CN-122019134-A - Virtual trusted root construction method, device and system based on CPU built-in physical trusted root
Abstract
The application discloses a virtual trusted root construction method, device and system based on a CPU built-in physical trusted root. The method comprises the steps of: obtaining storage division information from a physical trusted root, wherein the storage division information represents that the storage resources of the physical trusted root have been divided in advance into a first part dedicated to the host machine and a second part dedicated to virtual machines, the second part is divided into a plurality of storage spaces, and the physical trusted root is a physical trusted root built into the processor of the computer equipment; and allocating, from a plurality of virtual trusted root instances, a first virtual trusted root instance with free storage space to a first virtual machine instance, wherein each of the plurality of virtual trusted root instances corresponds to one of the plurality of storage spaces. The application solves the technical problem of the low security of virtual machines in the related art.
Inventors
- Duan Guna
- TIAN JIANSHENG
- Ma Ruifan
- LI RONGRONG
- WANG ANSHENG
Assignees
- 北京可信华泰技术服务有限公司
- 北京可信华泰信息技术有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20251225
Claims (10)
- 1. A virtual trusted root construction method based on a CPU built-in physical trusted root, characterized by comprising the following steps: obtaining storage division information from a physical trusted root, wherein the storage division information is used for representing that storage resources of the physical trusted root are divided in advance into a first part dedicated to a host machine and a second part dedicated to virtual machines, the second part is divided into a plurality of storage spaces, and the physical trusted root is a built-in physical trusted root of a processor of computer equipment; and allocating a first virtual trusted root instance with free storage space for the first virtual machine instance from a plurality of virtual trusted root instances, wherein each virtual trusted root instance in the plurality of virtual trusted root instances corresponds to one storage space in the plurality of storage spaces.
- 2. The method of claim 1, wherein prior to obtaining the storage division information from the physical trusted root, the method comprises: in the production stage of the processor chip of the computer equipment, statically partitioning the storage resources of the physical trusted root through hardware logic solidification and security configuration, so that hardware-level resource isolation and security protection are realized.
- 3. The method of claim 2, wherein statically partitioning the storage resources of the physical trusted root through hardware logic solidification and security configuration comprises: dividing the storage resources of the physical trusted root into a first part dedicated to a host machine and a second part dedicated to virtual machines; dividing the second part dedicated to virtual machines into a plurality of storage spaces according to the maximum number of virtual machines; generating a globally unique identifier for each storage space of the plurality of storage spaces, writing the globally unique identifier into a protected configuration register corresponding to each storage space, and locking the register; and solidifying the globally unique identifier and partition address of each storage space into the hardware logic of the physical trusted root.
- 4. The method of claim 3, wherein after solidifying the globally unique identifier and partition address of each storage space into the hardware logic of the physical trusted root, the method further comprises: accessing the plurality of storage spaces through test instructions, thereby verifying the correctness of the access control policy.
- 5. The method of claim 1, wherein allocating a first virtual trusted root instance with free storage space for the first virtual machine instance from among a plurality of virtual trusted root instances comprises: selecting a matching first storage space from the free storage spaces of the plurality of storage spaces based on the requirements of the first virtual machine instance, wherein the first storage space is bound to the first virtual trusted root instance; and generating a first public-private key pair for the first virtual machine instance in the physical trusted root, injecting the private key of the first public-private key pair into the first storage space of the first virtual trusted root instance, and issuing a certificate for the first virtual machine instance.
- 6. The method of claim 1, wherein generating a first public-private key pair for the first virtual machine instance within the physical trusted root, injecting the private key of the first public-private key pair into the first storage space of the first virtual trusted root instance, and issuing a certificate for the first virtual machine instance comprises: invoking a hardware random number generator to generate a true random number seed; generating an asymmetric first public-private key pair using the true random number seed; encrypting and storing the private key of the first public-private key pair in the first storage space; applying for a certificate for the first virtual machine instance; writing the public key of the first public-private key pair and the certificate into the first storage space; and updating the binding relation among the unique identifier of the first virtual machine instance, the globally unique identifier of the first storage space and the certificate to a virtual trusted root association table in the physical trusted root.
- 7. The method of any of claims 1 to 6, wherein after allocating a target virtual trusted root instance with free storage space for a target virtual machine instance from a plurality of virtual trusted root instances, the method comprises at least one of: executing a query operation on the virtual trusted root association table, namely, when the physical trusted root receives a query instruction from a second virtual machine instance, verifying the digital signature and query authority of the sending end of the query instruction, and after the verification passes, querying the virtual trusted root association table according to the unique identifier of the second virtual machine instance and feeding back the query result to the sending end of the query instruction; executing an update operation on the virtual trusted root association table, namely, when the physical trusted root receives an update instruction from a third virtual machine instance, verifying the digital signature and update authority of the sending end of the update instruction, and after the verification passes, writing the binding relation among the unique identifier of the third virtual machine instance, the globally unique identifier of the corresponding storage space and the certificate into the virtual trusted root association table, and storing the hash value of the table item together with the table item information; and executing a delete operation on the virtual trusted root association table, namely, when the physical trusted root receives a delete instruction from a fourth virtual machine instance, verifying the digital signature and delete authority of the sending end of the delete instruction, and updating the state of the table item of the fourth virtual machine instance in the virtual trusted root association table to inactive.
- 8. A virtual trusted root construction device based on a CPU built-in physical trusted root, comprising: The storage division information is used for representing that storage resources of the physical trusted root are divided in advance into a first part dedicated to a host machine and a second part dedicated to virtual machines, the second part is divided into a plurality of storage spaces, and the physical trusted root is a built-in physical trusted root of a processor of computer equipment; and an allocation unit, used for allocating a first virtual trusted root instance with free storage space for the first virtual machine instance from a plurality of virtual trusted root instances, wherein each virtual trusted root instance in the plurality of virtual trusted root instances corresponds to one storage space in the plurality of storage spaces.
- 9. A virtual trusted root construction system based on a CPU built-in physical trusted root, comprising: a virtualized environment layer running multiple virtual machine instances, each virtual machine instance having an independent virtual trusted root instance; a CPU built-in physical trusted root layer, comprising a physical trusted root and the storage resources of the physical trusted root, wherein the storage resources of the physical trusted root are divided in advance into a first part dedicated to a host machine and a second part dedicated to virtual machines, the second part is divided into a plurality of storage spaces, and each virtual trusted root instance in a plurality of virtual trusted root instances corresponds to one storage space in the plurality of storage spaces; and a host management layer, serving as a bridge between the CPU built-in physical trusted root layer and the virtualized environment layer, used for managing the life cycle of the virtual machines, scheduling physical trusted root resources and enforcing security policies.
- 10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method of any of the preceding claims 1 to 7 by means of the computer program.
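The query, update and delete operations on the virtual trusted root association table in claim 7, as an added example that is not part of the application: HMAC-SHA256 stands in for the sender's digital signature, and the root holds a per-sender permission set for the authority check. The class and function names, the keys and the canonical message encoding are assumptions for illustration.

```python
import hashlib
import hmac
import json


def _message(op: str, body: dict) -> bytes:
    # Canonical encoding of an instruction: operation name plus sorted JSON body
    return (op + "|" + json.dumps(body, sort_keys=True)).encode()


def sign(key: bytes, op: str, body: dict) -> bytes:
    # HMAC-SHA256 stands in for the sending end's digital signature (assumption)
    return hmac.new(key, _message(op, body), hashlib.sha256).digest()


class AssociationTable:
    """Model of the vTPCM association table kept inside the physical trusted root."""

    def __init__(self, sender_keys: dict, permissions: dict):
        self.keys = sender_keys      # vm_id -> verification key held by the root
        self.perms = permissions     # vm_id -> set of operations it may issue
        self.entries = {}            # vm_id -> table item

    def _authorised(self, sender: str, op: str, body: dict, sig: bytes) -> bool:
        key = self.keys.get(sender)
        if key is None or not hmac.compare_digest(sign(key, op, body), sig):
            return False             # signature is checked before authority
        return op in self.perms.get(sender, set())

    @staticmethod
    def item_hash(vm_id: str, guid: str, cert: str) -> str:
        # Hash of the binding, stored with the item so tampering is detectable
        return hashlib.sha256(f"{vm_id}|{guid}|{cert}".encode()).hexdigest()

    def query(self, sender: str, body: dict, sig: bytes):
        if not self._authorised(sender, "query", body, sig):
            return None
        return self.entries.get(body["vm_id"])

    def update(self, sender: str, body: dict, sig: bytes) -> bool:
        if not self._authorised(sender, "update", body, sig):
            return False
        vm, guid, cert = body["vm_id"], body["guid"], body["cert"]
        self.entries[vm] = {"vm_id": vm, "guid": guid, "cert": cert,
                            "state": "active", "hash": self.item_hash(vm, guid, cert)}
        return True

    def delete(self, sender: str, body: dict, sig: bytes) -> bool:
        if not self._authorised(sender, "delete", body, sig):
            return False
        item = self.entries.get(body["vm_id"])
        if item is None:
            return False
        item["state"] = "inactive"   # the item is marked inactive, not erased
        return True
```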
Description
Virtual trusted root construction method, device and system based on CPU built-in physical trusted root
Technical Field
The application relates to the field of computer security, in particular to a virtual trusted root construction method, device and system based on a CPU built-in physical trusted root.
Background
This section is intended to provide a background or context for the matter recited in the claims or specification; inclusion in this section is not an admission that the matter is prior art.
With the widespread use of cloud computing and virtualization technologies, the security of virtual machines has become a critical issue. The traditional virtual trusted root (vTPCM) is mainly implemented in software and lacks a direct association with the physical trusted root (TPCM), so its security is lower: a software-implemented virtual trusted root is easy to attack, and the security characteristics provided by the hardware cannot be fully utilized. Therefore, a virtual trusted root construction method based on a CPU built-in physical trusted root is needed to improve the security of virtual machines. In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a virtual trusted root construction method, device and system based on a CPU built-in physical trusted root, which at least solve the technical problem of the low security of virtual machines in the related art.
According to one aspect of the embodiment of the application, a virtual trusted root construction method based on a CPU built-in physical trusted root is provided. The method comprises the steps of: obtaining storage division information from the physical trusted root, wherein the storage division information represents that the storage resources of the physical trusted root have been divided in advance into a first part dedicated to the host machine and a second part dedicated to virtual machines, the second part is divided into a plurality of storage spaces, and the physical trusted root is the built-in physical trusted root of the processor of the computer equipment; and allocating, from a plurality of virtual trusted root instances, a first virtual trusted root instance with a free storage space to a first virtual machine instance, wherein each virtual trusted root instance in the plurality of virtual trusted root instances corresponds to one storage space in the plurality of storage spaces.
Optionally, before the storage division information is obtained from the physical trusted root, the method comprises statically partitioning the storage resources of the physical trusted root through hardware logic solidification and security configuration in the production stage of the processor chip of the computer equipment, so as to realize hardware-level resource isolation and security protection.
Statically partitioning the storage resources of the physical trusted root through hardware logic solidification and security configuration comprises: dividing the storage resources of the physical trusted root into a first part dedicated to the host machine and a second part dedicated to virtual machines; dividing the second part into a plurality of storage spaces according to the maximum number of virtual machines; generating a globally unique identifier for each of the plurality of storage spaces, writing the globally unique identifier into the protected configuration register corresponding to that storage space, and locking the register; and solidifying the globally unique identifier and partition address of each storage space into the hardware logic of the physical trusted root.
Optionally, after the globally unique identifier and partition address of each storage space have been solidified into the hardware logic of the physical trusted root, the method further comprises accessing the plurality of storage spaces through test instructions, thereby verifying the correctness of the access control policy.
Optionally, allocating a first virtual trusted root instance with free storage space to a first virtual machine instance from a plurality of virtual trusted root instances comprises: selecting a matching first storage space from the free storage spaces of the plurality of storage spaces based on the requirements of the first virtual machine instance, wherein the first storage space is bound to the first virtual trusted root instance; and generating a first public-private key pair for the first virtual machine instance in the physical trusted root, injecting the private key of the first public-private key pair into the first storage space of the first virtual trusted root instance, and issuing a certificate for the first virtual machine instance.
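As an added illustration, not code from the application or its assignees, the following Python model walks through the static division of the TPCM storage and the allocation of a vTPCM instance described above: a host-only part, one space per VM slot with its own GUID, best-fit selection of a free space, a key pair derived from a random seed, the private key stored encrypted in the space, and the binding recorded in the association table. The class and method names, the sizes, the toy key derivation and the XOR wrapping are assumptions standing in for the hardware's real primitives; the read check models the access-control verification done with test instructions.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StorageSpace:
    guid: str                   # globally unique identifier, written to a locked register
    base: int                   # partition address solidified into the hardware logic
    size: int
    bound_vm: Optional[str] = None
    contents: dict = field(default_factory=dict)


class PhysicalRootOfTrust:
    """Model of the CPU built-in TPCM storage and its vTPCM allocation (constructed)."""

    def __init__(self, total: int, host_size: int, max_vms: int):
        # Static division fixed at chip production: host-only part, then one space per VM slot
        self.host_part = (0, host_size)
        per_vm = (total - host_size) // max_vms
        self.spaces = [StorageSpace(secrets.token_hex(8), host_size + i * per_vm, per_vm)
                       for i in range(max_vms)]
        self.association = {}           # vm_id -> (space guid, certificate)
        self.wrap_key = os.urandom(32)  # root-internal key wrapping stored private keys (assumption)

    def division_info(self) -> dict:
        return {"host": self.host_part, "vm_spaces": [(s.guid, s.base, s.size) for s in self.spaces]}

    def allocate(self, vm_id: str, need: int) -> str:
        free = [s for s in self.spaces if s.bound_vm is None and s.size >= need]
        if not free:
            raise RuntimeError("no free vTPCM storage space")
        space = min(free, key=lambda s: s.size)         # best-fit match to the VM's requirement
        seed = os.urandom(32)                             # hardware true-random seed (stand-in)
        priv = hashlib.sha256(b"priv" + seed).digest()    # toy key pair from the seed (stand-in)
        pub = hashlib.sha256(b"pub" + priv).digest()
        stream = hashlib.sha256(self.wrap_key + space.guid.encode()).digest()
        space.contents["priv_enc"] = bytes(a ^ b for a, b in zip(priv, stream))  # toy encryption
        space.contents["pub"] = pub
        space.contents["cert"] = "CERT:" + vm_id + ":" + pub.hex()[:16]  # placeholder certificate
        space.bound_vm = vm_id
        self.association[vm_id] = (space.guid, space.contents["cert"])
        return space.guid

    def read(self, requester: str, guid: str) -> Optional[dict]:
        # Access-control rule checked by test instructions: only the bound VM reads its space
        for s in self.spaces:
            if s.guid == guid:
                return dict(s.contents) if s.bound_vm == requester else None
        return None
```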
Optionally, generating a first public-private key pair for