Data processing method, proxy device and related equipment
By adding an agent device to the computing device, the application of the virtualized instance can call the host operating system's drivers, which solves the problem that the virtualized instance cannot access the TEE environment, realizes secure data processing and parallel operation of multiple applications, and is suitable for deployments of different CPU architectures.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2022-09-09
- Publication Date
- 2026-06-05
AI Technical Summary
Applications in virtualized instances cannot directly access the TEE environment on the computing device, making it difficult to ensure the security and trustworthiness of data processing during virtualization migrations.
By adding an agent device to the computing device, applications in the virtualization instance can call drivers in the host operating system to access the TEE environment and perform data processing operations.
It improves the security of data processing in virtualized instances, reduces the difficulty of migrating user applications to virtualization, and supports parallel calls of multiple virtual machines or applications, making it suitable for deployment scenarios with different CPU architectures.
Smart Images

Figure CN117708822B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a data processing method, agent device and related equipment. Background Technology
[0002] Confidential computing refers to a method of protecting data in use by performing computations within a hardware-based trusted execution environment (TEE). Currently, a mainstream implementation approach is to implement the TEE within a TrustZone deployed on an Advanced Reduced Instruction Set Computer (ARM) architecture. A TrustZone is a hardware architecture that logically divides the hardware resources of a computing device into a secure world and a normal world. A TEE can be built using hardware resources in the secure world and an operating system (OS) within the TEE, while a rich execution environment (REE) can be built using hardware resources in the normal world and a host operating system (OS).
[0003] Typically, applications (or client applications) need to be developed based on the software development kit (SDK) provided by the TrustZone hardware architecture. This allows the application to use the SDK to call the driver in the host OS of the REE environment, thereby accessing the TEE environment and performing corresponding data processing operations.
[0004] However, when virtualization instances, such as virtual machines (VMs) or containers (Docker), are deployed on the computing device based on virtualization technology, the virtualization instances cannot interact with the host OS due to the isolation characteristics of virtualization technology. This makes it impossible for applications in the virtualization instance to access the TEE driver in the host OS using the SDK, and thus impossible to access the TEE environment, making it difficult for users' applications to migrate to virtualization.
[0005] Therefore, how to enable applications in virtualized instances to access the TEE environment on computing devices has become an important problem that urgently needs to be solved. Summary of the Invention
[0006] This application provides a data processing method in which an application in a virtualized instance uses an added agent device to call drivers in the host operating system, thereby enabling the application in the virtualized instance to access the TEE environment on the computing device. Furthermore, this application also provides a corresponding agent device, processor, computing device, computer-readable storage medium, and computer program product.
[0007] Firstly, this application provides a data processing method applied to a first computing device running an REE and a TEE. The REE is built based on a host operating system, and the TEE is built based on a trusted operating system. During the process of a virtualized instance accessing a TA in the TEE, a proxy device in the first computing device obtains a data processing request generated by the virtualized instance. The virtualized instance can be, for example, a container, a virtual machine, or a bare metal server. This data processing request requests data processing operations to be performed in the TEE, such as authentication operations or electronic payment operations. Then, in response to the data processing request, a target driver in the host operating system is invoked to enable the virtualized instance to interact with the TA in the TEE, thereby enabling the application in the virtualized instance to interact with the TA in the TEE and execute the data processing operation requested by the virtualized instance in the TEE. In practical applications, the proxy device can be deployed independently of the host operating system and the virtualized instance.
[0008] Although the isolation nature of virtualization technology prevents virtualized instances from directly accessing target drivers in the host operating system, they can still access the TEE environment by invoking these drivers through a proxy device. This allows applications within the virtualized instance to perform trusted data processing operations within the TEE environment, improving data processing security and reducing the difficulty of migrating user applications to virtualization.
[0009] In one possible implementation, when invoking the target driver in the host operating system, a first process can be selected from multiple processes. This first process is used to invoke the target driver, thereby enabling the virtual machine instance to invoke the target driver. In this way, for different virtual machine instances, or for different applications within the same virtual machine instance, multiple processes can be used to achieve parallel invocation of the target driver, thereby improving the efficiency of the first computing device in providing services for multiple virtual machine instances or multiple applications to perform operations in the TEE.
[0010] In one possible implementation, the virtualized instance can be deployed on a first computing device, specifically within an REE environment on that device. Alternatively, the virtualized instance can be deployed on a second computing device connected to the first device, for example, via a physical line or a network connection. This allows for the development and deployment of virtualized instances (or applications) on remote computing devices, reducing the development requirements for virtualized instances.
[0011] In one possible implementation, when the virtualization instance is deployed on a second computing device, the second computing device has a different x86 architecture than the first computing device. For example, the CPU architecture of the first computing device may be ARM architecture, while the CPU architecture of the second computing device may be x86 architecture, thus enabling the deployment and development of applications in the virtualization instance on multiple different architectures.
