CN-122020640-A - Method for rapidly deploying trusted container sandbox execution environment in offline environment

Abstract

The invention discloses a method for rapidly deploying a trusted container sandbox execution environment in an offline environment, which relates to the technical field of computer security and has the technical scheme that the method comprises the following steps of detecting hardware and software environments of an offline target environment and verifying the integrity and signature of an offline deployment package; the method comprises the steps of decompressing an offline deployment package, installing a TIPU driver and a trusted sandbox middleware, initializing a TIPU board card, establishing a security isolation boundary based on separation of a control plane and a data plane, configuring a system-level security policy, loading a preset basic mirror image, constructing a trusted container sandbox with multiple isolation characteristics, enabling vTCM-based trusted execution environment support in the trusted container sandbox, and configuring a TIPU virtualization device through mechanism. The invention can complete the deployment of the container sandbox environment without any network connection, is suitable for the network isolation environment, has high deployment success rate and solves the difficult problem of container deployment in the offline environment.

Inventors

• LIU YI
• ZHANG NANXIN
• WU HUAIGU
• ZHA MING

Assignees

• 天府绛溪实验室

Dates

Publication Date

20260512

Application Date

20260409

Claims (10)

1. 1. A method for rapidly deploying a trusted container sandbox execution environment in an offline environment is characterized in that an offline target environment suitable for the method is configured with an offline deployment package and a trusted base environment, and comprises the following steps: detecting the hardware and software environment of the offline target environment, and verifying the integrity and signature of the offline deployment package; decompressing the offline deployment package, and installing a TIPU driver and a trusted sandbox middleware; Initializing a TIPU board card and establishing a safety isolation boundary based on separation of a control surface and a data surface; configuring a system level security policy, including a kernel security module and security reinforcement settings; Loading a preset basic mirror image and constructing a trusted container sandbox with multiple isolation characteristics; enabling vTCM-based trusted execution environment support in the trusted container sandbox to realize application-level security isolation; And configuring a TIPU virtualization device through mechanism to complete the deployment of the trusted container sandbox execution environment.
2. 2. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment according to claim 1, wherein said offline deployment package of said offline target environment configuration is deployed in a networked environment, comprising: Downloading the TIPU driver, the trusted sandbox middleware, a security component and a virtualization platform, wherein the virtualization platform comprises a container engine, the base image and a dependency library; Carrying out digital signature and integrity check on the downloaded resources to generate check information; And packaging all the resources into a self-contained offline deployment package, including a deployment script and a configuration template.
3. 3. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment of claim 2 wherein the container engine comprises at least one of Docker and Kata Containerd; the base image includes at least one of Alpine Linux, busyBox and a minimized Linux distribution; and/or the security component comprises a security-hardened container runtime, a security monitoring tool and an encryption library.
4. 4. The method for rapidly deploying a trusted container sandbox execution environment in an offline environment according to claim 1, wherein the offline deployment package is embedded with an intelligent detection and adaptive configuration mechanism to automatically adjust a deployment policy according to a detection result of the offline target environment.
5. 5. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment according to claim 1, wherein said trusted base environment of said offline target environment configuration is deployed in a networked environment, comprising: Presetting a trusted execution environment support module, wherein the trusted execution environment support module comprises a hardware-level security extension and trusted starting component which are built in a TIPU board card; Integrating a remote attestation mechanism comprising a preconfigured device certificate, an attestation key and a verification certificate; the security policy templates are preconfigured, including resource limitations, access control, and network quarantine rules.
6. 6. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment of claim 5 wherein the trusted boot component comprises at least one of a vTCM-based secure boot chain and a trusted metrics module.
7. 7. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment according to claim 1, wherein initializing the TIPU board card comprises: Decompressing the offline deployment package to a specified directory of the TIPU board card; Configuring communication between a Host and the TIPU board card through a PCIe bus; Initializing an ICPU subsystem and an IPU logic chip of the TIPU board card, and starting a control plane and data plane separation architecture; And configuring the TIPU gateway as a unique access entry, and encrypting and protecting a gateway interface through the UKey.
8. 8. The method for rapidly deploying a trusted container sandbox execution environment in an offline environment of claim 1 wherein the constructing of the trusted container sandbox further comprises: the trusted protection mechanism of the double-stack integrated sandbox is configured to support the trusted measurement of the KVM virtual machine and Kata secure containers.
9. 9. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment of claim 1 further comprising: monitoring the running state of the trusted container sandbox in real time through an active immune protection mechanism, and detecting abnormal behaviors and security threats; Dynamically adjusting a security policy, and responding to the detected security event; And recording a security log, and supporting post audit and traceability.
10. 10. The method for rapidly deploying a trusted container sandboxed execution environment in an offline environment of claim 1 further comprising: periodically verifying the integrity of the container environment based on a double-stack integrated sandbox trusted protection mechanism; remote certification during operation is realized, and the trusted state of the environment is certified for an external verifier; and supporting security updating and patch management through a hardware-level two-stage authorization management and control mechanism, and acquiring the security updating through a trusted channel in an offline environment.

