TEE cluster implementation method, system, terminal and storage medium

By introducing a control bridge into the TEE cluster to perform trusted boot authentication and identity authentication, and to build trusted I/O channels and communication channels, the problem of untrusted interaction between the network card and the TEE environment in the TEE cluster is solved, thereby improving security and performance.

CN122268684APending Publication Date: 2026-06-23SHENZHEN CONFIDENTIAL COMPUTING TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN CONFIDENTIAL COMPUTING TECH CO LTD
Filing Date
2026-05-26
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

The existing TEE clusters have unreliable I/O paths for network cards to interact with the TEE environment, which makes it impossible to guarantee overall communication security.

Method used

By introducing a control bridge into the TEE cluster, trusted boot authentication and control bridge identity authentication are performed, a trusted I/O channel is built between the TEE environment and the network card device, and inter-node identity authentication and communication key exchange are performed through the TEE environment to establish a trusted communication channel between single TEE nodes.

Benefits of technology

It improves the security of TEE nodes and clusters, reduces the attack surface, enhances cluster performance, and enables secure RDMA communication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268684A_ABST
    Figure CN122268684A_ABST
Patent Text Reader

Abstract

The application belongs to the field of data communication, and discloses a TEE cluster implementation method, system, terminal and storage medium, wherein the TEE cluster comprises multiple single-TEE nodes, each single-TEE node comprises a TEE environment, a control bridge and a network card device; the method comprises: when the TEE cluster starts, performing trusted startup authentication and control bridge identity authentication on each single-TEE node in the TEE cluster; based on the control bridge, performing communication key exchange on the TEE environment and the network card device, and constructing a trusted IO channel between the TEE environment and the network card device; based on the trusted IO channel, performing inter-node identity authentication and communication key exchange on each single-TEE node through the TEE environment, and constructing a trusted communication channel between the single-TEE nodes. The application can effectively improve the security of the TEE nodes and the TEE cluster by adding the control bridge to construct the trusted IO channel.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data communication technology, and in particular to a method, system, terminal, and computer-readable storage medium for implementing a TEE cluster. Background Technology

[0002] A TEE cluster (Trusted Execution Environment Cluster) is a distributed, highly available, and scalable confidential computing cluster formed by networking multiple server nodes that support a hardware-level trusted execution environment (TEE environment) through a secure protocol.

[0003] However, the IO (Input / Output) path for the interaction between the network card and the TEE environment in the existing TEE cluster is unreliable, which means that the overall communication security of the TEE cluster cannot be guaranteed.

[0004] Therefore, existing technologies still need to be improved and developed. Summary of the Invention

[0005] The main objective of this invention is to provide a method, system, terminal, and computer-readable storage medium for implementing a TEE cluster, aiming to solve the problem in the prior art where the IO path for the interaction between the network card and the TEE environment in a TEE cluster is unreliable, thus leading to a lack of overall communication security for the TEE cluster.

[0006] To achieve the above objectives, the present invention provides a method for implementing a TEE cluster, the method comprising the following steps: When the TEE cluster starts, trusted boot authentication and control bridge identity authentication are performed on each individual TEE node in the TEE cluster. When both the trusted boot authentication and the control bridge authentication pass, the TEE environment and the network card device exchange communication keys based on the control bridge, and a trusted I / O channel is established between the TEE environment and the network card device. Based on the trusted IO channel, the TEE environment performs inter-node authentication and communication key exchange for each standalone TEE node, and constructs a trusted communication channel between the standalone TEE nodes.

[0007] Optionally, the implementation method of the TEE cluster, wherein when the TEE cluster starts, performing trusted boot authentication and control bridge identity authentication on each individual TEE node in the TEE cluster specifically includes: When the TEE cluster starts, the node identity information of each single TEE node in the TEE cluster is obtained, and the node identity information is verified by trusted startup using remote authentication to obtain the node identity authentication result. When the node identity authentication result is determined to be successful, the control bridge identity information of the control bridge in each single-machine TEE node is obtained, and the control bridge identity authentication process is performed on the control bridge according to the control bridge identity information to obtain the control bridge identity authentication result.

[0008] Optionally, the implementation method of the TEE cluster, wherein the step of performing control bridge identity authentication processing on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result specifically includes: Obtain the control bridge identity information of the control bridge in each of the single-machine TEE nodes, and perform identity recognition on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result; Alternatively, the control bridge can be remotely authenticated based on its identity information to obtain the control bridge authentication result; Alternatively, the control bridge can be identified and remotely authenticated based on its identity information to obtain the control bridge authentication result.