[0012] In one possible implementation, when invoking the target driver in the host operating system, the system may first verify whether a Task Manager (TA) corresponding to the application in the virtualized instance is running in the TEE based on the data processing request. If the TA is running in the TEE, the target driver in the host operating system is invoked to enable interaction between the application and the TA. In this way, by verifying whether a TA is deployed in the TEE, it is easy to determine in a timely manner whether the data processing operation requested by the application can be executed in the TEE.
[0013] In one possible implementation, when the application corresponding to the virtualized instance is not running in the TEE, the application in the virtualized instance is instructed to upload the application's corresponding TA to the first device so that the TA deployed in the TEE can be used for subsequent data processing.
[0014] In one possible implementation, when invoking the target driver in the host operating system, the authentication information carried in the data processing request can be parsed, and the virtualization instance can be authenticated based on this authentication information. If the virtualization instance passes the authentication, the target driver in the host operating system is invoked. Thus, by authenticating the virtualization instance, the legitimacy and security of data processing operations performed in the TEE can be further improved.
[0015] Optionally, when a virtualization instance fails the authentication, the call to the target driver can be rejected, and a notification message indicating the call failure can be sent back to the virtualization instance.
[0016] Secondly, this application provides a proxy device, which includes modules for performing the data processing method in the first aspect or any possible implementation of the first aspect.
[0017] Thirdly, this application provides a processor that can be connected to a memory for executing instructions stored in the memory, so that the processor performs the steps of the data processing method as described in the first aspect or any implementation thereof.
[0018] Fourthly, this application provides a computing device, which includes a processor and a memory. The processor and the memory communicate with each other. The processor executes instructions stored in the memory, causing a scheduler to execute a data processing method as described in the first aspect or any implementation thereof. It should be noted that the memory can be integrated into the processor or can be independent of the processor. The computing device may also include a bus. The processor is connected to the memory via the bus. The memory may include readable storage and random access memory.
[0019] Fifthly, this application provides a computer-readable storage medium storing instructions that, when executed on a computing device, cause the computing device to perform the operation steps of the data processing method described in the first aspect or any implementation thereof.
[0020] In a sixth aspect, this application provides a computer program product containing instructions that, when run on a computing device, causes the computing device to perform the operational steps of the data processing method described in the first aspect or any implementation thereof.
[0021] Based on the implementation methods provided in the above aspects, this application can be further combined to provide more implementation methods. Attached Figure Description
[0022] Figure 1 A schematic diagram of the architecture of an exemplary computing device provided for this application;
[0023] Figure 2 A schematic diagram of an application scenario provided in this application;
[0024] Figure 3 A flowchart illustrating a data processing method provided in this application;
[0025] Figure 4 A schematic diagram illustrating the use of multiple processes to call driver 102-1 in parallel, as provided in this application;
[0026] Figure 5 A flowchart illustrating another data processing method provided in this application;
[0027] Figure 6A schematic diagram of the structure of an agent device provided in this application;
[0028] Figure 7 This is a schematic diagram of the hardware structure of a computing device provided in this application. Detailed Implementation
[0029] For ease of description, the terms used in this application will first be explained.
[0030] A rich execution environment (REE) is an untrusted environment in which a host operating system (OS) is deployed on a computing device. REEs do not consider security issues such as sensitive data transmission.
[0031] A host operating system, also known as a REE OS, is a set of interconnected system software programs that manage and control the operation of computing devices, utilize and run hardware and software resources, and provide public services to organize user interactions.
[0032] Open application (CA), also known as untrusted application, is software that runs in an open execution environment. Multiple CAs can run in the same open execution environment.
[0033] A Trusted Execution Environment (TEE), also known as a secure world, secure execution environment, or trusted hardware execution environment, offers higher security compared to an open execution environment. A trusted operating system can be deployed within a secure area of a computing device to create a trusted environment that ensures the storage and processing of various sensitive data. End-to-end security during the transmission and processing of sensitive data is ensured through the implementation of protection, confidentiality, integrity, and data access permissions. Computing devices include servers, edge servers, workers, personal computers (PCs), smartphones, and tablets—devices used for data processing.
[0034] Trusted operating systems, also known as secure operating systems or TEE OS, include openEurla, Trustzone, Trustonic, Qualcomm's QSEE, and open-source OPTEE, among others.
[0035] A trusted application (TA), also known as a trusted application, refers to a software program running in a trusted operating system. Access to the software is authorized through methods such as permission control and signature authentication. A single TEE can contain multiple isolated TAs. For example, multiple applications, such as fingerprint comparison and private key signing during payments, can run in a trusted execution environment to ensure the security of sensitive data processing and transmission, including private key signing and fingerprints.
