
CN-121501426-B - Virtual machine cloning security control method and system in cloud server crypto machine environment


Abstract

The invention relates to the technical field of virtualization security, and in particular to a virtual machine cloning security control method and system in a cloud server cryptographic machine environment. The method comprises the following steps: the physical cryptographic machine generates a hardware root key pair; the management platform uses the root key to sign a public key and generate an authorization certificate, extracts a source mark and combines it with a timestamp to construct a unique identifier, and calls a private key to encrypt a data block, generating a signature and constructing a credential; the cryptographic machine decrypts the signature with the public key and compares the result with the hash digest; when the two are consistent, it partitions an independent storage area, establishes a mapping relation and returns a resource access handle to the clone virtual machine. In the invention, a trusted authorization system is established through a hardware root key, and a unique identity credential containing a source mark is constructed dynamically. Identity authenticity is ensured through digital signatures and hardware-level verification, and an independent storage area is forcibly partitioned after verification passes, so that the hardware resources of the clone and of the source instance are physically isolated, the risk of unauthorized access is blocked, and the security of cryptographic operations is ensured.

Inventors

  • ZHU YUN
  • LIU FEIYU
  • Jing Liankui
  • DI HU

Assignees

  • 数盾信息科技股份有限公司

Dates

Publication Date
20260508
Application Date
20260112

Claims (10)

  1. A virtual machine cloning security control method in a cloud server cryptographic machine environment, characterized by comprising the following steps: S1, a physical cryptographic machine generates a hardware root key pair, a virtualization management platform generates a management public key and a management private key and transmits the management public key to the physical cryptographic machine, and a platform authorization certificate is generated by signing the management public key using the hardware root key pair; S2, the virtualization management platform extracts a source mark, constructs a target unique identifier by combining it with a timestamp, generates a data block to be signed by combining the source mark and the target unique identifier, generates digital signature data by calling the management private key to encrypt the data block to be signed, and constructs an identity certificate containing the data block to be signed and the digital signature data; S3, the clone virtual machine is started and the identity certificate is transmitted to the physical cryptographic machine, the physical cryptographic machine parses the platform authorization certificate to extract the management public key, decrypts the digital signature data using the management public key, performs a hash calculation on the data block to be signed to generate a computed digest, and compares the decrypted data with the computed digest; and S4, when the comparison is consistent, the physical cryptographic machine partitions an independent storage area, establishes a mapping relation between the target unique identifier and the independent storage area, generates a resource access handle pointing to the independent storage area, and returns the resource access handle to the clone virtual machine.
  2. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 1, wherein step S1 specifically includes: S11, the physical cryptographic machine calls an internally integrated true random number generator to generate the hardware root key pair comprising a hardware root public key and a hardware root private key, stores the hardware root private key in a hardware-protected secure storage area, and broadcasts the hardware root public key externally for verification; S12, the virtualization management platform generates a key pair comprising a management public key and a management private key according to a preset asymmetric encryption algorithm standard, sends the management public key to the physical cryptographic machine over an established encrypted communication channel, and at the same time stores the management private key in isolation in a local secure container; and S13, the physical cryptographic machine receives the management public key, acquires the hardware serial number and firmware version information of the current device, concatenates the management public key and the hardware serial number, calls the hardware root private key to perform a digital signature operation on the combined data, and generates a platform authorization certificate containing the signature result and public key attribute information.
  3. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 1, wherein step S2 specifically includes: S21, the virtualization management platform acquires a configuration feature hash value of the source virtual machine through a system log interface as the source mark, reads the high-precision clock cycle count of the current system as the timestamp, and concatenates the source mark and the timestamp at character level to generate a globally unique target unique identifier; S22, the virtualization management platform takes the source mark as header data and the target unique identifier as payload data, assembles them according to a predefined binary data packet format, and generates a data block to be signed for identity verification; and S23, the virtualization management platform calls the management private key, performs an encryption operation on the whole data block to be signed using an asymmetric encryption algorithm to generate irreversible digital signature data, appends the digital signature data to the tail of the data block to be signed, and encapsulates the result to obtain an identity certificate.
  4. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 1, wherein step S3 specifically includes: S31, a direct I/O channel to the physical cryptographic machine is established during the boot stage of the clone virtual machine, and the identity certificate is injected into the channel and sent to the physical cryptographic machine, wherein the physical cryptographic machine uses the known hardware root public key to verify the signature of the platform authorization certificate, and parses and recovers the management public key from the platform authorization certificate after signature verification passes; S32, the physical cryptographic machine uses the parsed management public key to decrypt the digital signature data in the identity certificate and recover the original plaintext data sequence, and at the same time applies the same hash algorithm as the encrypting side to the data block to be signed in the identity certificate to generate a computed digest; and S33, the physical cryptographic machine compares the recovered plaintext data sequence with the computed digest bit by bit, counts the number of differing bits between them, judges the comparison result consistent only when the number of differing bits is zero, and otherwise determines that verification has failed and triggers a security alarm interrupt flow.
  5. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 1, wherein step S4 specifically includes: S41, when the comparison results are consistent, the physical cryptographic machine scans the idle state of its internal storage resource pool, locks a section of contiguous physical address space according to a preset security policy, and marks it as an independent storage area that only a specific ID is allowed to access; S42, the physical cryptographic machine creates a new entry in an internal security access control table, taking the target unique identifier as the index key and the physical start address and length of the independent storage area as the index values, and establishes a one-to-one mapping relation between the two; and S43, based on the mapping relation, the physical cryptographic machine generates a resource access handle containing an encrypted access token and an address offset, and returns the resource access handle to the operating system kernel of the clone virtual machine through a secure channel to complete the mount authorization of the storage resource.
  6. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 2, wherein the process of generating the platform authorization certificate in S13 specifically includes: acquiring the binary data stream of the management public key, and calculating an integrity check value of the data stream using a secure hash algorithm; acquiring the hardware serial number of the physical cryptographic machine and the validity period time window parameter of the current issuing operation; concatenating the integrity check value, the hardware serial number and the validity period time window parameter in a preset order into the content to be signed; and performing an encryption operation on the content to be signed using the hardware root private key to generate a signature ciphertext, and packaging the signature ciphertext together with the content to be signed to generate the platform authorization certificate.
  7. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 3, wherein the process of constructing the target unique identifier in S21 specifically includes: reading the universally unique identifier of the source virtual machine and the task serial number of the current cloning task; acquiring the nanosecond timestamp of the current moment on the virtualization management platform and a randomly generated dynamic salt value; mixing and arranging the universally unique identifier, the task serial number, the nanosecond timestamp and the dynamic salt value in order from high to low; and performing an irreversible compression mapping transformation on the mixed data, truncating the transformed result to a fixed-length character string, and generating the target unique identifier.
  8. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 4, wherein the specific process of S33 includes: temporarily storing the plaintext data sequence obtained by decryption in a first secure register, and temporarily storing the computed digest generated by the hash calculation in a second secure register; starting a hardware comparator circuit, and synchronously reading the data bits in the first secure register and the second secure register under the drive of a clock signal; executing a bitwise exclusive-OR operation, and accumulating in real time the number of times the exclusive-OR result is non-zero; and when all data bits have been read and the accumulated count is strictly equal to zero, outputting a level signal indicating a consistent comparison, otherwise outputting a level signal indicating a failed comparison and triggering a data destruction instruction.
  9. The virtual machine cloning security control method in a cloud server cryptographic machine environment according to claim 5, wherein the step of partitioning the independent storage area in S41 specifically includes: searching the list of unallocated physical blocks in the physical storage medium, and screening candidate physical blocks that meet the capacity requirement according to the resource request specification of the clone virtual machine; starting hardware-level data erasing logic, and writing all-zero data or meaningless random noise data to every address unit of the selected candidate physical block so as to overwrite historical residual information in the area; and after the data erasing operation is completed, modifying the partition configuration register of the storage controller, setting the read-write permission bit of the candidate physical block, and updating the state of the candidate physical block to an allocated and protected independent storage area.
  10. A virtual machine cloning security control system in a cloud server cryptographic machine environment, wherein the system is configured to implement the virtual machine cloning security control method in a cloud server cryptographic machine environment as set forth in any one of claims 1 to 9, the system comprising: an authorization certificate management module, used for controlling the physical cryptographic machine to generate a hardware root key pair, controlling the virtualization management platform to generate a management public key and a management private key, coordinating the transmission of the management public key, and driving the physical cryptographic machine to sign the management public key using the hardware root key pair so as to generate a platform authorization certificate; an identity credential construction module, used for instructing the virtualization management platform to extract a source mark and construct a target unique identifier by combining it with a timestamp, combining them to generate a data block to be signed, calling the management private key to encrypt it and generate digital signature data, and assembling an identity certificate containing the data block to be signed and the digital signature data; a security verification analysis module, used for transmitting the identity certificate when the clone virtual machine is started, driving the physical cryptographic machine to parse the platform authorization certificate and extract the management public key, executing the decryption operation and the hash calculation to generate a computed digest, and comparing the decrypted data with the computed digest for consistency; and a resource isolation mapping module, used for controlling the physical cryptographic machine to partition an independent storage area in the storage resource pool when the comparison results are consistent, establishing a mapping relation between the target unique identifier and the area, generating a resource access handle pointing to the area and returning the resource access handle to the clone virtual machine.

Description

Virtual machine cloning security control method and system in cloud server crypto machine environment

Technical Field

The invention relates to the technical field of virtualization security, and in particular to a virtual machine cloning security control method and system in a cloud server cryptographic machine environment.

Background

The technical field of virtualization security concerns the isolation and protection of computing resources, data transmission and execution processes in a virtualized environment, using software or hardware mechanisms to prevent unauthorized access, data leakage or malicious tampering and to ensure the integrity and confidentiality of a virtual machine. In the traditional virtual machine cloning security control method in a cloud server cryptographic machine environment, a virtualization management platform copies the disk image file and configuration file of a source virtual machine in full to a target storage path, using snapshot technology or file system copy instructions, and allocates a new MAC address to generate a clone virtual machine. In this process, the clone virtual machine typically inherits directly the source virtual machine's operating system registry configuration, application program interface handles, and driver settings bound to the physical cryptographic machine board, and continues to use the key container and encrypted session channel of the source virtual machine through the PCI Express or virtual function interface, without an independent identity reset or renegotiation of access rights with the hardware security module.

When the traditional virtual machine cloning method is applied in a physical cryptographic machine environment, the system configuration and driver state of the source virtual machine are reused directly, so the generated clone instance fully inherits the source instance's access rights to the hardware security module. Because the operation is a complete copy, multiple virtual machine instances share the same key container and encrypted session handle, the physical cryptographic machine cannot effectively distinguish which instance an instruction comes from, and fine-grained operation auditing and permission isolation are difficult to implement. Once any instance is attacked, an attacker can acquire sensitive key information through the shared channel, causing identity confusion and serious data security risk.

Disclosure of Invention

The invention aims to remedy the defects of the prior art, and provides a virtual machine cloning security control method and system in a cloud server cryptographic machine environment.
To achieve the above purpose, the present invention adopts the following technical scheme. The virtual machine cloning security control method in a cloud server cryptographic machine environment comprises the following steps: S1, a physical cryptographic machine generates a hardware root key pair, a virtualization management platform generates a management public key and a management private key and transmits the management public key to the physical cryptographic machine, and a platform authorization certificate is generated by signing the management public key using the hardware root key pair; S2, the virtualization management platform extracts a source mark, constructs a target unique identifier by combining it with a timestamp, generates a data block to be signed by combining the source mark and the target unique identifier, generates digital signature data by calling the management private key to encrypt the data block to be signed, and constructs an identity certificate containing the data block to be signed and the digital signature data; S3, the clone virtual machine is started and the identity certificate is transmitted to the physical cryptographic machine, the physical cryptographic machine parses the platform authorization certificate to extract the management public key, decrypts the digital signature data using the management public key, performs a hash calculation on the data block to be signed to generate a computed digest, and compares the decrypted data with the computed digest; and S4, when the comparison is consistent, the physical cryptographic machine partitions an independent storage area, establishes a mapping relation between the target unique identifier and the independent storage area, generates a resource access handle pointing to the independent storage area, and returns the resource access handle to the clone virtual machine.
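The S1 to S4 exchange above as an added Go example (not code from the patent or its applicant). Ed25519 sign and verify from the Go standard library stand in for the "encrypt with the private key, decrypt with the public key and compare digests" step; the type and function names, the length-prefixed data block layout, and the rejection of an already-mapped target identifier are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Cert struct { // S1 platform authorization certificate
	MgmtPub ed25519.PublicKey
	Sig     []byte // made with the hardware root private key
}
type Credential struct { // S2 identity credential: data block fields + signature
	Source, TargetID string
	Sig              []byte
}
type HSM struct { // physical cryptographic machine (hypothetical model)
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	regions map[string]int // access table: target identifier -> region number
}

func NewHSM() *HSM {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &HSM{pub, priv, map[string]int{}}
}

// block length-prefixes header and payload (assumed layout) so fields cannot shift.
func block(src, id string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s", len(src), src, len(id), id))
}

// Enroll is S1 (the HSM signs the platform's management public key); Issue is S2.
func (h *HSM) Enroll() (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return Cert{pub, ed25519.Sign(h.priv, pub)}, priv
}
func Issue(mgmtPriv ed25519.PrivateKey, src, id string) Credential {
	return Credential{src, id, ed25519.Sign(mgmtPriv, block(src, id))}
}

// Attach is S3 (verify the chain) then S4 (map an isolated region, numbered from 1).
func (h *HSM) Attach(pc Cert, c Credential) (int, error) {
	switch {
	case !ed25519.Verify(h.pub, pc.MgmtPub, pc.Sig):
		return 0, fmt.Errorf("platform certificate rejected")
	case !ed25519.Verify(pc.MgmtPub, block(c.Source, c.TargetID), c.Sig):
		return 0, fmt.Errorf("identity credential rejected")
	case h.regions[c.TargetID] != 0: // assumption: one region per identifier
		return 0, fmt.Errorf("target identifier already mapped")
	}
	h.regions[c.TargetID] = len(h.regions) + 1
	return h.regions[c.TargetID], nil
}

func main() {
	hsm := NewHSM()
	cert, priv := hsm.Enroll()
	fmt.Println(hsm.Attach(cert, Issue(priv, "src-cfg-hash", "clone-0001"))) // constructed values
}
```

A credential copied together with the disk image verifies exactly as the original does, so the signature alone does not separate a clone from a copy of that clone; here the access table lookup on the target identifier is what refuses the second presentation.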
As a further scheme of the present invention, step S1 specifically includes: S11, the physical cryptographic machine calls an internally integrated true random number generator to generate the hardware root key pair comprising a hardware root public key and a hardware root private key, stores the hardware root private key in a hardware-protected secure storage area, and broadcasts the hardware roo