[0009] Optionally, the implementation method of the TEE cluster, wherein the step of remotely authenticating the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result specifically includes: A security status report is generated based on the control bridge identity information, and the security status report is signed using an authentication private key to obtain signature information; The signature information is verified using the authentication public key to obtain the verification result, and the verification result is used as the identity authentication result of the control bridge.

[0010] Optionally, the implementation method of the TEE cluster, wherein when both the trusted boot authentication and the control bridge authentication pass, communication key exchange is performed between the TEE environment and the network interface card (NIC) device based on the control bridge, and a trusted I / O channel is constructed between the TEE environment and the NIC device, specifically includes: When the authentication result of the control bridge is determined to be successful, the target communication key is obtained through the TEE environment, the target communication key is encrypted using the authentication public key to obtain the encrypted target communication key, and the TEE environment sends the encrypted target communication key to the control bridge. The control bridge uses the authentication private key to decrypt the encrypted target communication key to obtain the decrypted target communication key; Based on the decrypted target communication key, a trusted channel is constructed between the TEE environment and the control bridge to obtain a trusted I / O channel between the TEE environment and the control bridge, and the trusted I / O channel is used as the trusted I / O channel between the TEE environment and the network interface card device.

[0011] Optionally, the implementation method of the TEE cluster, wherein the step of performing inter-node authentication and communication key exchange for each single-machine TEE node through the TEE environment based on the trusted IO channel, and constructing a trusted communication channel between the single-machine TEE nodes, specifically includes: The TEE environment obtains the current node identity information corresponding to the single-machine TEE node and determines the target single-machine TEE node; The TEE environment, based on the trusted IO channel, sends the current node identity information to the target single-machine TEE node and obtains the target node identity information of the target single-machine TEE node; The TEE environment performs inter-node identity authentication processing on the current node identity information and the target node identity information using the remote authentication method. When the inter-node identity authentication processing is determined to be successful, the single-machine TEE node and the target single-machine TEE node are subjected to communication key exchange processing to obtain the inter-node communication key. A trusted channel is constructed between the single-machine TEE node and the target single-machine TEE node using the inter-node communication key, thereby obtaining a trusted communication channel between the single-machine TEE nodes.

[0012] Optionally, the implementation method of the TEE cluster, wherein, after performing inter-node authentication and communication key exchange for each of the single-machine TEE nodes through the TEE environment based on the trusted IO channel, and constructing a trusted communication channel between the single-machine TEE nodes, further includes: When the TEE cluster starts RDMA communication mode, the target management node in the TEE cluster is determined, and a unified RDMA communication encryption key is generated according to the target TEE environment in the target management node. The target management node sends the unified RDMA communication encryption key to each of the single-machine TEE nodes in the TEE cluster through the trusted communication channel; When the TEE environment in each of the single-machine TEE nodes receives the unified RDMA communication encryption key, the control bridge in each of the single-machine TEE nodes is configured through the trusted IO channel according to the unified RDMA communication encryption key, so as to realize the communication between the TEE environment in each of the single-machine TEE nodes and the network card device, as well as the RDMA communication of the TEE cluster.

[0013] Furthermore, to achieve the above objectives, the present invention also provides an implementation system for a TEE cluster, wherein the implementation system for the TEE cluster includes: The startup authentication module is used to perform trusted startup authentication and control bridge identity authentication on each individual TEE node in the TEE cluster when the TEE cluster starts up. A trusted I / O channel construction module is used to exchange communication keys between the TEE environment and the network card device based on the control bridge when both the trusted boot authentication and the control bridge identity authentication are passed, and to construct a trusted I / O channel between the TEE environment and the network card device. The trusted communication channel construction module is used to perform inter-node authentication and communication key exchange for each of the single-machine TEE nodes through the TEE environment based on the trusted IO channel, and to construct a trusted communication channel between the single-machine TEE nodes.

[0014] In addition, to achieve the above objectives, the present invention also provides a terminal, wherein the terminal includes: a memory, a processor, and an implementation program of a TEE cluster stored in the memory and executable on the processor, wherein when the TEE cluster implementation program is executed by the processor, it implements the steps of the TEE cluster implementation method as described above.