[0036] To address the issue of enabling applications in virtualized instances to access the TEE environment on a computing device, this application provides a data processing method that adds a proxy device to the computing device. This proxy device allows applications in the virtualized instance to invoke drivers in the host operating system, thereby enabling applications in the virtualized instance to access the TEE environment on the computing device.
[0037] The technical solutions in this application will now be described with reference to the accompanying drawings.
[0038] See Figure 1 This is a schematic diagram of the structure of an exemplary computing device provided in this application. The computing device can be a device with computing capabilities, such as a server. Figure 1 As shown, the computing device 100 may include a hardware layer 101, a host operating system (HOS OS) 102, a trusted operating system (TEE OS) 103, and a security monitor 106. The hardware layer 101 may include multiple processors, such as... Figure 1 Processors 1 to 8, as shown, can be used to construct an REE environment based on hardware layer 101 and hots OS 102, and a TEE environment can be constructed based on hardware layer 101 and TEE OS 103. Security monitor 106 manages the switching between the insecure world state (REE) and secure world state (TEE) of the processors in hardware layer 101. For example, security monitor 106 can control the processors in hardware layer 101 to switch from an insecure world state to a secure world state, enabling the execution of corresponding data processing operations within the TEE environment. Furthermore, before switching the world state of a processor, security monitor 106 can save information about the insecure world state so that the processor can be correctly restored after switching back to the insecure world state.
[0039] In an REE environment, one or more instances can be deployed based on virtualization technology, such as virtual machines (VMs), containers, bare metal servers (BMS), etc. Figure 1Taking container 104 and VM 105 as an example, for ease of description, this embodiment refers to them as virtualization instances. Furthermore, each virtualization instance can deploy at least one application, such as an independent software vendor (ISV) application. Figure 1 The example illustrates how container 104 includes application 1 and VM 105 includes application 2 (application 2 runs on guest OS 105-1 in VM 105).
[0040] In a TEE environment, trusted applications (TAs) can be deployed to perform confidential computations on data for applications in the REE environment, such as authentication and electronic payments, thereby improving data processing security. For example, Figure 1 TA1, deployed in the TEE environment, can perform confidential computations for application 1 in the REE environment, and TA2 can perform confidential computations for application 2 in the REE environment, etc.
[0041] Normally, devices in the REE environment cannot access devices in the TEE environment (such as memory, cache, hard disk, etc.) to ensure information security in the TEE environment. When Application 1 and Application 2 need to process data in the TEE environment, they need to call driver 102-1 in host OS 102 to access the TEE environment, thereby performing data processing operations in the TEE environment and improving data processing security. However, due to the isolation characteristics of virtualization instances, virtualization instances and host OS 102 usually cannot interact. This makes it difficult for Application 1 and Application 2 in the virtualization instance to directly access driver 102-1 in host OS 102, thus hindering data processing in the TEE environment.
[0042] Based on this, this application adds a proxy device 200 to the computing device 100. This proxy device 200 is deployed independently of the virtualization instance and the host OS 102 in the REE environment to enable access to the TEE for the virtualization instance. Specifically, each virtualization instance can be configured with a client to trigger access to the TEE, such as... Figure 1Clients 201 and 202, etc., are included in the container 104. When container 104 needs to access the TEE, specifically when application 1 (or application 2) within container 104 needs to access the TEE, application 1 can call client 201 and generate a corresponding data processing request. This data processing request requests data processing operations to be performed in the TEE. Then, client 201 can send this data processing request to agent device 200. Computing device 100 can obtain this data processing request through agent device 200 and respond to it by calling driver 102-1 in host OS 102 to access the TEE. This allows application 1 in container 104 to interact with TA1 in the TEE, specifically instructing TA1 in the TEE to execute the data processing operation indicated by the data processing request. This enables application 1 to access the TEE, ensures data processing security, and reduces the difficulty of migrating user applications to virtualization.
[0043] As examples, the agent device 200 can be implemented in software or hardware. When implemented in software, the agent device 200 can be, for example, a program running on the processor of the computing device 200, such as a component with agent functionality or other form of software product. Alternatively, when implemented in hardware, the agent device 200 can be a processor, or implemented through a physical device including a processor. The processor can be a CPU, and any processor or any combination thereof, including application-specific integrated circuits (ASICs), programmable logic devices (PLDs), complex programmable logical devices (CPLDs), field-programmable gate arrays (FPGAs), generic array logic (GALs), systems-on-chips (SoCs), software-defined infrastructure (SDI) chips, artificial intelligence (AI) chips, and data processing units (DPUs). Furthermore, the number of processors included in the physical device can be one or more, and the specific number of processors can be set according to the actual business needs of the application. This embodiment does not limit this.
