Search

CN-122027199-A - VSOCK-based virtual cloud platform trusted computing communication method, device and system

CN122027199ACN 122027199 ACN122027199 ACN 122027199ACN-122027199-A

Abstract

The application discloses a VSOCK-based virtual cloud platform trusted computing communication method, device and system. The method includes the steps that when a trusted software base is started, an initial connection request is initiated to an agent program of a host through a first VSOCK port, the agent program monitors on a first VSOCK port, a second VSOCK port is dynamically allocated to the trusted software base of a virtual machine, a first virtual trusted root instance of the host is bound with a second VSOCK port, after a response of the agent program is received, the trusted software base breaks the initial connection with the first VSOCK port, service communication connection is established with the first virtual trusted root instance through the second VSOCK port, and instructions and data related to trusted computing are transmitted between the trusted software base of the virtual machine and the first virtual trusted root instance through the service communication connection. By limiting the trusted communication link to the inside of the host and isolating the process level, the technical problem of poor communication security of trusted computing in the virtualized cloud platform can be solved.

Inventors

  • TIAN JIANSHENG
  • Duan Guna
  • WEI LEI
  • CAO JIAWEI
  • XUAN YANJIE

Assignees

  • 北京可信华泰技术服务有限公司
  • 北京可信华泰信息技术有限公司

Dates

Publication Date
20260512
Application Date
20251225

Claims (10)

