CN-122019059-A - VTCM equipment virtualization optimization method, system, terminal and medium

Abstract

The invention discloses vTCM equipment virtualization optimization method, system, terminal and medium, which relate to the technical field of trusted computing and have the technical scheme that virtio _ vtcm _dev virtual equipment is created in a Qemu module, a driving module consisting of virtio driving and vtcm _gust driving is deployed in a Guest kernel state, a driving module consisting of vhost module and vtcm _host module is deployed in a Host kernel state, a multi-queue virtio channel is designed, each vTCM instance supports a plurality of independent virtio queues and binds independent interrupt vectors, and remote attestation requests are processed through multi-queue parallel. The invention can reduce the context switching and memory copy cost in the traditional virtualization, and breaks through the concurrency bottleneck of Qemu user mode serial simulation.

Inventors

• ZHANG YE
• WU HUAIGU
• ZHANG NANXIN
• ZHA MING

Assignees

• 天府绛溪实验室

Dates

Publication Date

20260512

Application Date

20260410

Claims (10)

1. 1. A vTCM device virtualization optimization method, which is characterized by comprising the following steps: creating virtio _ vtcm _dev virtual equipment in a Qemu module, wherein the Qemu module supports the number of configuration vTCM instances as a basis for vTCM instantiation; A driving module consisting of a virtio driving module and an vtcm _gust driving module is deployed in a Guest kernel mode, wherein the virtio driving module is used for scanning and mounting the virtio _ vtcm _dev virtual device to a virtio bus to complete front-back end parameter negotiation, and the vtcm _gust driving module provides the capability of packaging a secure operation request of a Guest-side TCM device into a virtio format request and sends the virtio format request to a Host back end through a virtio queue; The method comprises the steps of deploying a driving module consisting of a vhost module and a vtcm _host module in a Host kernel mode, wherein the vhost module manages memory mapping and interrupt notification of the virtio queue, receiving a virtio-format TCM device operation command issued by a Guest side through the virtio queue by the vtcm _host module, analyzing the Guest side command, converting the Guest side command into a physical TCM device operation command, and packaging a processing result into a virtio-format return; Multiple queues virtio channels are designed, each vTCM instance supports multiple independent virtio queues and binds independent interrupt vectors, and remote attestation requests are processed through multiple queues in parallel.
2. 2. The vTCM device virtualization optimization method of claim 1, wherein the Qemu module is configured to: And converting the front-end and back-end negotiation flow into the ioctl call of the back-end equipment file, and realizing the efficient interaction of the equipment functional characteristics, the queue configuration and the security parameters.
3. 3. The vTCM device virtualization optimization method of claim 1, wherein the Qemu module is configured to: And maintaining vTCM the dynamic mapping relation between the instance and the physical TCM equipment, and supporting the dynamic allocation of hardware resources.
4. 4. The vTCM device virtualization optimization method of claim 1, wherein the virtio driver is configured to: Scanning the virtio _ vtcm _dev virtual equipment registered by the Qemu module and mounting the virtio _ vtcm _dev virtual equipment to a virtio bus; Receiving the vtcm _gust driven negotiation request, and confirming virtio queue quantity, depth and security algorithm support list; after the negotiation is completed, the device state is set to be initialized.
5. 5. The vTCM device virtualization optimization method of claim 1, wherein the vtcm _gust driver is configured to: Binding the bus matching driver with the virtio _ vtcm _dev virtual device as virtio bus matching drivers; Providing a standard TCM interface including one or more of key management, hash computation, and signature verification to the Guest OS; and packaging the safe operation request into a command in virtio format, sending the command through a queue, receiving and analyzing a back-end return result.
6. 6. The vTCM device virtualization optimization method of claim 1, wherein the vtcm _host module is configured to: receiving negotiation parameters forwarded by the Qemu module through ioctl call, and initializing a communication link with physical TCM equipment; Analyzing the Guest side virtio instruction into a physical TCM identifiable operation instruction; Packaging the physical TCM processing result into virtio format for returning; multiple queue parallel processing is supported, and independent operation contexts are allocated for each queue.
7. 7. The vTCM device virtualization optimization method as claimed in claim 1, wherein each virtio queue contains independent desc-table, avail-ring, used-ring and index identifier, and the index identifier is composed of last_used_idx and last_avail_idx; the descriptor information is recorded by the desc-table, the available descriptor index is stored by the avail-ring, the used descriptor index is stored by the used-ring, the tail indexes of the used and available descriptors are recorded by the last_used_idx and last_avail_idx respectively, and parallel notification of each queue is realized through independent interrupt vectors.
8. 8. A vTCM device virtualization optimization system, comprising: The Qemu module is used for creating virtio _ vtcm _dev virtual equipment, and is used for supporting the number of configuration vTCM examples as a basis of vTCM instantiation; The Guest kernel mode driving module consists of virtio driving and vtcm _gust driving, wherein the virtio driving is used for scanning and mounting the virtio _ vtcm _dev virtual equipment to a virtio bus to complete front-back end parameter negotiation, and the vtcm _gust driving provides the capability of packaging a secure operation request of the Guest-side TCM equipment into a virtio format request and sending the virtio format request to the Host back end through a virtio queue; The Host kernel mode driving module consists of vhost modules and vtcm _host modules, wherein the vhost modules manage memory mapping and interrupt notification of the virtio queue, the vtcm _host modules receive a virtio-format TCM device operation command issued by a Guest side through the virtio queue, analyze the Guest side command and convert the command into a physical TCM device operation command, and package a processing result into a virtio format for returning; multiple queues virtio channels support multiple independent virtio queues for each vTCM instance and bind independent interrupt vectors, processing remote attestation requests in parallel through multiple queues.
9. 9. A computer terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements a vTCM apparatus virtualization optimization method as claimed in any one of claims 1-7 when executing the computer program.
10. 10. A computer readable medium having stored thereon a computer program, wherein the computer program is executed by a processor to implement a vTCM apparatus virtualization optimization method as claimed in any one of claims 1 to 7.