[0044] It is worth noting that the above Figure 1 The computing device 100 shown is only an example. In actual application, the data processing method provided in this application embodiment can also be applied to other applicable computing devices.
[0045] For example, in Figure 2 In the scenario shown, agent device 200 is deployed on computing device 300, and computing device 300 runs REE and TEE, while virtualized instances (i.e. Figure 2 The container 104 and VM 105 can be deployed in the computing device 400. When the application in the container 104 and VM 105 needs to access the TEE in the computing device 300, the client 201 (or client 202) can remotely call the agent device 200, such as by calling the agent device 200 based on the remote procedure call (RPC) protocol, and send a data processing request to the agent device 200. Thus, the agent device 200 can call the driver 102-1 to access the TEE, which enables the application 1 (or application 2) to remotely access the TEE on the computing device 300.
[0046] At this time, computing device 300 and computing device 400 may have the same CPU architecture, such as both computing device 300 and computing device 400 being ARM architecture; or, computing device 300 and computing device 400 may have different CPU architectures, such as computing device 300 having an ARM architecture and computing device 400 having an x86 architecture, etc. This embodiment does not limit this.
[0047] Next, embodiments of the data processing method provided in this application will be described with reference to the accompanying drawings.
[0048] See Figure 3 , Figure 3 This is a flowchart illustrating a data processing method provided in an embodiment of this application. Wherein, Figure 3 The data processing method shown is applied to Figure 1 The computing device shown, taking container 104 accessing the TEE environment as an example, Figure 3 The data processing methods shown may specifically include:
[0049] S301: Container 104 generates a data processing request, which requests the execution of data processing operations within the TEE.
[0050] In this embodiment, one or more virtualization instances can be deployed in the computing device 100, such as Figure 1 Container 104, VM 105, or BMS (in the context of BMS) Figure 1(not shown in the image), etc., and each virtualization instance can run one or more applications.
[0051] When container 104 needs to access the TEE on the computing device, that is, when application 1 (or other applications) in container 104 needs to access the TEE on the computing device (in order to perform confidential computation on data in the TEE environment), application 1 can call client 201 deployed in container 104 through the interface provided by client 201. Client 201 is used to trigger access to the TEE. As an example, the interface of client 201 to application 1 can be compatible with the traditional GP TEE API (global platform trusted execution environment application program interface) interface provided to application 1. In this way, the modifications required to develop application 1 for the deployment of client 201 can be minimized, reducing the difficulty of migrating user applications to virtualization. The specific implementation of this interface can refer to the existing GP TEE API interface implementation, which will not be elaborated here. In other embodiments, client 201 can also be flexibly developed according to the needs of actual applications, and this embodiment does not limit it in this way.
[0052] S302: Container 104 sends a data processing request to agent device 200.
[0053] The agent device 200 can be deployed independently in the computing device 100 as a virtualized instance and as a host OS 102.
[0054] In specific implementation, when application 1 calls client 201, client 201 can generate a data processing request. This data processing request can carry the identifier of TA1 corresponding to application 1 in the TEE environment (such as the name of TA1), the data to be processed, and the operation to be performed on the data (such as identity authentication operation, electronic payment operation, etc.) so as to use TA1 in the TEE environment to perform the corresponding operation on the data to be processed.
[0055] Since virtualized instances typically cannot interact with the host OS 102 within the computing device 100, the client 201 cannot directly send data processing requests to and invoke driver 102-1 in the host OS 102. Therefore, in this embodiment, an agent device 200 is added to the computing device 100. This agent device 200 is deployed independently of the virtualized instances (including container 104 and VM 105) and the host OS 102, and there is no need for isolation between the virtualized instances and the newly added agent device 200 (i.e., data interaction occurs between the virtualized instances and the agent device 200). Furthermore, the client 201 can be configured with an interface for interacting with the agent device 200, allowing it to send generated data processing requests to the agent device 200. Specifically, the client 201 can serialize the data processing request to obtain a byte stream and send this byte stream to the agent device 200 through the interface.
[0056] Accordingly, the agent device 200 receives a data processing request.
[0057] In practice, the proxy device 200 can use the interface facing the client 201 to receive the byte stream corresponding to the data processing request and deserialize the byte stream so as to restore the transmitted information to the original data structure or object content.
[0058] S303: In response to the data processing request, the agent device 200 calls the driver 102-1 in the host OS 102 to enable the virtualization instance to interact with TA1 in the TEE, wherein the host OS 102 is used to build the REE.
[0059] For ease of description, this embodiment uses the example of the agent device 200 receiving and responding to a data processing request. In other embodiments, the data processing request may also be responded to by the processor running the agent device 200 in the computing device 100.
