
CN-121980558-A - Container system safety enhancement method and electronic equipment


Abstract

The invention relates to the technical field of virtualization frameworks, in particular to a container system security enhancement method and electronic equipment. The method is applied to an electronic device on which a Linux kernel, an Android system, a container and a TEE run. At the start-up stage of the container, the Linux kernel obtains the trusted identity certificate stored in the container and sends it to the TEE; the TEE performs signature verification on the received trusted identity certificate and, if verification passes, returns a corresponding trusted credential to the Linux kernel; after receiving the trusted credential, the Linux kernel sets a trusted mark on the namespace of the container; and based on the trusted mark, the Linux kernel receives requests from the Android system, starts the container, and performs access control and allocation of the container's resources. The Linux kernel can thus manage and control container resources dynamically with greater precision and safety, effectively isolate the resource access of untrusted containers, and further strengthen the security protection of the whole container system.
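The certificate-to-namespace-mark flow the abstract describes, as an added Go example that is not part of the patent: the TEE holds the per-container private key (claim 5), the kernel sends the stored certificate at start-up, and only a verified reply sets the trusted mark that later gates requests (claim 2). The certificate layout, `NewTEE`, `TrustMarks` and the credential string are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// IdentityCert is the container's trusted identity certificate: its name signed by a TEE-held key (constructed layout).
type IdentityCert struct {
	Name      string
	Signature []byte
}

// TEE keeps private keys in its own memory (claim 5) and verifies with its own copy of the public key, never one read back from the container.
type TEE struct{ keys map[string]ed25519.PrivateKey }
func NewTEE() *TEE { return &TEE{keys: map[string]ed25519.PrivateKey{}} }

// CreateIdentity models the creation stage: key pair generated inside the TEE, only the signed certificate handed out.
func (t *TEE) CreateIdentity(name string) IdentityCert {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail here
	t.keys[name] = priv
	return IdentityCert{Name: name, Signature: ed25519.Sign(priv, []byte(name))}
}

// Verify is the claim 1 check; the string stands in for the trusted credential.
func (t *TEE) Verify(c IdentityCert) (string, error) {
	priv, ok := t.keys[c.Name]
	if !ok || !ed25519.Verify(priv.Public().(ed25519.PublicKey), []byte(c.Name), c.Signature) {
		return "", errors.New("identity certificate rejected")
	}
	return "credential:" + c.Name, nil
}

// TrustMarks models the kernel's trusted mark on each container namespace.
type TrustMarks map[string]bool
// StartContainer: the certificate read at container start goes to the TEE; the mark is set only if a credential comes back.
func (m TrustMarks) StartContainer(tee *TEE, c IdentityCert) bool {
	_, err := tee.Verify(c)
	m[c.Name] = err == nil
	return m[c.Name]
}

// HandleRequest is the claim 2 decision: an operation on an object in an unmarked namespace gets an operation-failure response.
func (m TrustMarks) HandleRequest(container string) error {
	if !m[container] {
		return errors.New("operation failed: namespace lacks trusted mark")
	}
	return nil
}
```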

Inventors

  • YE GUOHUA
  • QIU YILONG

Assignees

  • 福建汇思博数字科技有限公司

Dates

Publication Date
2026-05-05
Application Date
2025-12-29

Claims (11)

  1. A method for enhancing security of a container system, applied to an electronic device on which a Linux kernel, an Android system, a container and a TEE are running, the method comprising: the Linux kernel acquires a trusted identity certificate stored in the container at the start-up stage of the container and sends the trusted identity certificate to the TEE; the TEE performs signature verification on the received trusted identity certificate and, if the verification passes, returns a corresponding trusted credential to the Linux kernel; after the Linux kernel receives the trusted credential, a trusted mark is set on the namespace of the container; and based on the trusted mark, the Linux kernel receives requests of the Android system, starts the container and performs access control and allocation on the resources of the container.
  2. The method for enhancing security of a container system according to claim 1, wherein the Linux kernel receiving requests of the Android system based on the trusted mark, starting the container and performing access control and allocation on resources of the container comprises: the Linux kernel judges whether the trusted mark of the namespace to which the target object of an operation request received from the Android system belongs is a preset value, and if so, returns an operation failure response to the Android system.
  3. The container system security enhancement method of claim 1, further comprising: the Linux kernel adds namespace check logic to the access interface of a device node in a driver of the Linux kernel, the namespace check logic being configured to allow only the namespace of the container to access the device node; and when the container is started, the Linux kernel binds the device node to the namespace of the container, so that the device node is visible inside the container and is invisible or cannot be opened on the Android system.
  4. The container system security enhancement method of claim 1, further comprising: the Linux kernel sets a resource-exclusive mark in the corresponding cgroups subsystem; the Linux kernel marks the cgroups control groups bound to the container with the resource-exclusive mark, so that the Android system is denied access to cgroups resources carrying the resource-exclusive mark.
  5. The container system security enhancement method of claim 1, further comprising: in the creation stage of the container, the TEE generates the trusted identity certificate of the container; the TEE stores the private key corresponding to the trusted identity certificate in secure memory of the TEE and writes the corresponding public key into a configuration file of the container; and the TEE performing signature verification on the received trusted identity certificate comprises: the TEE verifies the signature of the received trusted identity certificate according to the public key.
  6. The method for enhancing security of a container system according to claim 1, further comprising, before the container start-up stage: the TEE performs signature verification on the system image file of the container and compares the hash value of the system image file with a legitimate system image hash value prestored in the TEE; if both the signature verification and the hash comparison pass, the TEE notifies the Android system to start the system corresponding to the system image file; the container-specific SELinux is loaded during the system start-up process; the container management system of the Android system obtains preset system identifiers from SELinux and from the TEE respectively for cross-verification; and if the cross-verification fails, the container management system unmounts the partition of the container, sends a container start-up anomaly alarm to the TEE, and prohibits the start-up operation of the container.
  7. The method for enhancing security of a container system according to claim 6, wherein the container management system of the Android system obtaining preset system identifiers from SELinux and from the TEE respectively for cross-verification comprises: the container management system generates a verification request containing the unique identifier of the container, a random number and a timestamp, and performs a hash operation on the verification request to obtain a request hash value; the container management system sends verification requests containing the request hash value to the TEE and to SELinux respectively; the TEE derives a first session key based on a preset first root key and parameters obtained from the verification request, encrypts a preset TEE system identifier with the first session key, and generates a first encrypted identifier; SELinux derives a second session key based on a preset second root key and the same parameters obtained from the verification request, encrypts a preset SELinux system identifier with the second session key, and generates a second encrypted identifier; and the container management system receives and decrypts the first encrypted identifier and the second encrypted identifier, verifies whether both decrypted system identifiers conform to a preset format, and if so, completes the cross-verification.
  8. The container system security enhancement method of claim 6, further comprising: the Android system checks the integrity signature of the container management partition; if the check passes, the Android system mounts the container management partition and mounts a payment partition, wherein the container management partition stores the root file system of the container management system and the payment partition stores the root file system of the payment system; the Android system executes an initialization program in the container management partition to start the container management system; and the container management system reads files in the payment partition to start the payment system.
  9. The container system security enhancement method of claim 8, further comprising: during the start-up stage of the Android system, the Android system does not mount the container management partition or the payment partition.
  10. The container system security enhancement method of claim 8, wherein the payment system comprises a system implemented based on MicroDroid system extensions.
  11. An electronic device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the container system security enhancement method according to any one of claims 1 to 10 when executing the computer program.
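The cross-verification exchange of claim 7, as an added Go example that is not the patent's code: the container management system hashes the container identifier, random number and timestamp; each responder derives a session key from its root key and the request hash and encrypts its preset identifier; the management system decrypts both replies and accepts only if both identifiers match the preset format. HMAC-SHA256 as the KDF, AES-256-GCM as the cipher, the `TEE-`/`SELINUX-` identifier format and the assumption that the management system holds both root keys are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// RequestHash is the claim 7 request hash over container id, random number and timestamp (field encoding constructed here).
func RequestHash(containerID string, nonce []byte, timestamp int64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%d", containerID, nonce, timestamp)))
	return sum[:]
}

// sessionCipher derives one party's session key from its root key and the request hash (HMAC-SHA256 KDF, AES-256-GCM: constructed choices).
func sessionCipher(rootKey, reqHash []byte, party string) cipher.AEAD {
	mac := hmac.New(sha256.New, rootKey)
	mac.Write([]byte(party))
	mac.Write(reqHash)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte MAC output selects AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealIdentifier is the TEE or SELinux side: the preset system identifier
// encrypted under the session key, nonce prepended, request hash bound as AAD.
func SealIdentifier(rootKey, reqHash []byte, party, ident string) []byte {
	gcm := sessionCipher(rootKey, reqHash, party)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, []byte(ident), reqHash)
}

var identFormat = regexp.MustCompile(`^(TEE|SELINUX)-[0-9A-F]{8}$`) // constructed preset format

// openIdentifier is the management system side for one reply; it assumes the management system holds that party's root key.
func openIdentifier(rootKey, reqHash []byte, party string, enc []byte) bool {
	gcm := sessionCipher(rootKey, reqHash, party)
	n := gcm.NonceSize()
	if len(enc) < n {
		return false
	}
	ident, err := gcm.Open(nil, enc[:n], enc[n:], reqHash)
	return err == nil && identFormat.Match(ident)
}

// CrossVerify passes only when both decrypted identifiers have the preset format.
func CrossVerify(reqHash, teeRoot, seRoot, encTEE, encSE []byte) bool {
	return openIdentifier(teeRoot, reqHash, "tee", encTEE) && openIdentifier(seRoot, reqHash, "selinux", encSE)
}
```

Binding the request hash as associated data and into the key derivation means a reply captured for one request does not decrypt under another, which is the replay check a practitioner would want on top of the format check.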

Description

Technical Field

The invention relates to the technical field of virtualization frameworks, in particular to a container system security enhancement method and electronic equipment.

Background

In the prior art, two main types of schemes exist in the system architecture of intelligent financial payment terminals (such as POS machines and cash registers):

  1. Customization schemes based on the Android main system: customization meeting financial payment security and business requirements is carried out directly on the Android main system, the main system serves as the operating body of the financial payment function, and no containerization technology is introduced.
  2. Schemes based on container technology, namely LXC (Linux containers): several isolated containers are created on the Android system using the native namespace and control group (cgroups) features of the Linux kernel, and each container can run an independent lightweight system. This technology is currently used in scenarios such as automated testing and multi-screen control in intelligent cockpits.

A pVM scheme based on the Android Virtualization Framework (AVF) can in theory provide stronger security by running the financial payment system in a protected virtual machine (pVM). However, this solution faces problems of hardware compatibility (some common chips do not support AVF) and performance overhead, and performs poorly on low-cost chip platforms, so practice often shifts to a solution based on container technology.

However, in pursuing security, compatibility and performance, the above schemes exhibit a significant technical contradiction. If the customized Android main system scheme is adopted, the main system is highly coupled with the general-purpose environment, so the high-strength isolation required by financial payment services is difficult to achieve and the security boundary is weak. If the pVM scheme of AVF is adopted, better isolation can be provided, but the scheme is limited by hardware support and performance loss and is difficult to apply to widely deployed low-cost terminals. If the current mainstream LXC container scheme is adopted, compatibility and performance are more feasible, but the kernel-level isolation mechanism (relying on namespaces and sharing the Linux kernel) has inherent defects: the isolation strength is insufficient and cannot meet the strict security requirements of financial payment scenarios. The architectures in the related art fail to provide a system scheme that deeply isolates the financial payment system from the host environment, reaches financial-grade security standards, and maintains good performance and hardware compatibility on widely available low-cost hardware platforms. In short, schemes with high security (such as AVF/pVM) are limited by hardware and performance, while schemes with good compatibility (such as LXC) sacrifice the necessary isolation strength, so a financial payment terminal struggles to balance security and universality.

Disclosure of Invention

The invention aims to solve the technical problem of providing a container system security enhancement method and electronic equipment that can ensure that a financial payment system is deeply isolated from the host environment, achieve financial-grade security standards, and maintain good performance and hardware compatibility.

To solve the above technical problems, the invention adopts the following technical scheme: a container system security enhancement method applied to an electronic device on which a Linux kernel, an Android system, a container and a TEE are running, the method comprising: the Linux kernel acquires a trusted identity certificate stored in the container at the start-up stage of the container and sends the trusted identity certificate to the TEE; the TEE performs signature verification on the received trusted identity certificate and, if the verification passes, returns a corresponding trusted credential to the Linux kernel; after the Linux kernel receives the trusted credential, a trusted mark is set on the namespace of the container; and based on the trusted mark, the Linux kernel receives requests of the Android system, starts the container and performs access control and allocation on the resources of the container. To solve the above technical problems, the invention adopts another technical scheme: an electronic device comprising a memory storing a computer program and a processor that implements the steps of the above container system security enhancement method when the computer program is executed by the processor. The invention has the beneficial effects that: T