  1. 1. A VSOCK-based virtual cloud platform trusted computing communication system, comprising a host and a virtual machine running on the host: the host is provided with an agent program and a virtual trusted root instance, the agent program monitors on a first VSOCK port, and a trusted software base is operated in the virtual machine; When the trusted software base of the virtual machine is started, an initial connection request is initiated to the agent program through the first VSOCK port, the agent program dynamically allocates a second VSOCK port for the trusted software base of the virtual machine and binds an available first virtual trusted root instance with the second VSOCK port, the trusted software base disconnects the initial connection with the first VSOCK port and establishes service communication connection with the first virtual trusted root instance through the second VSOCK port, and then, instructions and data related to trusted computation are transmitted between the trusted software base of the virtual machine and the first virtual trusted root instance through the service communication connection.
  2. 2. The system of claim 1, wherein the trusted software base within the virtual machine comprises a communication driver module and a trusted services module: the communication driving module is used for performing bottom connection management between the trusted service module and the first virtual trusted root instance based on VSOCK mechanisms, wherein the bottom connection management comprises the steps of establishing service communication connection, maintaining service communication connection, disconnecting service communication connection and recovering faults; the trusted service module is used for running trusted computing service logic and delivering the packaged service data to the communication driving module for transmission.
  3. 3. A VSOCK-based trusted computing communication method for a virtual cloud platform, which is characterized by being applied to a virtual machine, the method comprising: When a trusted software base of a virtual machine is started, initiating an initial connection request to an agent program on a host machine through a first VSOCK port, wherein the agent program monitors on the first VSOCK port, and is used for dynamically distributing a second VSOCK port for the trusted software base of the virtual machine and binding a first virtual trusted root instance in available virtual trusted root instances of the host machine with the second VSOCK port; after receiving the response of the agent program, the trusted software base disconnects the initial connection with the first VSOCK port and establishes service communication connection with the first virtual trusted root instance through the second VSOCK port; and transmitting instructions and data related to trusted computing between the trusted software base of the virtual machine and the first virtual trusted root instance through the service communication connection.
  4. 4. The method of claim 3, wherein after establishing a traffic communication connection with the first virtual trusted root instance through the second VSOCK port, the method further comprises: Under the condition that the service communication connection fails, attempting to reestablish a new service communication connection by utilizing the second VSOCK port, and under the condition that the attempt fails, waiting for a preset interval time and then attempting to reestablish the new service communication connection again; Under the condition that the continuous failure times reach the preset connection times, re-using the first VSOCK port to establish new initial connection with the agent program so as to request the agent program to allocate a third VSOCK port and a second virtual trusted root instance for the virtual machine; Establishing a new service communication connection with the second virtual trusted root instance through the third VSOCK port; And transmitting instructions and data related to trusted computing between the trusted software base of the virtual machine and the second virtual trusted root instance through a new service communication connection.
  5. 5. A VSOCK-based virtual cloud platform trusted computing communication method, which is characterized by being applied to a host, the method comprising: Monitoring an initial connection request initiated by a trusted software base of a virtual machine on a first VSOCK port of an agent of a host machine; Dynamically allocating a second VSOCK port for the trusted software base of the virtual machine, and binding a first virtual trusted root instance of the host machine with the second VSOCK port; And sending response information to the trusted software base of the virtual machine through the first VSOCK port to instruct the trusted software base to disconnect the initial connection with the first VSOCK port, and establishing service communication connection with the first virtual trusted root instance through the second VSOCK port, wherein the service communication connection is used for carrying out instruction and data transmission related to trusted computing between the trusted software base of the virtual machine and the first virtual trusted root instance.
  6. 6. The method of claim 5, wherein dynamically assigning a second VSOCK port to the trusted software base of the virtual machine and binding the first virtual trusted root instance of the host with the second VSOCK port comprises: Selecting an unused port from available ports recorded in a port management table as the second VSOCK port to be allocated to the virtual machine, and marking the second VSOCK port as occupied in the port management table; And simultaneously, creating a new virtual trusted root instance as the first virtual trusted root instance, distributing the first virtual trusted root instance to the virtual machine, recording the first virtual trusted root instance into a virtual trusted root instance state table and marking the first virtual trusted root instance as occupied, binding a process identifier of the first virtual trusted root instance to the second VSOCK port, or selecting one of the virtual trusted root instance state tables in an idle state as the first virtual trusted root instance to be distributed to the virtual machine, updating the first virtual trusted root instance into occupied in the virtual trusted root instance state table, and binding a process identifier of the first virtual trusted root instance to the second VSOCK port.
  7. 7. The method of claim 6, wherein after dynamically assigning a second VSOCK port to the trusted software base of the virtual machine and binding the first virtual root instance of the host with the second VSOCK port, the method further comprises: and when the agent program monitors that the first virtual trusted root instance bound with the second VSOCK port is abnormal, releasing the corresponding second VSOCK port.
  8. 8. A VSOCK-based virtual cloud platform trusted computing communication apparatus for use with a virtual machine, the apparatus comprising: A request unit, configured to initiate an initial connection request to an agent on a host through a first VSOCK port when a trusted software base of a virtual machine is started, where the agent listens on the first VSOCK port, and the agent is configured to dynamically allocate a second VSOCK port to the trusted software base of the virtual machine, and bind a first virtual trusted root instance in available virtual trusted root instances of the host with the second VSOCK port; The connection unit is used for disconnecting the initial connection with the first VSOCK port by the trusted software base after receiving the response of the agent program, and establishing service communication connection with the first virtual trusted root instance through the second VSOCK port; And the communication unit is used for carrying out instruction and data transmission related to trusted computing between the trusted software base of the virtual machine and the first virtual trusted root instance through the service communication connection.
  9. 9. A VSOCK-based virtual cloud platform trusted computing communication device for use with a host, the device comprising: The monitoring unit is used for monitoring an initial connection request initiated by a trusted software base of the virtual machine on a first VSOCK port of an agent program of the host machine; the allocation unit is used for dynamically allocating a second VSOCK port for the trusted software base of the virtual machine and binding a first virtual trusted root instance of the host machine with the second VSOCK port; The indication unit is configured to send response information to the trusted software base of the virtual machine through the first VSOCK port, so as to instruct the trusted software base to disconnect from the initial connection with the first VSOCK port, and establish a service communication connection with the first virtual trusted root instance through the second VSOCK port, where the service communication connection is used for performing instruction and data transmission related to trusted computing between the trusted software base of the virtual machine and the first virtual trusted root instance.
  10. 10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method of any of the preceding claims 3 to 7 by means of the computer program.