[0060] The agent device 200 and the host OS 102 do not need to meet the isolation characteristics. Therefore, the agent device 200 can access the host OS 102. Thus, the agent device 200 can call the driver 102-1 based on the received data processing request, so as to access the TEE through the driver 102-1, thereby enabling the interaction between the container 104 and TA1, that is, enabling the interaction between the application in the container 104 and TA1.
[0061] For example, the agent device 200 can select a first process from multiple processes (each process can be called a worker) included in the process pool and allocate the first process to application 1. Then, the agent device 200 can use the allocated first process to call driver 102-1 according to the data processing request, so as to enable container 104 to interact with TA1 in the TEE environment. In specific implementation, the agent device 200 can use driver 102-1 to switch the state of the processor in computing device 100 from the REE running state to the TEE running state to execute the first process. This allows the call to enter the software stack on the TEE side, and the TA1 on the TEE side can respond to the data processing operation according to the data processing request. Alternatively, the agent device 200 can use driver 102-1 to allocate the first process to a processor in computing device 100 that is dedicated to supporting the running of TEE, so that the first process can be executed by the processor, enabling container 104 to interact with TA1 in the TEE environment.
[0062] Typically, when application 1 invokes driver 102-1 to access the TEE environment, it interacts with TA1 in the TEE environment based on a data processing request, enabling TA1 to perform corresponding data processing operations using resources within the TEE environment. Accordingly, before accessing TA1, it is usually necessary to deploy the TA1 corresponding to application 1 to the TEE environment. Based on this, in one possible implementation, before allocating a process for a data processing request, the agent device 200 can first verify whether the TA1 corresponding to application 1 is running in the TEE based on the data processing request. For example, the agent device 200 can verify the existence of TA1 in the TEE based on the TA1 identifier carried in the data processing request. Furthermore, when the TA1 corresponding to application 1 is running in the TEE, the agent device 200 can use the allocated first process to invoke driver 102-1 to access the TA1 in the TEE environment. When the TA1 corresponding to application 1 is not running in the TEE environment, the agent device 200 can instruct container 104 (specifically, instruct client 201 within container 104) to upload the TA1 to the computing device. For example, the agent device 200 can return the status information of TA1 to the client 201. This status information indicates that TA1 has not yet been deployed in the TEE environment. Based on this status information, the client 201 can obtain the program file of TA1 provided by the user when deploying application 1, and upload the program file to the computing device 100, or inform the computing device 100 of the storage location of the program file, so that the computing device 100 can add the program file of TA1 to the application directory in the TEE environment, thereby realizing the deployment of TA1 in the TEE.
[0063] In real-world applications, computing device 100 typically deploys multiple applications, each of which calls its own client to request access to the TEE. This causes agent device 200 to receive data processing requests from multiple clients over a period of time, such as... Figure 4 As shown. At this time, the agent device 200 can temporarily store multiple data processing requests in a task queue and obtain information on the available resources of multiple processors (or multiple processor cores) in the hardware layer 101. Based on the obtained information on the available resources in the hardware layer 101, the agent device 200 can sequentially allocate processes and processors (or processor cores) to execute each data processing request in the task queue. Thus, for multiple received data processing requests, the agent device 200 can utilize multiple processes to call the driver 102-1 in parallel, and use the processor (or processor core) executing the process to perform the operations required in the TEE environment as indicated by each application, thereby enabling multiple applications to access the TEE environment simultaneously.
[0064] In this embodiment, although the isolation characteristics of virtualization technology prevent application 1 in container 104 from directly accessing driver 102-1 in host OS 102, application 1 can indirectly invoke driver 102-1 through proxy device 200, thereby gaining access to the TEE environment. Thus, application 1 in container 104 can also perform trusted data processing operations within the TEE environment, thereby improving data security. Similarly, application 2 in VM 105 can also indirectly invoke driver 102-1 through proxy device 200, thereby gaining access to the TEE environment.
[0065] The above Figure 3 In the illustrated embodiment, application 1 (or the container 104 containing application 1) resides on a computing device 100 with both REE and TEE environments. However, in other possible implementations, application 1 may be deployed separately from the computing device with both REE and TEE environments, allowing the computing device to support applications on remote nodes accessing the TEE environment via remote calls. The following, in conjunction with the above... Figure 2 The scene shown and Figure 5 The method flow shown provides an example of how application 1 remotely accesses TA1 in the TEE environment.
[0066] See Figure 5 This illustrates a flowchart of another data processing method. Figure 5 The method shown can be applied to application scenarios as shown in Figure 2. Specifically, the method may include:
[0067] S501: Application 1 in container 104 registers with the security authentication framework 107.
[0068] S502: The security authentication framework 107 performs the registration of application 1 and sends the registered account and authentication information back to application 1 and client 203.
[0069] The security authentication framework 107 can be used to perform secure identification and authentication of applications, thereby improving the security of application production. For example, the security authentication framework 107 may be a Secure Production Identity Framework For Everyone (SPIFFE), or other applicable security authentication frameworks, etc., and this embodiment does not limit it in this way.
