CN-115934348-B - TEE resource orchestration method, system, device and storage medium in edge computing
Abstract
The invention provides a TEE resource orchestration method, system, device and storage medium for multi-access edge computing (MEC), in the technical field of cloud computing. The method comprises: a MEC orchestrator (MEO) receives the TEE capability information of a MEC host, reported by the virtualised infrastructure manager (VIM) that manages that host; according to the received TEE capability information and the TEE capability requirement of the user side, the MEO selects a VIM that manages a TEE-capable MEC host together with its associated MEC platform manager (MEPM), initiates a MEC APP instantiation request to that MEPM, and allocates resources on the TEE-capable MEC host, so that the MEO performs TEE-aware resource orchestration; after its TEE capability is started, the MEC host performs remote verification of the TEE instance; and a third-party application verifies the environment of the TEE application instance. With this scheme, when an edge service deploys an APP, the service functions or modules with high requirements on data and code privacy can be placed on infrastructure resources that support a TEE.
Inventors
- XUE MIAO
- REN JIE
- REN MENGXUAN
- MA SHAOWU
Assignees
- China United Network Communications Group Co., Ltd. (中国联合网络通信集团有限公司)
Dates
- Publication Date: 2026-05-08
- Application Date: 2022-12-28
Claims (10)
- 1. A trusted execution environment (TEE) resource orchestration method in multi-access edge computing, comprising the steps of: S1, a multi-access edge computing orchestrator (MEO) receives TEE capability information of a multi-access edge computing (MEC) host, notified by the virtualised infrastructure manager (VIM) that manages the MEC host; S2, according to the received TEE capability information and the TEE capability requirement of the user side, the MEO selects a VIM that manages a TEE-capable MEC host and the mobile edge platform manager (MEPM) associated with it, initiates a MEC APP instantiation request to the MEPM, and allocates resources on the TEE-capable MEC host, thereby realising TEE resource orchestration by the MEO; S3, after its TEE capability is started, the TEE-capable MEC host performs remote verification of the TEE instance; and S4, a third-party application verifies the environment of the TEE application instance.
- 2. The TEE resource orchestration method in multi-access edge computing according to claim 1, wherein the TEE capability information includes whether a TEE is supported, the TEE type supported, whether the TEE is switched on, and the TEE configuration information, and step S1 comprises: S11, the MEC host reports the TEE capability information to the VIM; S12, the VIM records the TEE capability information and reports it to the MEO; S13, the MEO receives the TEE capability information and records whether the MEC host supports a TEE together with the information about its VIM.
- 3. The TEE resource orchestration method in multi-access edge computing according to claim 1, wherein the TEE capability requirement of the user side is provided by adding a TEE-related requirement description to the MEC APP Descriptor file.
- 4. The TEE resource orchestration method in multi-access edge computing according to claim 3, wherein step S2 comprises: S201, the MEO receives a MEC APP instantiation request sent by the operations support system (OSS); S202, the MEO checks the MEC APP package configuration, including the descriptor file, sent by the OSS, analyses the resource requirement and the TEE capability requirement in the descriptor file, and selects a VIM that manages a TEE-capable MEC host and the MEPM associated with it; S203, the MEO initiates a MEC APP instantiation request to the MEPM; S204, the MEPM sends a resource allocation request to the VIM, carrying the MEC APP software image information in the request message; S205, based on the request of the MEPM, the VIM allocates the corresponding resources on the TEE-capable MEC host, downloads the MEC APP software image and instantiates it on the TEE-capable MEC host; S206, the VIM sends a resource allocation request response to the MEPM; S207, the MEPM sends a service configuration request for the MEC APP to the MEP, the service configuration request comprising the TEE-specific support library files and the TEE remote verification configuration; S208, the MEP performs service configuration for the MEC APP; S209, the MEP sends a service configuration request response to the MEPM; S210, the MEPM sends a MEC APP instantiation result response to the MEO and reports the resource allocation status to the MEO; S211, the MEO returns a MEC APP instantiation result response to the OSS.
- 5. The TEE resource orchestration method in multi-access edge computing according to claim 1, wherein step S3 comprises: S301, after the TEE-capable MEC host is started, it sends authentication information and a CA certificate application to the VIM, the authentication information comprising at least a CPU ID, a TEE instance ID and a TEE instance public key; S302, the VIM forwards the authentication information and the CA certificate application to the MEO that manages the VIM; S303, the MEO forwards the authentication information and the CA certificate application to the TEE manufacturer's server; S304, based on the factory information of the TEE, the TEE manufacturer's server verifies whether the TEE instance represented by the authentication information is a genuine TEE environment and obtains a remote attestation result; S305, the TEE manufacturer's server returns the remote attestation result and the CA certificate to the MEO; S306, the MEO checks the remote attestation result and stores the CA certificate locally; S307, the MEO returns the remote attestation result and the CA certificate to the VIM; S308, the VIM returns the remote attestation result and the CA certificate to the TEE-capable MEC host; S309, the TEE-capable MEC host stores the CA certificate locally.
- 6. The TEE resource orchestration method in multi-access edge computing according to claim 1, wherein, when the third-party application and the TEE application instance are in the same MEC environment, step S4 comprises: S411, the TEE application instance generates an attestation report locally and sends it to the third-party application; S412, the third-party application sends the attestation report to the MEP that manages it, requesting attestation; S413, the MEP sends the attestation report to the MEPM that manages it, requesting attestation; S414, the MEPM sends the attestation report to the MEO that manages it, requesting attestation, and the MEO verifies the signature in the attestation report using the locally stored CA certificate, completes the remote attestation and returns the remote attestation result to the MEPM; S415, the MEPM returns the remote attestation result to the MEP; S416, the MEP returns the remote attestation result to the third-party application; S417, the third-party application decides, according to the remote attestation result, whether to continue interacting with the TEE application instance, and if the result is a pass, it establishes trusted communication with the TEE application instance and continues the interaction.
- 7. The TEE resource orchestration method in multi-access edge computing according to claim 1, wherein, when the third-party application and the TEE application instance are not in the same MEC environment, step S4 comprises: S421, the TEE application instance generates an attestation report locally and sends it to the third-party application; S422, the third-party application sends the attestation report to the MEO, requesting attestation, and the MEO verifies the signature in the attestation report using the locally stored CA certificate, completing the remote attestation; S423, the MEO returns the attestation result to the third-party application.
- 8. A trusted execution environment (TEE) resource orchestration system in multi-access edge computing, characterised in that it comprises a mobile edge platform (MEP), a mobile edge platform manager (MEPM) that manages the MEP, a multi-access edge computing (MEC) host, a virtualised infrastructure manager (VIM) that manages the MEC host, and a multi-access edge computing orchestrator (MEO) that receives the TEE capability information of the MEC host notified through the VIM managing that host, selects a TEE-capable MEC host and the associated MEPM according to the received TEE capability information and the TEE capability requirement of the user side, initiates a MEC APP instantiation request to the MEPM, and allocates resources on the TEE-capable MEC host, thereby realising TEE resource orchestration by the MEO.
- 9. A TEE resource orchestration device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, performs the trusted execution environment (TEE) resource orchestration method in multi-access edge computing according to any one of claims 1 to 7.
- 10. A computer-readable storage medium on which a computer program is stored, characterised in that the computer program, when executed by a processor, performs the trusted execution environment (TEE) resource orchestration method in multi-access edge computing according to any one of claims 1 to 7.
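The capability report of claim 2, the descriptor requirement of claim 3 and the selection step S202 of claim 4 together define how the MEO decides where a TEE-dependent APP may run. The following Go program is an added example written for this page, not code from the patent or its assignee: it models the reported capability record, the TEE section of the descriptor and the MEO's selection, and refuses hosts whose TEE is supported but not switched on or is of a type other than the one requested. The field names, the TEE type labels, the enclave-memory figure, the preference for plain hosts when no TEE is required and the inventory are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// TEECapability is the record a MEC host reports to its VIM and the VIM to the MEO (S11-S13):
// whether a TEE is supported, its type, whether it is switched on, and a configuration figure.
// The field set and the type labels are assumptions; the claims name categories, not a format.
type TEECapability struct {
	Supported, Enabled bool
	Type               string // e.g. "SGX", "TDX" (assumed labels)
	EnclaveMemMiB      int
}

// MECHost carries the free general-purpose resources next to the TEE capability.
type MECHost struct {
	ID               string
	FreeCPU, FreeMem int // cores, MiB
	TEE              TEECapability
}

// VIMRecord is what the MEO keeps per VIM after S13: its hosts and the MEPM associated with it.
type VIMRecord struct {
	VIM, MEPM string
	Hosts     []MECHost
}

// AppD is the part of the MEC APP Descriptor the MEO analyses in S202, with the TEE requirement of claim 3 added.
type AppD struct {
	Name          string
	CPU, Mem      int
	TEERequired   bool
	TEEType       string
	MinEnclaveMiB int
}

// Placement is the S202 outcome: the VIM that receives the allocation request, its MEPM and the host.
type Placement struct{ VIM, MEPM, Host string }

var ErrNoTEEHost = errors.New("no VIM manages a host that satisfies the TEE requirement")

// satisfies is the per-host check of S202. A TEE that is supported but switched off, or of another
// type than the descriptor asks for, must not be chosen: the APP would boot but its enclave never would.
func satisfies(h MECHost, d AppD) bool {
	if h.FreeCPU < d.CPU || h.FreeMem < d.Mem {
		return false
	}
	if !d.TEERequired {
		return true
	}
	t := h.TEE
	return t.Supported && t.Enabled && t.Type == d.TEEType && t.EnclaveMemMiB >= d.MinEnclaveMiB
}

// SelectPlacement is the MEO's affinity step: APPs that need a TEE go to a matching TEE host; APPs that
// do not prefer a plain host so that scarce TEE capacity stays free (that preference is an assumed policy).
func SelectPlacement(vims []VIMRecord, d AppD) (Placement, error) {
	var fallback *Placement
	for _, v := range vims {
		for _, h := range v.Hosts {
			if !satisfies(h, d) {
				continue
			}
			p := Placement{v.VIM, v.MEPM, h.ID}
			if d.TEERequired || !h.TEE.Supported {
				return p, nil
			}
			if fallback == nil {
				fallback = &p
			}
		}
	}
	if fallback != nil {
		return *fallback, nil
	}
	if d.TEERequired {
		return Placement{}, ErrNoTEEHost
	}
	return Placement{}, errors.New("no host has enough free resources")
}

// SampleInventory is a constructed MEO view of two VIMs, not real data.
func SampleInventory() []VIMRecord {
	return []VIMRecord{
		{VIM: "vim-a", MEPM: "mepm-a", Hosts: []MECHost{
			{ID: "h2", FreeCPU: 8, FreeMem: 16384, TEE: TEECapability{Supported: true, Type: "SGX", EnclaveMemMiB: 128}}, // supported, switched off
			{ID: "h1", FreeCPU: 8, FreeMem: 16384},
		}},
		{VIM: "vim-b", MEPM: "mepm-b", Hosts: []MECHost{
			{ID: "h3", FreeCPU: 4, FreeMem: 8192, TEE: TEECapability{Supported: true, Enabled: true, Type: "SGX", EnclaveMemMiB: 128}},
		}},
	}
}

func main() {
	inv := SampleInventory()
	for _, d := range []AppD{
		{Name: "face-id", CPU: 2, Mem: 2048, TEERequired: true, TEEType: "SGX", MinEnclaveMiB: 64},
		{Name: "cdn-cache", CPU: 2, Mem: 1024},
		{Name: "ml-scoring", CPU: 2, Mem: 2048, TEERequired: true, TEEType: "TDX"},
	} {
		p, err := SelectPlacement(inv, d)
		fmt.Printf("%-10s -> %+v %v\n", d.Name, p, err)
	}
}
```

The two refusals worth noticing are host h2, which reports SGX support but has it switched off and therefore never receives the face-id APP, and the descriptor asking for a TEE type no VIM manages, which surfaces as ErrNoTEEHost rather than as a silent placement on a plain host; in the procedure of claim 4 that failure is what the MEO would return to the OSS in S211.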
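Claims 5 to 7 describe the two halves of the attestation: enrolment of the TEE instance with the manufacturer's server (S301-S309) and later verification of an attestation report against the CA certificate the MEO stored (S411-S417 and S421-S423). The Go program below is an added example written for this page, not code from the patent or its assignee. It assumes that the manufacturer's "CA certificate" is an X.509 root, that enrolment returns a leaf certificate binding the instance public key to the CPU ID and instance ID, that the report carries that leaf and a measurement of the loaded MEC APP image, and that the verifier supplies a nonce; the claims name none of these details, and the relay through VIM and MEO is collapsed into direct calls.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ManufacturerServer stands in for the TEE vendor's verification service of S303-S305; the factory record is
// assumed to be the set of CPU IDs provisioned at manufacture, and CACert is what the MEO stores in S306.
type ManufacturerServer struct {
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	factory map[string]bool
	serial  int64 // a counter suffices here; a real CA uses random serials
}

// newCert signs tmpl with the vendor key; parent == tmpl yields the self-signed vendor root.
func (m *ManufacturerServer) newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) ([]byte, error) {
	m.serial++
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(m.serial), time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, m.caKey)
}

func NewManufacturerServer(factory map[string]bool) (*ManufacturerServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	m := &ManufacturerServer{caKey: key, factory: factory}
	root := &x509.Certificate{Subject: pkix.Name{CommonName: "Example TEE Vendor CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := m.newCert(root, root, &key.PublicKey)
	if err == nil {
		m.CACert, err = x509.ParseCertificate(der)
	}
	return m, err
}

// IssueCertificate is S304/S305: a CPU ID absent from the factory record is not a genuine TEE and is refused;
// otherwise the instance public key is bound to (CPU ID, instance ID) in a leaf certificate under the vendor CA.
func (m *ManufacturerServer) IssueCertificate(cpuID, instanceID string, pub *ecdsa.PublicKey) ([]byte, error) {
	if !m.factory[cpuID] {
		return nil, fmt.Errorf("CPU %q unknown to factory records", cpuID)
	}
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: instanceID, OrganizationalUnit: []string{cpuID}},
		KeyUsage: x509.KeyUsageDigitalSignature}
	return m.newCert(leaf, m.CACert, pub)
}

// TEEInstance is a TEE application instance on a MEC host; cert is the certificate it keeps locally (S309).
type TEEInstance struct {
	key  *ecdsa.PrivateKey
	cert []byte
}

// NewTEEInstance runs S301-S309 in one step: generate the instance key, send CPU ID, instance ID and public
// key to the vendor (relayed through VIM and MEO in the patent, called directly here) and keep the certificate.
func NewTEEInstance(m *ManufacturerServer, cpuID, instanceID string) (*TEEInstance, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := m.IssueCertificate(cpuID, instanceID, &key.PublicKey)
	return &TEEInstance{key: key, cert: cert}, err
}

// Report is the attestation report of S411/S421: the measured MEC APP image and the instance certificate,
// signed with the instance key over a digest that also covers the verifier's nonce (the nonce is our addition).
type Report struct {
	Measurement             [32]byte
	InstanceCert, Signature []byte
}

// No length prefixes are needed: a DER certificate is self-delimiting and the measurement has a fixed size.
func reportDigest(r *Report, nonce []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{r.InstanceCert, r.Measurement[:], nonce}, nil))
	return sum[:]
}

func (t *TEEInstance) GenerateReport(measurement [32]byte, nonce []byte) (*Report, error) {
	r := &Report{Measurement: measurement, InstanceCert: t.cert}
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, reportDigest(r, nonce))
	r.Signature = sig
	return r, err
}

// VerifyReport is the MEO check of S414/S422 against the locally stored vendor CA, followed by the third party's
// S417 decision. The verifier hashes in its own nonce, so a replayed or stale report fails the signature check.
func VerifyReport(ca *x509.Certificate, r *Report, nonce []byte, wantInstance string, approved [32]byte) error {
	cert, err := x509.ParseCertificate(r.InstanceCert)
	if err != nil {
		return err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("instance certificate not issued by the vendor CA: %w", err)
	}
	if cert.Subject.CommonName != wantInstance {
		return fmt.Errorf("certificate is for instance %q, not %q", cert.Subject.CommonName, wantInstance)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, reportDigest(r, nonce), r.Signature) {
		return fmt.Errorf("report signature invalid or stale")
	}
	if r.Measurement != approved {
		return fmt.Errorf("measured MEC APP image is not the approved one")
	}
	return nil
}

func main() {
	vendor, _ := NewManufacturerServer(map[string]bool{"CPU-0001": true})
	inst, _ := NewTEEInstance(vendor, "CPU-0001", "tee-inst-42")
	image, nonce := sha256.Sum256([]byte("constructed MEC APP image")), []byte("challenge-1")
	rep, _ := inst.GenerateReport(image, nonce)
	fmt.Println("verify:", VerifyReport(vendor.CACert, rep, nonce, "tee-inst-42", image))
}
```

VerifyReport is written from the MEO's position in S414/S422 and ends with the S417 policy decision: a chain to a different root, a certificate for another instance, a stale nonce, a tampered measurement and an unapproved image each fail on their own check. The factory-record lookup in IssueCertificate is a stand-in for whatever the manufacturer actually consults in S304; the claim only says the check is based on factory information.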
Description
TEE resource orchestration method, system, device and storage medium in edge computing
Technical Field
The present invention relates to the field of cloud computing technologies, and in particular to a TEE resource orchestration method in multi-access edge computing, a TEE resource orchestration system in multi-access edge computing, a TEE resource orchestration device, and a computer-readable storage medium.
Background
With the deployment of 5G, and in particular of 5G private networks, the need for data processing at the network edge increases. On one hand, the low-latency requirement of certain services demands a fast response; on the other hand, data governance policies require service data to be processed on the campus premises. MEC (multi-access edge computing) provides IT services and cloud computing capabilities in data centres close to the network edge, and is increasingly used by OTT providers and operators to build the infrastructure the edge service ecosystem needs. However, MEC is deployed at the network edge, the environment is complex, and the infrastructure and the applications belong to different owners, which places new requirements on trust and on the privacy of data processing. On the one hand, some business processes involve sensitive data such as face recognition, location data and production data, and an ordinary virtual environment built on general-purpose x86 hardware carries a risk of privacy disclosure; on the other hand, for data processed locally on the campus, bidirectional protection is needed for the local data and for third-party algorithms. Confidential computing based on a TEE (trusted execution environment) is regarded as a practical way to implement a scalable scheme in which data is "usable but not visible".
The sensitive data and the program code are passed into the TEE in ciphertext, the computation is completed there and the results are output, so that the privacy of both the data and the code is protected. However, when MEC orchestrates IaaS resources (VMs or Docker containers), the MEC host has no way to inform the VIM (virtualised infrastructure manager) and the MEO (MEC orchestrator) above it whether the host supports a TEE, whether the TEE function is switched on, which TEE type is supported, and similar information. When the MEO orchestrates resources, the MEC APP Descriptor does not describe TEE requirements, the MEO performs no affinity processing for TEE resources, and, although remote attestation of the TEE is involved, MEC provides no way to select an attestation method.
Disclosure of Invention
The invention is made to at least partially solve the problems in the prior art that a MEC host does not support reporting of its TEE capability, that the MEO neither describes TEE requirements nor processes TEE affinity during resource orchestration, and that MEC provides no selection of an attestation method.
According to one aspect of the invention, a trusted execution environment (TEE) resource orchestration method in multi-access edge computing is provided, comprising the following steps: S1, a MEC orchestrator (MEO) receives TEE capability information of a MEC host, notified by the virtualised infrastructure manager (VIM) that manages the MEC host; S2, the MEO selects a VIM that manages a TEE-capable MEC host and its associated MEPM (mobile edge platform manager) according to the received TEE capability information and the TEE capability requirement of the user side, initiates a MEC APP instantiation request to the MEPM, and allocates resources on the TEE-capable MEC host, thereby realising TEE resource orchestration by the MEO; S3, after the TEE capability of the TEE-capable MEC host is started, remote verification of the TEE instance is performed; and S4, a third-party application verifies the environment of the TEE application instance.
Optionally, the TEE capability information includes whether a TEE is supported, the TEE type supported, whether the TEE is switched on, and the (necessary) TEE configuration information, and step S1 includes S11, the MEC host reports the TEE capability information to the VIM; S12, the VIM records the TEE capability information and reports it to the MEO; and S13, the MEO receives the TEE capability information and records whether the MEC host supports a TEE together with the information about the VIM.
Optionally, the TEE capability requirement of the user side is provided by adding TEE relat