CN-122020740-A - Data persistence storage system, method, terminal and medium
Abstract
The invention discloses a data persistence storage system, method, terminal and medium. The secure virtual block device is located in a trusted execution environment, provides a standardized block storage interface to the upper file system, is compatible with formatting and mounting by a general-purpose file system, and stores proprietary secure metadata in a secure superblock. The IDE module is located in the trusted execution environment, is connected to the secure virtual block device, and provides confidentiality and integrity protection of data through an encryption algorithm. The secure storage operation module is located in the rich execution environment, is connected to the IDE module, and performs the concrete storage operations. The invention realizes data persistence storage and, in combination with the TEE environment, ensures the confidentiality, integrity, crash consistency and freshness of the TEE's persistently stored data.
Inventors
- XIONG JUN
- Lan Yanxiang
Assignees
- 深圳市机密计算科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260410
Claims (10)
- 1. A data persistence storage system, the system comprising: a secure virtual block device located in a trusted execution environment, which provides a standardized block storage interface to an upper file system, is compatible with formatting and mounting by a general-purpose file system, and stores proprietary secure metadata in a secure superblock; an IDE module located in the trusted execution environment and connected to the secure virtual block device, which provides confidentiality and integrity protection of data through an encryption algorithm; and a secure storage operation module located in the rich execution environment and connected to the IDE module, which performs the concrete storage operations.
- 2. The data persistence storage system of claim 1, wherein the secure virtual block device is configured with a private storage space that is not exposed to the upper file system and is used only to store private metadata; the private metadata comprises a secure superblock and a Merkle tree, the secure superblock comprising a global monotonically increasing count value obtained from a trusted counter, the value of the Merkle tree root node, and the storage location of the Merkle tree root node in the private storage space.
- 3. The data persistence storage system of claim 2, wherein the secure virtual block device further aligns its secure transaction boundaries with the transaction boundaries of the upper file system and thereby guarantees crash consistency of the private metadata.
- 4. The data persistence storage system of claim 1, wherein the secure storage operation module sets up a storage area in the rich execution environment, the storage area comprising a first area and a second area, wherein the first area is exposed to the secure virtual block device and stores the data of the secure virtual block device, and the second area is a private area that stores the additional information output by the IDE module.
- 5. A data persistence storage method based on the data persistence storage system of any of claims 1-4, the method comprising: the secure virtual block device reads its own secure superblock, then performs a security check, is activated after the security check passes, and the operating system completes the mount operation of the secure virtual block device; the secure virtual block device writes data pages, the written data pages are encrypted by the IDE module to generate combined data of ciphertext and verification information, and the ciphertext and the verification information are written to their respective locations by the secure storage operation module; the secure virtual block device initiates a read request, the ciphertext and the verification information are read by the secure storage operation module and decrypted by the IDE module, and the decrypted result is returned to the secure virtual block device; and the secure virtual block device sends a flush-to-disk instruction to the secure storage operation module, which completes the persistent storage of the ciphertext and the verification information through the native file system interface of the rich execution environment, thereby realizing physical persistence of the data.
- 6. The data persistence storage method of claim 5, wherein the secure virtual block device performing a security check after reading its own secure superblock and being activated after the security check passes comprises: the secure virtual block device reads its own secure superblock and completes basic verification; after the basic verification passes, the validity of the global monotonically increasing count value in the secure superblock is verified; the validity of the Merkle tree root node value in the secure superblock is verified; and after both the global monotonically increasing count value and the Merkle tree root node value pass verification, the secure virtual block device is activated.
- 7. The data persistence storage method of claim 5, wherein writing the ciphertext and the verification information to their respective locations via the secure storage operation module comprises: the secure storage operation module maps the address given by the secure virtual block device to a position in the storage area and writes the ciphertext to that position; and the secure storage operation module computes a verification position based on the position in the storage area and writes the verification information to the verification position.
- 8. The method of claim 5, wherein decrypting the read ciphertext and verification information via the IDE module and returning the decrypted result to the secure virtual block device comprises: the secure storage operation module feeds the ciphertext and the verification information back to the IDE module; the IDE module decrypts the ciphertext and the verification information to obtain a data page; and the IDE module performs an integrity check on the data page and returns the data page that passes the integrity check to the secure virtual block device.
- 9. A terminal comprising a memory, a processor, and a data persistence storage program stored in the memory and executable on the processor, the processor implementing the steps of the data persistence storage method of any of claims 5-8 when executing the program.
- 10. A computer-readable storage medium, characterized in that a data persistence storage program is stored thereon, and the data persistence storage program, when executed, implements the steps of the data persistence storage method of any of claims 5-8.
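As an added illustration (not code from the patent or its assignee), the following Python models the mount-time security check of claim 6 over the secure superblock of claim 2, with the verification-position layout of claim 7 for the private tag area. The HMAC-based page tags, the superblock MAC, the Merkle construction and the toy volume are assumptions standing in for the unspecified IDE encryption algorithm, and the trusted counter value is passed in as a parameter in place of a hardware counter.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of one verification record in the private (second) area

def page_tag(key: bytes, index: int, ciphertext: bytes) -> bytes:
    """Verification info for one page: HMAC over (page index, ciphertext).
    Assumption: stands in for the IDE module's output; the patent names no algorithm."""
    return hmac.new(key, index.to_bytes(4, "big") + ciphertext, "sha256").digest()

def verify_position(index: int) -> int:
    """Claim 7: the verification position is derived from the page's storage position."""
    return index * TAG_LEN

def merkle_root(leaves: list) -> bytes:
    """Merkle root over the per-page tags (odd levels duplicate the last node)."""
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]

def seal_superblock(key: bytes, counter: int, root: bytes) -> dict:
    """Secure superblock: trusted-counter value plus Merkle root, MAC'd under the TEE key
    (the MAC is an assumption; it is what the claim 6 'basic verification' checks here)."""
    body = counter.to_bytes(8, "big") + root
    return {"counter": counter, "root": root,
            "mac": hmac.new(key, b"superblock" + body, "sha256").digest()}

def build_volume(key: bytes, ciphertexts: list, counter: int):
    """Write path for a constructed toy volume: returns (private tag area, superblock)."""
    tags = [page_tag(key, i, c) for i, c in enumerate(ciphertexts)]
    return b"".join(tags), seal_superblock(key, counter, merkle_root(tags))

def security_check(key: bytes, sb: dict, trusted_counter: int,
                   tag_area: bytes, pages: int):
    """Claim 6 mount-time check, in order: basic verification, counter, Merkle root."""
    body = sb["counter"].to_bytes(8, "big") + sb["root"]
    expect = hmac.new(key, b"superblock" + body, "sha256").digest()
    if not hmac.compare_digest(sb["mac"], expect):
        return False, "superblock MAC invalid"
    if sb["counter"] != trusted_counter:  # stale copy replayed, or counter lost
        return False, "counter mismatch: rolled-back superblock"
    tags = [tag_area[verify_position(i):verify_position(i) + TAG_LEN] for i in range(pages)]
    if not hmac.compare_digest(merkle_root(tags), sb["root"]):
        return False, "Merkle root mismatch: page data or tags altered"
    return True, "activated"
```

A superblock whose counter lags the trusted counter is rejected before its Merkle root is even consulted, which is what stops a replayed older image from mounting; the check order mirrors the claim.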
Description
Data persistence storage system, method, terminal and medium
Technical Field
The present invention relates to the field of data security technologies, and in particular to a data persistent storage system, method, terminal and medium.
Background
With the rapid adoption of the Internet of Things, cloud computing and confidential computing technologies, the requirements for full-life-cycle security protection of sensitive data such as keys and certificates, biometric features, medical and health records and financial transactions continue to rise. A trusted execution environment (Trusted Execution Environment, TEE) serves as a hardware-isolated secure execution space; through physical isolation from the rich execution environment (Rich Execution Environment, REE), it ensures that the trusted applications (Trusted Application, TA) and sensitive data running inside it cannot be stolen or tampered with by malicious programs and privileged attackers on the REE side. However, the TEE natively protects only volatile memory, and memory contents are completely lost once the device is powered off, which severely limits the use of the TEE in long-term data storage scenarios.
Mainstream TEE architectures have each introduced persistent storage solutions adapted to their own hardware characteristics, and all achieve basic guarantees of confidentiality and integrity for persistent data, but they share shortcomings in two core capabilities, crash consistency and protection against malicious rollback. In particular, server-class TEE schemes provide no native, systematic technical support for these, so they are difficult to adapt to business scenarios with strong requirements on security across the whole data life cycle, such as financial transactions and database systems, and this has become the core bottleneck restricting large-scale industrial adoption of TEEs. The prior art therefore has drawbacks.
Disclosure of Invention
In view of the defects in the prior art, the invention provides a data persistence storage system, method, terminal and medium. The technical scheme adopted by the invention is as follows.
In a first aspect, the invention provides a data persistence storage system comprising: a secure virtual block device located in a trusted execution environment, which provides a standardized block storage interface to an upper file system, is compatible with formatting and mounting by a general-purpose file system, and stores proprietary secure metadata in a secure superblock; an IDE module located in the trusted execution environment and connected to the secure virtual block device, which provides confidentiality and integrity protection of data through an encryption algorithm; and a secure storage operation module located in the rich execution environment and connected to the IDE module, which performs the concrete storage operations.
In one implementation, the secure virtual block device sets aside a private storage space that is not exposed to the upper file system and is used only to store private metadata. The private metadata comprises a secure superblock and a Merkle tree, where the secure superblock comprises a global monotonically increasing count value obtained from a trusted counter, the value of the Merkle tree root node, and the storage location of the Merkle tree root node in the private storage space.
In one implementation, the secure virtual block device also aligns its secure transaction boundaries with the transaction boundaries of the upper file system and thereby guarantees crash consistency of the private metadata.
In one implementation, the secure storage operation module sets up a storage area in the rich execution environment comprising a first area and a second area, where the first area is exposed to the secure virtual block device and stores the data of the secure virtual block device, and the second area is a private area that stores the additional information output by the IDE module.
In a second aspect, an embodiment of the invention further provides a data persistence storage method based on the data persistence storage system of any of the above schemes, the method comprising: the secure virtual block device reads its own secure superblock, then performs a security check, is activated after the security check passes, and the operating system completes the mount operation of the secure virtual block device; the secure virtual block device writes data pages, the written data pages are encrypted by the IDE module to generate combined data of ciphertext and verification information, and t