[0070] In practice, application 1 can send a registration request to the security authentication framework 107, which carries the identifier of application 1. The security authentication framework 107 can respond to the registration request, create an account for application 1, and generate authentication information for legitimacy authentication. Then, the security authentication framework 107 sends the account created for application 1 and the generated authentication information to application 1 and the client 203 provided by the proxy device 200 to the security authentication framework 107, respectively. Application 1 and client 203 can save the received account and authentication information accordingly.
[0071] S503: Application 1 sends authentication information to client 201.
[0072] Client 201 saves the received authentication information.
[0073] The authentication information is used to authenticate the legitimacy of application 1. For example, it can be a token, such as a JWT (JSON Web Token), or a digital signature. In practical applications, the authentication information can also be other types of information that can be used to achieve legitimacy authentication; this embodiment does not limit this.
[0074] S504: Application 1 uploads the TA1 corresponding to Application 1 to computing device 300 through client 201.
[0075] In this embodiment, the client 201 can also define an interface for the TA1 state to the application 1. The application 1 can send the program file (or image file of TA1, etc.) corresponding to TA1 to the client 201 through this interface. Accordingly, the client 201 can remotely send the program file corresponding to TA1 to the computing device 300, so that the computing device 300 can add the program file of TA1 to the application directory in the TEE environment, thereby deploying TA1 in the TEE environment.
[0076] S505: Computing device 300 deploys TA1 in a TEE environment.
[0077] S506: Application 1 calls client 201, triggering access to TA1 in TEE.
[0078] S507: Client 201 sends a data processing request to agent device 200, which requests the execution of a data processing operation in TEE.
[0079] In specific implementation, client 201 can generate a data processing request, which includes the identifier of TA1, the data to be processed, the operation to be performed on the data, and authentication information. Then, client 201 can remotely send the data processing request to proxy device 200. Communication between client 201 and proxy device 200 can be based on RPC protocol or other protocols; this embodiment does not limit this.
[0080] S508: The agent device 200 parses the received data processing request to obtain the identifier and authentication information of TA1.
[0081] S509: Agent device 200 verifies whether TA1 is deployed in the TEE environment based on the identifier of TA1. If yes, proceed to step S510; otherwise, agent device 200 instructs client 201 to upload TA1.
[0082] S510: The agent device 200 uses the client 203 to verify whether the application 1 has passed the legality authentication based on the authentication information. If yes, the agent device 200 continues to execute step S510. If no, the agent device 200 refuses to call the driver 102-1 and returns a legality authentication failure to the client 201.
[0083] As an implementation example, the proxy device 200 can send the parsed authentication information to the client 203. Upon receiving the authentication information, the client 203 can retrieve the authentication information corresponding to application 1 from the stored authentication information sent by the security authentication framework 107, and perform a consistency check between the received authentication information and the retrieved authentication information. When the two authentication information match, the client 203 can report to the proxy device 200 that application 1 has passed the authentication; conversely, when the two authentication information do not match, the client 203 can report to the proxy device 200 that application 1 has failed the authentication.
[0084] In another implementation example, after parsing the authentication information from the data processing request, the proxy device 200 can instruct the client 203 to provide the authentication information corresponding to application 1 sent by the security authentication framework 107. After obtaining these two authentication information sets, the proxy device 200 can perform a consistency check. When the two authentication information sets match, the client 203 can report to the proxy device 200 that application 1 has passed the authentication; when the two authentication information sets do not match, the client 203 can report to the proxy device 200 that application 1 has failed the authentication.
[0085] It is worth noting that in this embodiment, the security authentication framework 107 sends authentication information to the client 203 and the client 203 performs the legitimacy authentication process as an example for illustrative purposes. In other embodiments, the client 201 may send an initialization request to the proxy device 200 before the application 1 requests access to the TEE. This initialization request carries the identifier of TA1 (or the identifier of application 1) and authentication information, which is then stored by the proxy device 200. In this way, after receiving the data processing request sent by the client 201, the proxy device 200 can determine whether the application 1 has passed the legitimacy authentication by comparing whether the authentication information carried in the data processing request is consistent with the authentication information in the previously received initialization request.
[0086] S511: The agent device 200 calls the driver 102-1 in the host OS 102 according to the data processing request to realize the interaction between the application 1 and TA1.
[0087] In a specific implementation, the agent device 200 can select a first process from the multiple processes (each process can be called a worker) included in the process pool and allocate the first process to the application 1. Then, the agent device 200 can call the driver 102-1 using the allocated first process according to the data processing request to realize interaction with TA1 in the TEE environment.