Description

VSOCK-based virtual cloud platform trusted computing communication method, device and system Technical Field The application relates to the field of computer security, in particular to a VSOCK-based virtual cloud platform trusted computing communication method, device and system. Background This section is intended to provide a background or context for the matter recited in the claims or specification, which is not admitted to be prior art by inclusion in this section. With the rapid development of cloud computing technology, a virtualized environment has become a core infrastructure for constructing modern data centers, public clouds and private cloud platforms. In such environments, how to ensure secure and trusted communications inside Virtual Machines (VM), between virtual machines, and between a virtual machine and a host machine, particularly communications involving an underlying hardware trust root (such as a TPM), becomes a key technical challenge to secure the overall security of a cloud platform. Trusted computing communications require high security, low latency, high reliability, and good isolation of the communication process. The conventional virtual platform trusted computing communication mechanism mainly comprises the following schemes, but each has inherent limitations: 1) And the communication based on the TCP/IP network stack is that the virtual machine accesses the virtual network through the virtual network card and communicates with the host machine or other virtual machines through a standard network protocol (such as TCP/IP). The scheme has strong universality and good compatibility, but has long communication path, and the data needs to be processed by the complete network protocol stack of the host machine, so that the performance cost is huge, the communication delay is high, and the requirement of trusted computing on real-time performance is difficult to meet. In addition, the scheme is complex in configuration, needs to manage IP addresses, routes and firewall rules, is low in safety, and is easy to suffer network layer threats such as interception, man-in-the-middle attack and the like. 2) Communication based on virtual-services (e.g., virtio-services) devices as a paravirtualized device, virtio-services are intended to provide a communication channel that is lighter than TCP/IP. Although the delay is relatively low, a single queue mode is adopted, the bandwidth is limited, the transmission efficiency is low, the interrupt delay is high, and the requirements of high-performance trusted computing scenes cannot be met. Meanwhile, the multi-process support capability is poor, and a single serial port can be safely read and written by only one process, so that the concurrent processing capability of the serial port is limited, and the serial port is mainly suitable for scenes such as simple instruction transmission or log collection. 3) Communication based on Shared Memory (Shared Memory) is realized by mapping the same physical Memory area of a host machine for direct access by a virtual machine. The scheme is extremely fast in theory, and can realize data transmission with nearly zero copies. However, implementation is extremely complex, requiring elaborate memory mapping, synchronization and locking mechanisms. More importantly, in a multi-tenant cloud environment, the shared memory scheme is difficult to realize effective security isolation, and exposure of a memory area may become an attack surface, thereby causing serious security risks. Meanwhile, the scheme lacks standard communication semantics, and increases the difficulty of development and maintenance. 4) And based on communication of PCIe pass-through devices, a physical Trusted Platform Module (TPM) is directly distributed to a specific virtual machine for exclusive use through PCIe pass-through (Passthrough) technology. The scheme can provide a trust root of a hardware level, but has strong hardware dependence, high cost and extremely poor expansibility. More importantly, one physical TPM device can only serve one virtual machine at the same time, and cannot support the core requirement of multiple virtual machines in a cloud platform for concurrent access to trusted computing services, which is contrary to the resource sharing and elastic expansion concepts of cloud computing. The prior art has the problems of high delay of the traditional network communication mode (especially TCP/IP), high processing overhead of a protocol stack and incapability of meeting the requirement of trusted computing on high real-time performance. The potential safety hazard is that the communication path is long (for example, the communication path passes through an external virtual network), the exposure of the data is wide in the transmission process, the data is easy to intercept and attack, and the isolation of part of schemes (for example, shared memory) is poor, so that an attack channel crossing the virtual machine is easy to