Description

VTCM equipment virtualization optimization method, system, terminal and medium Technical Field The invention relates to the technical field of trusted computing, in particular to a vTCM equipment virtualization optimization method, a system, a terminal and a medium. Background The trusted computing technology provides identity trust, data confidentiality and integrity guarantee for a computing system by introducing a hardware-level security module (such as TCM equipment), and is widely applied to security sensitive fields such as cloud computing, financial science and technology, industrial Internet and the like. In a virtualization scenario, to enable a virtual machine to have trusted computing capability, a physical TCM device needs to be virtualized into multiple vTCM instances for sharing use by different VMs. Traditional TCM equipment virtualization is realized by Qemu user mode simulation, namely I/O operation on vTCM equipment in VM is required to be subjected to multiple links such as Guest OS system call, hypervisor, qemu user mode simulation analysis, physical TCM equipment access and the like. The process has the key problems that 1) a calling link is lengthy, VM Exit, VM Entry, kernel mode and user mode context switching, memory copying and other operations are time-consuming seriously, so that the I/O efficiency of vTCM equipment is low and cannot meet the performance requirements of high-security-level application, 2) Qemu user mode simulation is a serial processing mechanism, when the VM based on vTCM equipment is used as a remote proving server, concurrent proving requests of a large number of clients are difficult to handle, concurrent processing capacity is limited, 3) the resource utilization rate of physical TCM equipment is low, and the traditional virtualization scheme cannot realize dynamic scheduling and efficient sharing of hardware resources. Therefore, research and design of vTCM equipment virtualization optimization method, system, terminal and medium capable of overcoming the defects is a problem which needs to be solved at present. Disclosure of Invention In order to solve the defects in the prior art, the invention aims to provide a vTCM equipment virtualization optimization method, a system, a terminal and a medium, which are based on a vTCM equipment paravirtualized architecture of virtio channels, unload vTCM back end drivers to a Host kernel mode, enable virtio equipment and hypervisors to be in the kernel mode simultaneously, reduce context switching and memory copying expenditure in traditional virtualization, and design a multi-queue virtio communication mechanism to process remote attestation requests in parallel through a plurality of independent virtio queues so as to break through the concurrency bottleneck of Qemu user mode serial simulation. The technical aim of the invention is realized by the following technical scheme: in a first aspect, a vTCM device virtualization optimization method is provided, including the following steps: creating virtio _ vtcm _dev virtual equipment in a Qemu module, wherein the Qemu module supports the number of configuration vTCM instances as a basis for vTCM instantiation; A driving module consisting of a virtio driving module and an vtcm _gust driving module is deployed in a Guest kernel mode, wherein the virtio driving module is used for scanning and mounting the virtio _ vtcm _dev virtual device to a virtio bus to complete front-back end parameter negotiation, and the vtcm _gust driving module provides the capability of packaging a secure operation request of a Guest-side TCM device into a virtio format request and sends the virtio format request to a Host back end through a virtio queue; The method comprises the steps of deploying a driving module consisting of a vhost module and a vtcm _host module in a Host kernel mode, wherein the vhost module manages memory mapping and interrupt notification of the virtio queue, receiving a virtio-format TCM device operation command issued by a Guest side through the virtio queue by the vtcm _host module, analyzing the Guest side command, converting the Guest side command into a physical TCM device operation command, and packaging a processing result into a virtio-format return; Multiple queues virtio channels are designed, each vTCM instance supports multiple independent virtio queues and binds independent interrupt vectors, and remote attestation requests are processed through multiple queues in parallel. Further, the Qemu module is configured to: And converting the front-end and back-end negotiation flow into the ioctl call of the back-end equipment file, and realizing the efficient interaction of the equipment functional characteristics, the queue configuration and the security parameters. Further, the Qemu module is configured to: And maintaining vTCM the dynamic mapping relation between the instance and the physical TCM equipment, and supporting the dynamic allocation of hardware resour