[0088] In this way, application 1 located in computing device 400 can also remotely call driver 102-1 through client 201 and agent device 200 to perform confidential calculations of data in TEE environment, ensuring the security of data processing.
[0089] Furthermore, when deploying application 1, since the application does not need to be deployed on computing device 300 with REE and TEE environments, but can be deployed on computing device 400 which is remotely connected to computing device 300, the requirements for the CPU architecture of computing device 400 for deploying application 1 can be reduced. For example, when the CPU architecture of computing device 300 is ARM architecture, application 1 can be deployed on computing device with ARM architecture or computing device with x86 architecture, thus enabling application deployment in homogeneous or heterogeneous scenarios. Moreover, when deploying application 1 on computing device 400, application 1 does not need to be aware of whether the deployment method is in container 104 or VM 105, thereby improving the user's application deployment experience.
[0090] In practical applications, when the agent device 200 simultaneously receives data processing requests from application 1 via client 201 and application 2 via client 202, the agent device 200 can allocate a first process for application 1 and a second process for application 2. Thus, the agent device 200 can use the allocated first process to call driver 102-1 based on the data processing request sent by client 201, enabling application 1 to interact with TA1 in the TEE environment. Similarly, based on the data processing request sent by client 202, the agent device 200 can use the allocated second process to call driver 102-1, enabling application 2 to interact with TA2 in the TEE environment. This allows for parallel processing of multiple data processing requests.
[0091] It is worth noting that other reasonable combinations of steps that can be conceived by those skilled in the art based on the above description also fall within the scope of protection of this application. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily essential to this application.
[0092] The above combination Figures 1 to 5 The data processing method provided in the embodiments of this application will be introduced. Next, the functions of the proxy device provided in the embodiments of this application and the computing device for implementing the proxy device will be introduced with reference to the accompanying drawings.
[0093] See Figure 6The diagram illustrates the structure of a proxy device 600 applied to a first computing device, in which REE and TEE are running. The proxy device 600 includes:
[0094] Acquisition module 601 is used for data processing requests, the data processing requests are used to request the execution of data processing operations in the TEE, and the data processing requests are generated by the virtualization instance;
[0095] Module 602 is invoked in response to the data processing request to invoke the target driver in the host operating system so that the virtualization instance can interact with the trusted application TA in the TEE, wherein the host operating system is used to construct the REE.
[0096] It should be understood that the device 600 of this application can be implemented by a central processing unit (CPU), an application-specific integrated circuit (ASIC), or a programmable logic device (PLD). The PLD can be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), a data processing unit (DPU), a system-on-chip (SoC), or any combination thereof. It can also be implemented in software. Figures 3 to 5 In the data processing method shown, the device 600 and its various modules can also be software modules.
[0097] In one possible implementation, the virtualization instance is deployed on the first computing device;
[0098] Alternatively, the virtualization instance may be deployed on a second computing device, which is connected to the first computing device.
[0099] In one possible implementation, when the virtualization instance is deployed on a second computing device, the second computing device has a different CPU architecture than the first device.
[0100] In one possible implementation, the virtualization instance includes an application, and the calling module 602 is specifically used for:
[0101] Based on the data processing request, verify whether the TA corresponding to the application is running in the TEE;
[0102] When the TA is running in the TEE, the target driver in the host operating system is called.
[0103] In one possible implementation, the agent device 600 further includes:
[0104] The upload module 603 is used to instruct the application to upload the TA corresponding to the application to the first computing device when the application is not running in the TEE.
[0105] In one possible implementation, the calling module 602 is specifically used for:
[0106] Parse the authentication information carried in the data processing request;
[0107] The virtualization instance is authenticated based on the authentication information.
[0108] When the virtualization instance passes the legitimacy authentication, the target driver in the host operating system is invoked.
[0109] In one possible implementation, the calling module 602 is specifically used for:
[0110] Select the first process from among multiple processes; this first process is used to implement the call to the target driver.
[0111] The first process is used to call the target driver for the virtual machine instance.
[0112] because Figure 6 The agent device 600 shown corresponds to Figure 3 as well as Figure 5 The method executed by the proxy device 200 in the illustrated embodiment, therefore Figure 6 The specific implementation of the agent device 600 and its technical effects can be found in the relevant descriptions in the foregoing embodiments, and will not be repeated here.
[0113] Figure 7 This is a schematic diagram of a computing device 700 provided in this application, which can realize the above-mentioned functions. Figure 3 as well as Figure 5 The method performed by the agent device 200 in the illustrated embodiment.