[0015] In addition, to achieve the above objectives, the present invention also provides a computer-readable storage medium, wherein the computer-readable storage medium stores an implementation program of a TEE cluster, and the implementation program of the TEE cluster, when executed by a processor, implements the steps of the TEE cluster implementation method as described above.

[0016] In this invention, when the TEE cluster starts, each individual TEE node in the TEE cluster undergoes trusted boot authentication and control bridge authentication. When both trusted boot authentication and control bridge authentication pass, communication key exchange is performed between the TEE environment and the network interface card (NIC) device based on the control bridge, and a trusted I / O channel is established between the TEE environment and the NIC device. Based on the trusted I / O channel, inter-node authentication and communication key exchange are performed on each individual TEE node through the TEE environment, and a trusted communication channel is established between the individual TEE nodes. This invention, by adding a control bridge between the TEE environment and the NIC device, and thereby establishing a trusted I / O channel between the TEE environment and the NIC device, as well as a trusted communication channel between individual TEE nodes, effectively improves the security of TEE nodes and the TEE cluster. Attached Figure Description

[0017] Figure 1This is a flowchart of a preferred embodiment of the TEE cluster implementation method of the present invention; Figure 2 This is a schematic diagram of the system architecture of a preferred embodiment of the TEE cluster implementation method of the present invention; Figure 3 This is a structural diagram of a preferred embodiment of the TEE cluster implementation system of the present invention; Figure 4 This is a structural diagram of a preferred embodiment of the terminal of the present invention. Detailed Implementation

[0018] To make the objectives, technical solutions, and advantages of this invention clearer and more explicit, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

[0019] A TEE cluster (Trusted Execution Environment Cluster) is a distributed, highly available, and scalable confidential computing cluster formed by networking multiple server nodes that support a hardware-level trusted execution environment (TEE environment) through a secure protocol.

[0020] The existing TEE clusters have the following drawbacks: 1. In traditional TEE clusters, the IO path for interaction between the network card and the TEE environment is not trustworthy (this is because the DMA (Direct Memory Access) of the NIC (Network Interface Controller, also often called a network card or network adapter) is not encrypted, and the TEE accesses the hardware resources of the NIC in plaintext, which presents a large number of attack surfaces). The security of communication between clusters can only be guaranteed by the data transmission security protocol at the software layer.

[0021] 2. In traditional TEE clusters, communication between nodes is encrypted using software, which significantly impacts cluster performance. Some current approaches offload the encryption, authentication, and key negotiation processes between TEE nodes to the network interface card (NIC), implementing these functions in hardware (but this requires redesigning existing NICs to add the necessary functionality). Furthermore, traditional TEE clusters rely heavily on the NIC, which is itself highly complex, with firmware vulnerabilities far exceeding those of CPU TEEs, drastically increasing security risks.

[0022] 3. Communication between mainstream TEE nodes (such as SGX, TDX, SEV, TrustZone, etc.) uses an unreliable I / O path for interaction between the network card and the TEE environment, and relies on software encryption and decryption. Currently, leading manufacturers are exploring a solution: offloading all encryption, authentication, and key negotiation between TEEs to the network card hardware to address the performance issues of software encryption and decryption.

[0023] To address the aforementioned issues, this invention provides a method for implementing a TEE cluster. By adding a control bridge, a trusted I / O channel with the NIC is established, significantly reducing the attack surface of the current TEE cluster and effectively improving the security of nodes and the cluster as a whole. This invention relates to the fields of TEE clusters, device sharing, RDMA, and confidential computing.

[0024] The purpose of this invention: 1. This invention enables secure virtualization and use of the network card within a single machine's TEE environment by setting up a control bridge. Based on this, a multi-TEE node cluster is established, effectively solving the problem of unreliable I / O paths in traditional TEE clusters and the interaction between the network card and the TEE environment.

[0025] 2. The control bridge set in this invention focuses solely on providing security capabilities (including hardware encryption and decryption, authentication, and key negotiation, etc.). Its functions are much simpler than those of a network card, and its design is also more concise. While achieving the same performance as a trusted network card, it can effectively reduce security risks.

[0026] 3. The use of the control bridge in this invention is applicable to any network card and does not require redesigning existing network cards.

[0027] The preferred embodiment of the present invention describes the implementation method of a TEE cluster, such as... Figure 1 and Figure 2 As shown, the implementation method of the TEE cluster includes the following steps: Step S10: When the TEE cluster starts, perform trusted startup authentication and control bridge identity authentication on each individual TEE node in the TEE cluster.

