vTPM private information protection method based on label

Abstract

The invention discloses a vTPM private information protection method based on a label. The method comprises the steps of S1, performing initialization work before system deployment; S2, separately building a vTPM label for a vTPM instance of each virtual machine; S3, extracting the vTPM label from an mirror file of the virtual machine, detecting related content of the vTPM label, judging whether acorresponding relationship between the virtual machine and the vTPM is correct, and thus judging whether the virtual machine is started; S4, performing Hash operation, encryption, decryption and Hashvalue verification according to a KEY acquired through decrypting the encryption information field of the vTPM label acquired in the step 3, and performing confidentiality protection and completenessverification on the vTPM private information; and S5, when the virtual machine is in dynamic migration, securely migrating volatility information and private information of the vTPM and the vTPM label. According to the method provided by the invention, the confidentiality and completeness of the vTPM private information and the consistency of the association relationships between the virtual machines and the vTPM instances are protected in real time by using the vTPM labels, and association between the vTPM and the physical credible platform module is built.

Description

technical field [0001] The invention relates to the field of trusted computing and virtualization security, in particular to a tag-based vTPM private information protection method. Background technique [0002] Trusted computing technology can provide a virtual machine integrity verification mechanism for cloud computing platforms, and vTPM (vTPM, virtual Trusted Platform Module) is an important component of trusted computing technology virtualization. The virtualization platforms XEN and KVM both have vTPM implementation solutions, both of which involve the software simulation of the non-volatile information of the Trusted Platform Module (TPM, Trusted Platform Module), which includes private information such as endorsement keys and access passwords , so the present invention calls the non-volatile information of vTPM private information of vTPM, and these private information are easy to be stolen and abused. [0003] There are three main types of trusted platform module v...

AI Technical Summary

Problems solved by technology

[0004] The deficiencies of the fully virtualized trusted platform module under KVM are: (1) use the libtpms function library to simulate all the functions of the physical trusted platform module, which is completely separated from the physical trusted platform module; (2) store the private information of the vTPM In the host file, no security measures are added; (3) The corresponding vTPM instance is loaded through the command line parameters of QEMU, and the relationship between vTPM and virtual machine is weak

[0005] The deficiencies of existing solutions are: (1) relying on transactional synchronization extension technology (TSX, transactional synchronization extension), causing vTPM to be non-migratable; (2) relying on Intel's software guard extension technology (SGX, software guard extension) , the source code structure of the vTPM needs to be modified; (3) The vTPM is secured using the migrateable key of the Trusted Platform Module, which cannot guarantee the strong association between the virtual machine and the vTPM; (4) The existing vTPM dynamic migration process Failure to consider the security of their private information

Images