[0114] like Figure 7As shown, the computing device 700 includes a processor 701, a memory 702, and a communication interface 703. The processor 701, memory 702, and communication interface 703 communicate via a bus 704, or via wireless transmission or other means. The memory 702 stores instructions, and the processor 701 executes the instructions stored in the memory 702. Further, the computing device 700 may also include a memory unit 705, which is connected to the processor 701, the storage medium 702, and the communication interface 703 via the bus 704. The memory 702 stores program code, and the processor 701 can call the program code stored in the memory 702 to perform the following operations:
[0115] A data processing request is obtained, which is used to request the execution of a data processing operation in the TEE. The data processing request is generated by the virtualization instance and obtained through the agent device in the first computing device.
[0116] In response to the data processing request, the target driver in the host operating system is invoked to enable the virtualization instance to interact with the trusted application TA in the TEE, the host operating system being used to construct the REE.
[0117] It should be understood that in the embodiments of this application, processor 701 may be a CPU, or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete device assemblies, etc. General-purpose processors may be microprocessors or any conventional processors, etc.
[0118] Memory 702 may include read-only memory and random access memory, and provides instructions and data to processor 701. Memory 702 may also include non-volatile random access memory. For example, memory 702 may also store device type information.
[0119] The memory 702 can be volatile memory or non-volatile memory, or it can include both. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM).
[0120] The communication interface 703 is used for communication with other devices connected to the computing device 700. The bus 704 may include a data bus, a power bus, a control bus, and a status signal bus, etc. However, for clarity, all buses are labeled as bus 704 in the figure.
[0121] It should be understood that the computing device 700 according to the embodiments of this application may correspond to the agent device 600 in the embodiments of this application, and may correspond to the execution of the embodiment of this application. Figure 3 as well as Figure 5 The agent device 200 and the computing device 700 in the method shown implement the above and other operations and / or functions respectively to achieve Figure 3 as well as Figure 5 For the sake of brevity, the corresponding process of the Chinese method will not be elaborated here.
[0122] This application also provides a processor connected to a memory, which executes instructions stored in the memory to cause the processor to perform the above-described... Figure 3 as well as Figure 5 The data processing method executed by the agent device 200 in the illustrated embodiment.
[0123] This application also provides a chip, the chip including a processor and a power supply circuit, the processor being used to implement, for example... Figures 3 to 5 The operational steps of the data processing method executed by the agent device 200 in the method described above.
[0124] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.
[0125] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A data processing method, characterized in that, The method is applied to a first computing device, wherein a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE) are running in the first computing device, and the method includes: A data processing request is obtained, which is used to request the execution of a data processing operation in the TEE. The data processing request is generated by the virtualization instance and obtained through the agent device in the first computing device. Wherein, when the virtualization instance is deployed on the second computing device, the data processing request is transmitted to the agent device through the virtualization instance based on the remote procedure call protocol. The second computing device is connected to the first computing device, and the second computing device and the first computing device have different CPU architectures. In response to the data processing request, the target driver in the host operating system is invoked to enable the virtualization instance to interact with the trusted application TA in the TEE, the host operating system being used to construct the REE.
2. The method according to claim 1, characterized in that, The virtualization instance is also deployed on the first computing device.
3. The method according to claim 1 or 2, characterized in that, The virtualization instance includes an application, and the step of invoking a target driver in the host operating system in response to the data processing request includes: Based on the data processing request, verify whether the TA corresponding to the application is running in the TEE; When the TA is running in the TEE, the target driver in the host operating system is called.
4. The method according to claim 3, characterized in that, The method further includes: If the application corresponding to the TA is not running in the TEE, the application is instructed to upload the application corresponding to the TA to the first computing device.
5. The method according to claim 1, characterized in that, The step of responding to the data processing request by invoking the target driver in the host operating system includes: Parse the authentication information carried in the data processing request; The virtualization instance is authenticated based on the authentication information. When the virtualization instance passes the legitimacy authentication, the target driver in the host operating system is invoked.
6. An agent device, characterized in that, The proxy device is applied to a first computing device, in which a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE) are running. The proxy device includes: The acquisition module is used to acquire a data processing request, which is used to request the execution of a data processing operation in the TEE, and the data processing request is generated by the virtualization instance. Wherein, when the virtualization instance is deployed on the second computing device, the data processing request is transmitted to the agent device through the virtualization instance based on the remote procedure call protocol. The second computing device is connected to the first computing device, and the second computing device and the first computing device have different CPU architectures. The calling module is used to respond to the data processing request by calling the target driver in the host operating system so that the virtualization instance can interact with the trusted application TA in the TEE, and the host operating system is used to build the REE.
7. The agent device according to claim 6, characterized in that, The virtualization instance is also deployed on the first computing device.
8. A processor, characterized in that, The processor is connected to a memory and is configured to execute instructions stored in the memory to cause the processor to perform the steps of the method as described in any one of claims 1 to 5.
9. A computing device, characterized in that, Including processor and memory; The processor is configured to execute instructions stored in the memory to cause the computing device to perform the steps of the method as described in any one of claims 1 to 5.