[0028] like Figure 2 As shown, the TEE cluster includes multiple single-machine TEE nodes. Each single-machine TEE node includes a TEE environment, a control bridge, and a network interface card (NIC) device, which is plugged into the control bridge.

[0029] Before the TEE cluster is officially started, it is necessary to authenticate each individual TEE node in the TEE cluster and the control bridge set in the individual TEE node to improve the security of the TEE cluster startup.

[0030] Specifically, when the TEE cluster starts, the node identity information of each single-machine TEE node in the TEE cluster is obtained, and the node identity information is used for trusted startup authentication using a remote authentication method to obtain the node identity authentication result; when the node identity authentication result is determined to be successful, the control bridge identity information of the control bridge in each single-machine TEE node is obtained, and the control bridge is identified based on the control bridge identity information to obtain the control bridge identity authentication result; or a security status report is generated based on the control bridge identity information, and the security status report is signed using an authentication private key to obtain signature information; the signature information is verified using an authentication public key to obtain a verification result, and the verification result is used as the control bridge identity authentication result; or the control bridge is identified and remotely authenticated based on the control bridge identity information to obtain the control bridge identity authentication result.

[0031] The node identity information of a single TEE node includes network ID, hardware certificate, metric hash, and corresponding key.

[0032] The following describes the use of network interface cards (NICs) in a TEE environment: A TEE environment can be an independent trusted execution environment (TEE) like an SPU, or a trusted virtual machine environment like a SEV / TDX. When using an SPU as the TEE environment, a NIC device is virtualized within the environment; when using SEV / TDX, a trusted I / O channel is established between the TEE environment and the actual NIC device by controlling the NIC device, thus enabling secure and trusted use of the NIC.

[0033] When RDMA communication is required between TEE nodes, secure RDMA communication between nodes is achieved by constructing a trusted communication channel.

[0034] The trusted startup process for a TEE cluster is as follows: When the TEE cluster starts, the TEE environment within each node (i.e., the single-machine TEE node in this invention) first completes its own trusted boot (i.e., trusted boot authentication in this invention, which may include remote verification of its own identity). According to the control bridge protocol, the "control bridge" enters the authentication state and completes the identity authentication of the control bridge (i.e., the identity authentication of the control bridge in this invention). If necessary, it can request the security status report of the control bridge (the content of the security status report includes, but is not limited to: information of the virtual device, the address information of the connecting bridge EP1, and the control register, etc.) and complete remote authentication.

[0035] Understandably, when the control bridge is powered on, it will automatically enter the initialization state and complete trusted boot. The trusted boot process includes: 1. Checking necessary parameters; if firmware or software exists, measuring the firmware and software. 2. After successful trusted boot, establishing a startup flag and ensuring that the connected virtual device is properly reset. This can be achieved through PCIe hardware reset, logic reset, or by powering down the control device. 3. The connecting bridge obtains the authentication public key from the control bridge, and after the startup flag is valid and an initialization completion command is received, the control bridge enters the usable state.

[0036] Furthermore, after the control bridge enters the available state, if it receives a command to start a non-secure task, it enters the non-secure task running state. In this state, the control bridge cannot use any security functions, such as authentication, data encryption / decryption, and flow control. Upon receiving a command to stop a non-secure task, it enters the initialization state. Conversely, if it receives a command to start a secure task, the control bridge enters the authentication state, where it performs authentication and obtains the communication key.

[0037] In this invention, the authentication of each standalone TEE node includes either remote authentication or identity verification. Therefore, each standalone TEE node and the control bridge can choose remote authentication to determine the legitimacy of the control bridge's identity; the control bridge can also choose an industry-recognized identity verification method, such as the national standard GB / T15843.3-2016. Of course, in some implementations, remote authentication and identity verification can be combined for more accurate authentication of the control bridge.

[0038] Furthermore, upon receiving a security status report request, the control bridge locks security-related configuration parameters, including but not limited to: virtual device information, bridge EP1 address information, and control registers. Then, it uses the locked parameters as part of the security status report, signs the report using its authentication private key, and sends it to the network interface card (NIC). Upon receiving the security status report, the NIC verifies the signature using the control bridge's authentication public key. If the verification is successful, the NIC evaluates the security status report to determine whether the control bridge is in a secure state.

[0039] Step S20: When both the trusted boot authentication and the control bridge authentication are successful, the TEE environment and the network card device exchange communication keys based on the control bridge, and a trusted I / O channel is established between the TEE environment and the network card device.

