation information when it starts.
  • File system layer: when reading from and writing to the virtual disk image, the file system layer automatically manages the virtual disk image and determines the location from which to write the new file. The program addresses and completes the reading and writing based on the information fed back by the file system layer.
  • qemu's qcow2: when qemu's qcow2 processes a "read" request, it sends the request, according to the block range, to the block virtual disk file of the corresponding virtual disk image for processing.
  • Image positioning layer: by adding the image positioning layer to the source code of the qcow2_co_preadv function, the virtual disk file of the corresponding virtual disk image is addressed when processing a read request.
  • qemu's qcow2: when qemu's qcow2 processes a "write" request, it sends the request, according to the block range, to the block virtual disk file of the corresponding virtual disk image for processing.
  • Virtual disk file of the corresponding virtual disk image: by adding the image positioning layer to the source code of the qcow2_co_pwritev function, the virtual disk file of the corresponding virtual disk image can be addressed when processing a write request.
  • The specific steps include the following:
  • The so-called "virtual disk file" is a storage method that uses files to simulate hard disk devices for use by virtual machines. From the perspective of the Host, the disk of the virtual machine is just a file, and from the perspective of the Guest (virtual machine), it is no different from an ordinary hard disk.
  • The so-called "QCOW2 format": the full name is qemu copy
  • A virtual disk image format for the Qemu virtual machine that grows dynamically when a "write" operation occurs.
  • RAW: native image format
  • The qcow2 image format is organized into multiple fixed-size units called clusters. Both actual user data (guest data) and image metadata are stored in cluster units.
  • By breaking what was previously a single disk image file into different image files, this invention avoids the problem that, if one disk image is stolen, all the data in the entire virtual disk can be cracked.
  • The present invention can be implemented without changing the original virtual machine usage interface and habits, and has good compatibility with upper-layer libvirt and the like.

Abstract

A virtual disk-based secure storage method, comprising the following steps: using a qemu-img tool to create a set of partitioned virtual disk files, partition information of the virtual disk files being written into a file header of an image of a first virtual disk file; starting a virtual machine, specifying the first virtual disk file of a virtual disk image by means of a qemu-kvm program, reading the partition information, and finding images of the remaining virtual disk files; opening a qcow2 virtual disk in qemu, creating partition meta information by means of the partition information; and according to the ranges of partitions of corresponding read/write requests, respectively sending the corresponding read/write requests to the corresponding virtual disk files of the virtual disk image for processing. According to the present invention, data is stored in different virtual disk files, and the content of a full image cannot be recovered when part of the image is stolen, thereby ensuring the security of data in a virtual disk image.
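The four steps above, modelled as an added illustration (not qemu code and not the patent's own implementation): a constructed header carrying div_img_size, a locate() routine that plays the role of the image positioning layer by mapping a request's offset and bytes onto block files (splitting requests that straddle a block boundary), and in-memory bytearrays standing in for the qcow2 block files. The header layout, the magic value and all function and class names are assumptions.

```python
from __future__ import annotations

import math
import struct

# Constructed header layout for the toy model (NOT the real qcow2 header):
# magic, total image size in bytes, and the patent's added div_img_size
# (bytes addressable per block file). Big-endian, as qcow2 headers are.
HEADER_FMT = ">4sQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"DIVQ"  # assumed magic value, not qcow2's


def write_block_info(total_size: int, div_img_size: int) -> bytes:
    """Step S1: serialize the block information into the first file's header."""
    if div_img_size <= 0 or total_size <= 0:
        raise ValueError("sizes must be positive")
    return struct.pack(HEADER_FMT, MAGIC, total_size, div_img_size)


def read_block_info(header: bytes) -> tuple[int, int]:
    """Step S2: parse the first file's header to recover the block information."""
    magic, total_size, div_img_size = struct.unpack(HEADER_FMT, header[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("not a split image header")
    return total_size, div_img_size


def locate(div_img_size: int, total_size: int, offset: int, nbytes: int) -> list[tuple[int, int, int]]:
    """Image positioning layer (step S4): map a guest request (offset, bytes)
    onto (block_index, offset_in_block, length) segments, splitting a request
    that straddles a block boundary so each piece goes to one block file."""
    if offset < 0 or nbytes < 0 or offset + nbytes > total_size:
        raise ValueError("request outside the virtual disk")
    segments = []
    while nbytes > 0:
        idx, in_blk = divmod(offset, div_img_size)
        length = min(nbytes, div_img_size - in_blk)
        segments.append((idx, in_blk, length))
        offset += length
        nbytes -= length
    return segments


class SplitImage:
    """Block meta information (step S3) plus per-block storage. Each block file
    is a bytearray allocated on first write, loosely like a qcow2 file that
    starts small and grows as data is written."""

    def __init__(self, total_size: int, div_img_size: int) -> None:
        self.total_size = total_size
        self.div_img_size = div_img_size
        self.nblocks = math.ceil(total_size / div_img_size)
        self.blocks: dict[int, bytearray] = {}

    @classmethod
    def open(cls, first_file_header: bytes) -> SplitImage:
        """Step S2: open from the first file's header only; the other block
        files are located from the block information it carries."""
        return cls(*read_block_info(first_file_header))

    def pwritev(self, offset: int, data: bytes) -> None:
        """Route a write to the block file(s) covering [offset, offset+len)."""
        pos = 0
        for idx, in_blk, length in locate(self.div_img_size, self.total_size, offset, len(data)):
            blk = self.blocks.setdefault(idx, bytearray(self.div_img_size))
            blk[in_blk:in_blk + length] = data[pos:pos + length]
            pos += length

    def preadv(self, offset: int, nbytes: int) -> bytes:
        """Route a read; a block never written reads back as zeros."""
        out = bytearray()
        for idx, in_blk, length in locate(self.div_img_size, self.total_size, offset, nbytes):
            blk = self.blocks.get(idx)
            out += blk[in_blk:in_blk + length] if blk is not None else bytes(length)
        return bytes(out)


def demo() -> dict:
    """Constructed walk-through: a 4 KiB image split into 1 KiB block files,
    with one 112-byte record written across the block 0 / block 1 boundary."""
    header = write_block_info(total_size=4096, div_img_size=1024)
    img = SplitImage.open(header)
    record = b"secret-record-" * 8  # 112 bytes
    img.pwritev(1000, record)
    return {
        "segments": locate(1024, 4096, 1000, len(record)),
        "nblocks": img.nblocks,
        "allocated": sorted(img.blocks),
        "roundtrip": img.preadv(1000, len(record)) == record,
        # what a holder of block 0 alone sees: only the first 24 bytes
        "in_block0": bytes(img.blocks[0][1000:1024]),
    }
```

The "in_block0" value shows that a holder of a single block file still sees a plaintext fragment: splitting bounds what one location leaks, but does not replace the encryption at the block device read/write functions that the background section describes.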

Description

Virtual disk secure storage method
Technical field
The present invention relates to the field of information security technology, and in particular to a virtual disk secure storage method.
Background art
The era of cloud computing is inseparable from the processing and storage of massive data. The storage of massive data often requires a secure disk image storage method, and once a problem occurs with the disk image, it will seriously affect the data security of the cloud computing center. In order to improve the data security of massive virtual machine disk images, it is often necessary to encrypt the data when storing it and decrypt it when using it.
Technical problem
In principle, secure storage has to solve two problems:
1. How to ensure that file data is complete, reliable and not leaked?
2. How to ensure that only legitimate users can access the relevant files?
To solve the above two problems, data encryption and authentication/authorization management technologies are needed; these are also the core technologies of secure storage. In secure storage, technical means are used to turn files into unreadable (encrypted) form for storage, and when the files are used, the same or different means restore (decrypt) them. In this way, between storage and use, the file switches between ciphertext and plaintext states, which ensures security while remaining convenient to use. Encryption consists of two elements: an algorithm and a key. Data encryption technology is divided into two categories, namely symmetric encryption (private key encryption) and asymmetric encryption (public key encryption). Symmetric encryption is typically represented by the Data Encryption Standard (DES) algorithm, and asymmetric encryption is usually represented by the RSA (Rivest Shamir Adleman) algorithm. In symmetric encryption the encryption key and decryption key are the same, while in asymmetric encryption they differ: the encryption key can be made public but the decryption key must be kept secret.
Generally speaking, asymmetric keys are mainly used for identity authentication or to protect symmetric keys, while everyday data encryption generally uses symmetric keys.
Modern mature encryption and decryption algorithms have reliable strength and are hard to break by force unless the correct key is held. When secure storage products are actually deployed, a U-key can also be used if higher-strength identity authentication is required; this kind of authentication device is common in online banking.
With encryption and identity authentication technology, storage is reliably protected.
The most commonly used encryption method for virtual machine image storage is to process the data where the block device read and write functions are located: the data is encrypted on write and decrypted on read. The key can be passed in dynamically or stored on a key card, and the specific encryption algorithm can be chosen to suit the usage scenario.
Secure storage is essentially still storage, and can serve as a remote distributed storage center for files and data. Compared with ordinary storage, distributed storage is safer and more reliable, and is suited to fields that require confidentiality. If the data is kept in one place, breaking in once yields all of it; if it is kept in different places, multiple places must be broken at the same time to recover the complete data, that is, multiple remote storage centers at once. So our solution is to make the disk image consist of multiple blocks, with the data scattered across image files, each of which can be stored in a different data center. In this way, even if one data center is compromised, the disk image content cannot be restored. This requires the virtual disk file to support block storage, placing different storage blocks in different storage locations. Our patent is aimed at allowing disk image files in the qcow2 format to be stored in blocks in different files, with previously stored data readable from each storage block at run time. This lets the virtual machine's data be stored in different locations, achieving the goal of storage security.
Chinese invention patent "A method for creating and using an encrypted snapshot of a disk image file, and storage medium" (Patent No.: CN109376119A). The embodiment of that invention discloses a method for creating and using an encrypted snapshot of a disk image file, and a storage medium, which belongs to the field of virtualization. The method of creating an encrypted snapshot of a disk image file includes the following steps: parsing the key parameters and generating cipher password information for use in encrypting and decrypting files; copying the cipher password information into the source file operation options; opening the source file according to its operation options; judging whether the source file was opened successfully and, if so, creating a snapshot and setting the snapshot's encryption information. When operating on a snapshot, the snapshot's key can be used to decrypt the source file, solving the problem in the existing function that a key cannot be passed to the source file and the snapshot at the same time, so that the encryption function and the snapshot function are realized together. It implements the creation of encrypted snapshots of Qemu Qcow2 disk image files. This does not improve encryption security; it mainly implements the encryption and snapshot functions at the same time.
Chinese invention patent "Trusted virtual machine vTPM private information protection method and system based on tenant identity information" (Patent No.: CN111683052A). That invention discloses a method and system for protecting trusted virtual machine vTPM private information based on tenant identity information. The method includes: establishing two non-migratable keys RSA_local and RSA_mig of the physical trusted platform module and generating the corresponding digital certificate Certificate_mig for the RSA_mig key; the cloud tenant generating identity authentication information on the local host and saving it; when creating a trusted virtual machine, creating a vTPM label for the vTPM instance of each virtual machine; obtaining the identity_info identity authentication information, the vTPM label and tenant_info and checking them for integrity, timeliness, legality and consistency; and similarly, during the running phase of the trusted virtual machine, when migrating it, and during the exit, destruction, suspension and snapshot phases, checking the corresponding fields for integrity, timeliness, legality and consistency. That invention can provide full life cycle security protection for the libtpms-based software-simulated vTPM added to a KVM-based IaaS cloud platform, preventing leakage of its private information. This patent uses the TPM module for feasibility verification, and disk security is not protected while the machine is shut down.
Chinese invention patent "Virtual machine data protection system and method" (Patent No.: CN103902884A). The patent discloses a virtual machine data protection system and method in the field of cloud computing virtualization data security. By verifying, marking and applying network control to requests that access virtual machine data in Domain0, combined with monitoring of data behaviour and flow inside the virtual machine, it achieves secure access to virtual machine data. It solves the problem, in a multi-tenant virtual machine environment, of illegal access from outside the cloud or from other virtual machines caused by vulnerabilities or misconfiguration in the services a virtual machine deploys, or by bugs in the virtual machine's applications or kernel. This patent is mainly aimed at data security at run time.
Chinese invention patent "A method and mobile terminal for secure data storage and rapid retrieval" (Patent No.: CN109829324A). That invention discloses a method for secure data storage and quick retrieval, and a mobile terminal, including: encrypting data that the system needs to store under an open public path; storing the encrypted data under the open public path; decrypting the data under the open public path, storing the decrypted data in virtual memory, and forming a mapped path according to the storage address; and modifying the system call interface whose access path defaults to the open public path so that its access path becomes the mapped path, thereby causing the system to retrieve the decrypted data from virtual memory for use. That invention can not only solve the problem of secure storage of data under the system's default path, but also improve the speed of data retrieval and avoid system lag, unresponsiveness and similar phenomena, resolving the conflict between data storage security and data retrieval speed. The patent only focuses on encrypting data stored under an open public path.
中国发明专利“基于虚拟磁盘的移动终端数据安全存储方法”(专利号:CN109325355A)。本发明提供了一种基于虚拟磁盘的移动终端数据安全存储方法,属于信息安全领域。本发明的工作方式是首先在硬盘中创建独立磁盘分区,通过创建一个固定大小的文件模拟磁盘分区,然后将该文件内容格式化为自定义文件系统,便可以将其模拟成一块磁盘,即虚拟磁盘。最后结合实时加密技术,在读写磁盘的过程中加入加解密方法,就可以保证数据的安全性。本发明为独立的磁盘分区定制加密文件系统,构造内存中的明文和磁盘上的密文的加解密管道,避免磁盘留下明文痕迹,提供透明的数据保护。本发明具有较高的安全性和灵活性,为移动终端中的数据提供了强有力的保护,可自定义加密文件系统和身份验证机制,还可提供多种加密算法和工作模式。这个专利实现的加密方式是qemu已经支持磁盘的数据段加密。Chinese invention patent "Secure storage method of mobile terminal data based on virtual disk" (Patent No.: CN109325355A). The invention provides a virtual disk-based mobile terminal data secure storage method, which belongs to the field of information security. The working method of this invention is to first create an independent disk partition in the hard disk, simulate the disk partition by creating a fixed-size file, and then format the file content into a custom file system, so that it can be simulated into a disk, that is, a virtual disk. disk. Finally, combined with real-time encryption technology, encryption and decryption methods are added during the process of reading and writing disks to ensure data security. The invention customizes an encrypted file system for an independent disk partition, constructs an encryption and decryption pipeline for plain text in the memory and cipher text on the disk, avoids leaving traces of plain text on the disk, and provides transparent data protection. The invention has high security and flexibility, provides strong protection for data in the mobile terminal, can customize the encrypted file system and identity verification mechanism, and can also provide a variety of encryption algorithms and working modes. The encryption method implemented by this patent is that qemu already supports disk data segment encryption.
中国发明专利“一种差分虚拟磁盘链接方法”(专利号:CN108228108A)。该专利公开了一种差分虚拟磁盘链接方法,包括以下步骤:1)差分虚拟磁盘文件格式改进,将记录的原始虚拟磁盘路径信息,由当前的本物理机系统内的绝对路径或相对路径,修改为通过网络可以访问的URL路径信息;2)虚拟磁盘驱动改进,差分虚拟磁盘的读写,依赖虚拟磁盘驱动,需要虚拟磁盘驱动根据差分虚拟磁盘记录的网络路径信息,通过IP网络访问服务器上的原始虚拟磁盘文件;3)虚拟磁盘访问服务,存放原始虚拟磁盘文件的主机,提供原始虚拟磁盘访问的网络服务,监听来自差分虚拟磁盘主机的访问请求,根据请求完成原始虚拟磁盘的读写操作;具有差分虚拟磁盘和其原始虚拟磁盘分开部署,跨主机访问的特点,便于快速部署,数据安全和访问速率兼顾的优点。该专利在qcow2格式中已经有“backing file”的特性来实现,已某个镜像为基准盘(一般装了最基本的OS文件和数据),其他需要基的磁盘可以指定这个为backing file,后面差分写入的内容会写道各自的虚拟磁盘中,如果创建多级backing file,修改之前的数据会导致数据冗余, 这样分块的耗费磁盘空间代价很大。Chinese invention patent "A Differential Virtual Disk Linking Method" (Patent No.: CN108228108A). The patent discloses a differential virtual disk linking method, which includes the following steps: 1) Improve the differential virtual disk file format, and modify the recorded original virtual disk path information from the current absolute path or relative path in the physical machine system. It is the URL path information that can be accessed through the network; 2) Virtual disk driver improvement, the reading and writing of the differential virtual disk depends on the virtual disk driver, which requires the virtual disk driver to access the server through the IP network based on the network path information recorded by the differential virtual disk. Original virtual disk file; 3) Virtual disk access service, a host that stores original virtual disk files, a network service that provides original virtual disk access, monitors access requests from the differential virtual disk host, and completes read and write operations on the original virtual disk according to the request; It has the characteristics of separate deployment of differential virtual disks and its original virtual disks and cross-host access, which facilitates rapid deployment and has the advantages of balancing data security and access speed. This patent already has the "backing file" feature in the qcow2 format to implement it. 
A certain image is used as the base disk (generally installed with the most basic OS files and data). Other disks that require a base can specify this as the backing file, and then The contents of differential writes will be written to their respective virtual disks. If you create a multi-level backing file, modifying the previous data will lead to data redundancy, which will consume disk space at a very high cost.
Technical solution
To overcome the shortcomings of the prior art, the present invention provides a virtual disk secure storage method comprising the following steps:
Step S1: use the qemu-img tool to create a set of chunked virtual disk files; the chunking information of the virtual disk files is written into the file header of the first virtual disk file;
Step S2: start the virtual machine, specifying the first virtual disk file of the virtual disk image to the qemu-kvm program; read the chunking information and locate the images of the other virtual disk files;
Step S3: when qemu opens the qcow2 virtual disk image, build chunk meta information from the chunking information;
Step S4: according to the chunk range covered by each read or write request, send the request to the virtual disk file of the corresponding virtual disk image for processing.
In step S1, the set of chunked virtual disk files is created with the following command line:
qemu-img create -f qcow2 -d parameter1 xxxx.qcow2 parameter2;
where parameter1 is the size of each virtual disk file created and parameter2 is the size of the whole virtual disk image.
In step S1, an image positioning layer added to the source code of the qcow2_co_create_opt function determines the addressing range of each created virtual disk file;
in step S2, an image positioning layer added to the source code of the qcow2_open function reads the chunking information from the first virtual disk file and locates the images of the other virtual disk files;
in step S4, an image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions determines, while handling a read or write request, the virtual disk file of the corresponding virtual disk image.
In step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions uses an offset parameter and a bytes parameter, where offset gives the position within the virtual disk image and bytes gives the size of the requested content.
In step S1, the chunking information of the virtual disk files is stored by adding a field div_img_size to the file header of the first virtual disk file's image.
In step S1, the chunking information of the virtual disk files is stored in the following entry of the first virtual disk file's header: uint64_t div_img_size//.
By storing data across different virtual disk files, the virtual disk secure storage method of the invention ensures the security of the data in the virtual disk image: if some of the image files are stolen, the content of the complete image cannot be recovered.
Description of the drawings
Figure 1: logic diagram of the basic technical concept of the invention.
Figure 2: prior-art virtual disk image I/O addressing flow chart.
Figure 3: I/O addressing flow chart after chunking of the qcow2 virtual disk image according to the invention.
Best mode for carrying out the invention
To give a fuller understanding of the technical solution of the invention and its benefits, they are described in detail below with reference to the drawings.
Figure 1 is the logic diagram of the basic concept of the invention. Today, a qcow2 virtual disk image is in most cases stored in a single file, possibly with one additional golden image if the backing file feature is used. If the location holding that image file leaks, everything stored in the virtual machine is easily obtained by the thief. If instead the virtual disk image is composed of several files and each chunk is placed in a different location, it is like "putting the eggs in different baskets": a thief who obtains only some of the chunks cannot recover the contents of the complete image. Storing the virtual disk image in chunks at different locations therefore raises the security of the data inside it.
To achieve this, the following questions must be answered:
1. How to chunk
Chunking strategy: so as not to add addressing complexity, the addressable range of each chunk is specified when the virtual disk image is made (qemu-img create), and the next chunk image is created automatically for each successive range. Every chunk is itself in qcow2 format, so each takes very little storage when created and grows gradually as data is written, keeping qcow2's best property.
2. At which layer to intercept the virtual machine's read and write requests to implement chunked storage of the image
By modifying the source code of qcow2_co_create_opt / qcow2_open / qcow2_co_preadv / qcow2_co_pwritev in qcow2.c of the qemu source and adding an image positioning layer (which decides which image a read or write request is sent to), the image is stored in chunks.
3. Where the chunking information is stored
In the qcow2 header of the first virtual disk file, where the div_img_size field records the chunk size. This also makes it possible to tell which file is the first image, and the chunking information is read back the next time the image is opened.
To address these technical difficulties, the invention starts from the principles of the qcow2 format, then optimizes the qcow2 image code in the qemu source, adding image positioning layer code by modifying the qcow2 family of interface functions, so as to store the image in chunks without affecting the existing interfaces and usage habits.
Figure 2 is the prior-art virtual disk image I/O addressing flow chart. The general qcow2 addressing flow is: read the qcow2_header to locate the Level1 table in the virtual disk image, look up in the Level1 table the position of the Level2 table for the address, then find the offset of the cluster that actually holds the data.
With the qcow2 chunk design of the invention added, the flow is as shown in Figure 3, and on that basis the virtual disk secure storage method of the invention is formed:
1. Create the chunked virtual disk image with the qemu-img tool
Suppose an 80G virtual disk image is to be split into eight virtual disk files; the command line is: qemu-img create -f qcow2 -d 10G xxxx.qcow2 80G. It automatically creates a set of chunked virtual disk files according to the specified image size. During creation, the image positioning layer added to the source code of qcow2_co_create_opt determines the addressing range of each created virtual disk file; the chunk size and related information can be written into the file header of the first virtual disk file. Specifically, a field (div_img_size) is appended at the end of QCowHeader to save the "chunk size" in the first virtual disk file.
[0-10G]: xxxx.qcow2
[10-20G]: xxxx.qcow2.div1
[20-30G]: xxxx.qcow2.div2
[30-40G]: xxxx.qcow2.div3
[40-50G]: xxxx.qcow2.div4
[50-60G]: xxxx.qcow2.div5
[60-70G]: xxxx.qcow2.div6
[70-80G]: xxxx.qcow2.div7
The chunked virtual disk image now exists. Next, the virtual machine must learn that the image it was given is a chunked one, that is, it must read the chunking information when it boots.
2. Start the virtual machine, pass the first chunk file of the virtual disk image to the qemu-kvm program, read the chunk size, locate the chunk images of the other virtual disk files, and establish the range each virtual disk file is responsible for storing. Specifically, the image positioning layer added to the source code of qcow2_open reads the chunking information from the first virtual disk file and finds the images of the other virtual disk files.
3. When qemu opens the qcow2 virtual disk image, build chunk meta information from the chunking information. Specifically, once the virtual machine has read the chunking information from the first virtual disk file, it knows the chunk images of all the virtual disk files; the program then expresses that chunking information as meta information, that is, the chunk layout of the image is described as data and loaded into memory as a data model, so that the program can address through the meta information and does not have to re-read the chunking information from the first file's header on every read or write.
At this point chunking of the virtual disk image is complete, and read and write operations against it can proceed.
When the virtual disk image is read or written, the file system layer manages the image automatically and decides where a newly created file starts being written; the program addresses and completes the read or write based on the information returned by the file system layer.
4. Read request handling
When qcow2 in qemu handles a read request, the request is sent, according to the chunk range, to the chunk file of the corresponding virtual disk image for processing. The image positioning layer added to the source code of qcow2_co_preadv ensures that the read is addressed to the correct chunk file, in the following steps:
(1) The parameters of qcow2_co_preadv include offset (the position within the virtual disk) and bytes (the size of the requested content); the I/O request queue is split according to the ranges the chunk files of the image are responsible for.
(2) An execution context is built for the virtual disk file to which each split request is to be dispatched.
(3) The split request queue is dispatched for execution according to the image of each virtual disk file.
5. Write request handling
When qcow2 in qemu handles a write request, the request is sent, according to the chunk range, to the chunk file of the corresponding virtual disk image for processing. The image positioning layer added to the source code of qcow2_co_pwritev ensures that the write is addressed to the correct chunk file, in the following steps:
(1) The parameters of qcow2_co_pwritev include offset (the position within the virtual disk) and bytes (the size of the requested content); the I/O request queue is split according to the ranges the chunk files of the image are responsible for.
(2) An execution context is built for the virtual disk file to which each split request is to be dispatched.
(3) The split request queue is dispatched for execution according to the image of each virtual disk file.
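The image positioning layer of steps 1, 2, 4 and 5 above, as an added example in C that is not the patent's or QEMU's own code: it assumes div_img_size sits right after the 104-byte qcow2 v3 header, builds a constructed header, reads the chunk size back, splits a guest request (offset, bytes) across chunk files named as on this page, and then applies the standard qcow2 L1/L2 index computation of Figure 2 to the chunk-local offset. The header layout, helper names and MAX_SEGMENTS bound are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not stated by the patent): the standard qcow2 v3 header is
 * 104 bytes long and div_img_size is appended right after it, big-endian
 * like every other qcow2 header field. */
#define QCOW2_V3_HEADER_LEN 104u
#define DIV_IMG_SIZE_OFFSET QCOW2_V3_HEADER_LEN
#define SAMPLE_HEADER_LEN   (DIV_IMG_SIZE_OFFSET + 8u)
#define MAX_SEGMENTS        16   /* assumed bound on one request's split */

typedef struct {
    unsigned chunk;     /* 0 = xxxx.qcow2, n = xxxx.qcow2.divn */
    uint64_t local_off; /* offset inside that chunk file */
    uint64_t len;       /* bytes handled by that chunk file */
} DivSegment;

static uint64_t be64_load(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Constructed sample header: qcow2 magic "QFI\xfb", version 3 and the
 * appended div_img_size; all other fields are left zero for brevity. */
size_t div_build_sample_header(uint8_t *buf, size_t buflen, uint64_t div_img_size)
{
    if (buflen < SAMPLE_HEADER_LEN) return 0;
    memset(buf, 0, SAMPLE_HEADER_LEN);
    memcpy(buf, "QFI\xfb", 4);
    buf[7] = 3;                                /* version, big-endian uint32 */
    for (int i = 7; i >= 0; i--) {             /* big-endian uint64 */
        buf[DIV_IMG_SIZE_OFFSET + i] = (uint8_t)(div_img_size & 0xff);
        div_img_size >>= 8;
    }
    return SAMPLE_HEADER_LEN;
}

/* Step 2: read div_img_size back from the first file's header.
 * Returns 0 (no chunking) if the magic is wrong or the header is too short. */
uint64_t div_read_chunk_size(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < SAMPLE_HEADER_LEN || memcmp(hdr, "QFI\xfb", 4) != 0) return 0;
    return be64_load(hdr + DIV_IMG_SIZE_OFFSET);
}

/* Steps 4/5 (1): split [offset, offset+bytes) into per-chunk segments.
 * Returns the segment count, or -1 if the request leaves the image or
 * would need more than max_out segments. */
int div_split_request(uint64_t div_img_size, uint64_t total_size,
                      uint64_t offset, uint64_t bytes,
                      DivSegment *out, int max_out)
{
    if (div_img_size == 0 || offset > total_size || bytes > total_size - offset)
        return -1;
    int n = 0;
    while (bytes > 0) {
        if (n >= max_out) return -1;
        uint64_t local = offset % div_img_size;
        uint64_t room  = div_img_size - local;    /* bytes left in this chunk */
        uint64_t len   = bytes < room ? bytes : room;
        out[n].chunk = (unsigned)(offset / div_img_size);
        out[n].local_off = local;
        out[n].len = len;
        n++; offset += len; bytes -= len;
    }
    return n;
}

/* Steps 4/5 (2)/(3): name of the chunk file a segment is dispatched to,
 * following the page's naming (xxxx.qcow2, xxxx.qcow2.div1, ...). */
int div_chunk_name(const char *base, unsigned chunk, char *buf, size_t buflen)
{
    int n = chunk == 0 ? snprintf(buf, buflen, "%s", base)
                       : snprintf(buf, buflen, "%s.div%u", base, chunk);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Inside the chosen chunk the ordinary qcow2 lookup of Figure 2 applies:
 * L1 index -> L2 index -> byte offset within the cluster. */
void qcow2_indices(uint64_t local_off, unsigned cluster_bits,
                   uint64_t *l1, uint64_t *l2, uint64_t *in_cluster)
{
    unsigned l2_bits = cluster_bits - 3;        /* 8-byte L2 entries per cluster */
    *in_cluster = local_off & ((1ULL << cluster_bits) - 1);
    *l2 = (local_off >> cluster_bits) & ((1ULL << l2_bits) - 1);
    *l1 = local_off >> (cluster_bits + l2_bits);
}

int main(void)
{
    const uint64_t G = 1ULL << 30;
    uint8_t hdr[SAMPLE_HEADER_LEN];
    DivSegment seg[MAX_SEGMENTS];
    char name[64];
    div_build_sample_header(hdr, sizeof hdr, 10 * G);
    uint64_t div = div_read_chunk_size(hdr, sizeof hdr);
    /* An 8 KiB read straddling the boundary between chunk 0 and chunk 1. */
    int n = div_split_request(div, 80 * G, 10 * G - 4096, 8192, seg, MAX_SEGMENTS);
    for (int i = 0; i < n; i++) {
        div_chunk_name("xxxx.qcow2", seg[i].chunk, name, sizeof name);
        printf("%s: local offset %llu, %llu bytes\n", name,
               (unsigned long long)seg[i].local_off, (unsigned long long)seg[i].len);
    }
    return 0;
}
```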
In the invention, a "virtual disk file" is a storage method in which a file emulates a hard disk device for use by a virtual machine. Seen from the Host, the virtual machine's disk is just a file; seen from the Guest, it is indistinguishable from an ordinary hard disk.
In the invention, the "QCOW2 format", in full "qemu copy on write", is a virtual disk image format that the Qemu virtual machine grows dynamically only when a write operation occurs, in contrast to the raw image format (RAW). Its defining feature is that space is allocated only when data actually needs to be stored, which saves disk space on the Host. A qcow2 image is organized into fixed-size units called clusters; both the actual user data (guest data) and the image metadata are stored in clusters.
Compared with the prior art, the advantages of the invention are:
1. By scattering what used to be a single disk image file across several image files, the invention avoids the problem that theft of one disk image exposes all the data in the entire virtual disk.
2. The chunking strategy leaves room for further security design: instead of a fixed-range chunking strategy, a security and encryption strategy can be customized for the usage scenario.
3. The invention can be implemented without changing the existing virtual machine interfaces and usage habits, and is well compatible with upper layers such as libvirt.
Although the invention has been described with the preferred embodiments above, they are not intended to limit its scope of protection; any changes and modifications that a person skilled in the art makes to the embodiments without departing from the spirit and scope of the invention remain within its protection, which is defined by the claims.

Claims (6)

  1. A virtual disk secure storage method, characterized by comprising the following steps:
    Step S1: use the qemu-img tool to create a set of chunked virtual disk files; the chunking information of the virtual disk files is written into the file header of the first virtual disk file;
    Step S2: start the virtual machine, specifying the first virtual disk file of the virtual disk image to the qemu-kvm program; read the chunking information and locate the images of the other virtual disk files;
    Step S3: when qemu opens the qcow2 virtual disk image, build chunk meta information from the chunking information;
    Step S4: according to the chunk range covered by each read or write request, send the request to the virtual disk file of the corresponding virtual disk image for processing.
  2. The virtual disk secure storage method according to claim 1, characterized in that, in step S1, the set of chunked virtual disk files is created with the following command line:
    qemu-img create -f qcow2 -d parameter1 xxxx.qcow2 parameter2;
    where parameter1 is the size of each virtual disk file created and parameter2 is the size of the whole virtual disk image.
  3. The virtual disk secure storage method according to claim 1, characterized in that, in step S1, an image positioning layer added to the source code of the qcow2_co_create_opt function determines the addressing range of each created virtual disk file;
    in step S2, an image positioning layer added to the source code of the qcow2_open function reads the chunking information from the first virtual disk file and locates the images of the other virtual disk files;
    in step S4, an image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions determines, while handling a read or write request, the virtual disk file of the corresponding virtual disk image.
  4. The virtual disk secure storage method according to claim 3, characterized in that, in step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions uses an offset parameter and a bytes parameter, where offset gives the position within the virtual disk image and bytes gives the size of the requested content.
  5. The virtual disk secure storage method according to claim 1, characterized in that, in step S1, the chunking information of the virtual disk files is stored by adding a field div_img_size to the file header of the first virtual disk file's image.
  6. The virtual disk secure storage method according to claim 5, characterized in that, in step S1, the chunking information of the virtual disk files is stored in the following entry of the first virtual disk file's header: uint64_t div_img_size//.
PCT/CN2022/137630 2022-09-02 2022-12-08 Virtual disk-based secure storage method WO2024045407A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211068135.2 2022-09-02
CN202211068135.2A CN115146318B (en) 2022-09-02 2022-09-02 Virtual disk safe storage method

Publications (1)

Publication Number Publication Date
WO2024045407A1 true WO2024045407A1 (en) 2024-03-07

Family

ID=83415825

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/137630 WO2024045407A1 (en) 2022-09-02 2022-12-08 Virtual disk-based secure storage method

Country Status (2)

Country Link
CN (1) CN115146318B (en)
WO (1) WO2024045407A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115146318B (en) * 2022-09-02 2022-11-29 麒麟软件有限公司 Virtual disk safe storage method
CN115629716B (en) * 2022-12-07 2023-04-11 广东睿江云计算股份有限公司 Defragmentation method and defragmentation system based on disk mirror image file

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516755A (en) * 2012-06-27 2014-01-15 华为技术有限公司 Virtual storage method and equipment thereof
CN109933278A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 For realizing the method and apparatus of block device carry access
CN113641467A (en) * 2021-10-19 2021-11-12 杭州优云科技有限公司 Distributed block storage implementation method of virtual machine
CN115146318A (en) * 2022-09-02 2022-10-04 麒麟软件有限公司 Virtual disk safe storage method

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373441B (en) * 2008-09-19 2012-04-18 苏州壹世通科技有限公司 Virtual platform system based on firmware
WO2012162128A1 (en) * 2011-05-20 2012-11-29 Citrix Systems, Inc. Securing encrypted virtual hard disks
CN102891876B (en) * 2011-07-22 2017-06-13 中兴通讯股份有限公司 Distributed data encryption method and system under cloud computing environment
US10719346B2 (en) * 2016-01-29 2020-07-21 British Telecommunications Public Limited Company Disk encryption
CN108664523B (en) * 2017-03-31 2021-08-13 华为技术有限公司 Virtual disk file format conversion method and device
CN109032499B (en) * 2018-06-09 2022-04-05 西安电子科技大学 Data access method for distributed data storage and information data processing terminal
CN109376119B (en) * 2018-10-30 2021-10-26 郑州云海信息技术有限公司 Method for creating disk image file encrypted snapshot, method for using disk image file encrypted snapshot and storage medium
CN110058813A (en) * 2019-03-15 2019-07-26 启迪云计算有限公司 It is a kind of that management method is locally stored based on the storage of cloud platform block
CN113821170A (en) * 2021-08-31 2021-12-21 济南浪潮数据技术有限公司 Distributed storage system, access method and component
CN113961892A (en) * 2021-11-04 2022-01-21 杭州安恒信息技术股份有限公司 Account security control method and system, readable storage medium and computer equipment
CN114201755A (en) * 2021-12-15 2022-03-18 电子科技大学广东电子信息工程研究院 Out-of-domain security detection method for file system of virtual machine
CN114491421A (en) * 2022-01-21 2022-05-13 北京字跳网络技术有限公司 File encryption method, file processing method, file encryption device, file processing device, readable medium and electronic equipment
CN114968128A (en) * 2022-07-28 2022-08-30 云宏信息科技股份有限公司 Qcow 2-based virtual disk mapping method, system and medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516755A (en) * 2012-06-27 2014-01-15 华为技术有限公司 Virtual storage method and equipment thereof
CN109933278A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 Method and apparatus for implementing block device mount access
CN113641467A (en) * 2021-10-19 2021-11-12 杭州优云科技有限公司 Distributed block storage implementation method of virtual machine
CN115146318A (en) * 2022-09-02 2022-10-04 麒麟软件有限公司 Virtual disk safe storage method

Also Published As

Publication number Publication date
CN115146318A (en) 2022-10-04
CN115146318B (en) 2022-11-29

Similar Documents

Publication Publication Date Title
JP4089171B2 (en) Computer system
US20220006617A1 (en) Method and apparatus for data storage and verification
WO2024045407A1 (en) Virtual disk-based secure storage method
US20060174352A1 (en) Method and apparatus for providing versatile services on storage devices
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
CN101853363A (en) File protection method and system
CN100378689C (en) Enciphered protection and read write control method for computer data
KR950029930A (en) Method and device for securing file access
EP1012691A1 (en) Encrypting file system and method
KR20080065661A (en) A method for controlling access to file systems, related system, sim card and computer program product for use therein
CN106682521B (en) File transparent encryption and decryption system and method based on driver layer
US20200004695A1 (en) Locally-stored remote block data integrity
US20220366030A1 (en) Password Management Method and Related Apparatus
CN110569651A (en) file transparent encryption and decryption method and system based on domestic operating system
WO2023056742A1 (en) Cloud hard disk encryption method, apparatus and system, cloud hard disk decryption method, apparatus and system, and readable storage medium
WO2023273647A1 (en) Method for realizing virtualized trusted platform module, and secure processor and storage medium
WO2023010834A1 (en) Method and apparatus for starting embedded linux system, and storage medium
CN109376119B (en) Method for creating disk image file encrypted snapshot, method for using disk image file encrypted snapshot and storage medium
CN108229190A (en) Transparent encryption and decryption control method, device, program, storage medium and electronic equipment
CN101447009A (en) Method, device and system for installing software
CN101447013A (en) Method, device and system for running software
US20080107261A1 (en) Method for Protecting Confidential Data
CN113342473A (en) Data processing method, migration method of secure virtual machine, related device and architecture
CN113568568A (en) Hardware encryption method, system and device based on distributed storage
WO2020044095A1 (en) File encryption method and apparatus, device, terminal, server, and computer-readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22957219

Country of ref document: EP

Kind code of ref document: A1