Description

Method for rapidly deploying trusted container sandbox execution environment in offline environment Technical Field The invention relates to the technical field of computer security, in particular to a method for rapidly deploying a trusted container sandbox execution environment in an offline environment. Background With the rapid development of cloud computing and container technology, containerized deployment has become the dominant approach to modern application deployment. The container technology realizes the isolated operation of the application program through the virtualization of the operating system level, and has the advantages of high starting speed, less resource occupation, convenient deployment and the like. However, in many special scenarios, such as fields of high security requirements, e.g., military, government, finance, etc., and in environments where networks are limited or completely isolated, conventional container deployment approaches face the problems of (1) relying on network connections where conventional container deployment requires pulling mirror images and dependent packages from a network warehouse, and failure to complete deployment in an offline environment. (2) The security is insufficient, and although the common container technology provides a certain degree of isolation, an isolation mechanism can be broken through when facing advanced threats, and the requirements of high-security requirement scenes cannot be met. (3) The deployment efficiency is low, and in an offline environment, the prior art generally needs to manually configure a large number of parameters and dependencies, and the deployment process is complex and time-consuming. (4) The credibility is difficult to ensure, the integrity and credibility of the container mirror image are difficult to verify in an offline environment, and the security risk exists. Currently, for container deployment in an offline environment, solutions have been disclosed in the prior art, such as downloading the image package in advance, using an offline installation package, and so forth. But these solutions mainly solve the basic problem of offline deployment, failing to meet the requirements of rapid deployment and high security at the same time. In particular to the trusted execution environment, the prior art has difficulty in quickly constructing a container sandbox environment with trusted guarantee in an offline environment. Therefore, a method for rapidly deploying a trusted container sandbox execution environment in an offline environment capable of overcoming the defects is an urgent need to be solved. Disclosure of Invention In order to solve the defects in the prior art, the invention aims to provide a method for rapidly deploying the trusted container sandbox execution environment in an offline environment, the deployment of the container sandbox environment can be completed without any network connection, the method is suitable for a network isolation environment, the deployment success rate is high, and the difficult problem of container deployment in the offline environment is solved. The technical aim of the invention is realized by the following technical scheme: a method for rapidly deploying a trusted container sandbox execution environment in an offline environment comprises the following steps that an offline target environment suitable for the method is configured with an offline deployment package and a trusted base environment: detecting the hardware and software environment of the offline target environment, and verifying the integrity and signature of the offline deployment package; decompressing the offline deployment package, and installing a TIPU driver and a trusted sandbox middleware; Initializing a TIPU board card and establishing a safety isolation boundary based on separation of a control surface and a data surface; configuring a system level security policy, including a kernel security module and security reinforcement settings; Loading a preset basic mirror image and constructing a trusted container sandbox with multiple isolation characteristics; enabling vTCM-based trusted execution environment support in the trusted container sandbox to realize application-level security isolation; And configuring a TIPU virtualization device through mechanism to complete the deployment of the trusted container sandbox execution environment. Further, the offline deployment package configured by the offline target environment is deployed in a network environment, and includes: Downloading the TIPU driver, the trusted sandbox middleware, a security component and a virtualization platform, wherein the virtualization platform comprises a container engine, the base image and a dependency library; Carrying out digital signature and integrity check on the downloaded resources to generate check information; And packaging all the resources into a self-contained offline deployment package, including a deployment scr