[0040] To achieve encrypted and secure communication between the TEE environment and the network card device, a control bridge is set up in this invention. The control bridge is located between the TEE environment and the network card device. By setting up the control bridge, the communication keys between the TEE environment and the network card device can be exchanged, thereby constructing a trusted IO channel between the TEE environment and the network card device. The trusted IO channel enables secure and reliable use of the network card device.

[0041] Specifically, when the authentication result of the control bridge is passed, the target communication key is obtained through the TEE environment, and the target communication key is encrypted using the authentication public key to obtain the encrypted target communication key. The TEE environment then sends the encrypted target communication key to the control bridge. The control bridge decrypts the encrypted target communication key using the authentication private key to obtain the decrypted target communication key. Based on the decrypted target communication key, a trusted channel is constructed between the TEE environment and the control bridge to obtain a trusted I / O channel between the TEE environment and the control bridge. This trusted I / O channel is then used as the trusted I / O channel between the TEE environment and the network interface card (NIC) device.

[0042] It is understood that this invention completes the communication key exchange (such as using the SM2 key exchange protocol) according to the control bridge protocol, allowing the "control bridge" to enter the running secure task state, thereby enabling the TEE environment to establish a trusted IO channel with the network card through the control bridge.

[0043] The control bridge obtains a communication key upon request from the network interface card (NIC). This key can be negotiated between the NIC and the control bridge, using algorithms such as the DH algorithm or the SM2 key exchange protocol; or the NIC can directly distribute the key, in which case it uses the control bridge's authentication public key to encrypt it. After successfully obtaining the communication key, the control bridge enters a secure task state. Based on this key, it encrypts all data output to the TEE environment bus and decrypts all data input to the NIC bus.

[0044] Then, the communication key exchange between the TEE environment and the network card device can be completed based on the decrypted key, thereby constructing a trusted I / O channel between the TEE environment and the network card device.

[0045] Step S30: Based on the trusted IO channel, perform inter-node authentication and communication key exchange for each standalone TEE node through the TEE environment, and construct a trusted communication channel between the standalone TEE nodes.

[0046] Once the trusted I / O channel is established, an encrypted and secure channel between the TEE environment and the network card device is realized. In order to enable communication between each standalone TEE node, a trusted communication channel needs to be built. Before building a trusted communication channel, the TEE environment needs to perform inter-node authentication and communication key exchange on each standalone TEE node. Only when authentication and key exchange are successful can the construction of the trusted communication channel be completed.

[0047] Specifically, the TEE environment obtains the current node identity information of the corresponding standalone TEE node and determines the target standalone TEE node; the TEE environment sends the current node identity information to the target standalone TEE node based on the trusted IO channel, and obtains the target node identity information of the target standalone TEE node; the TEE environment performs inter-node identity authentication processing on the current node identity information and the target node identity information respectively using the remote authentication method; when the inter-node identity authentication processing is determined to be successful, the standalone TEE node and the target standalone TEE node perform communication key exchange processing to obtain an inter-node communication key; a trusted channel is constructed between the standalone TEE node and the target standalone TEE node using the inter-node communication key to obtain a trusted communication channel between the standalone TEE nodes.

[0048] It is understood that in this invention, each TEE node in the TEE cluster completes mutual authentication and communication key exchange through network interface card devices, thereby establishing a trusted communication channel between TEE nodes, and finally completing the trusted startup of the entire cluster through the trusted communication channel.

[0049] Based on the trusted I / O channel, this invention enables the network interface card (NIC) device to obtain the current node identity information of the corresponding standalone TEE node. The trusted I / O channel is a pre-established hardware-level isolated communication link between the NIC device and the standalone TEE node, jointly maintained by the NIC firmware and the TEE kernel. It possesses basic security features such as encrypted data transmission, anti-tampering, and anti-eavesdropping, effectively preventing the theft or alteration of node identity information during transmission. The NIC device proactively initiates an identity information retrieval request to the standalone TEE node by calling a preset identity information reading interface in its own firmware. After the request is encrypted and verified by the trusted I / O channel, the standalone TEE node extracts complete current node identity information from its trusted execution environment (TEE environment), including basic network identity (Node ID, node IP / port, UUID, etc.) and hardware trusted root identity (PCK certificate chain, MR). The identity information includes Signer hash, encryption key identity (TEE environment public / private key pair, AK proof key, etc.), environment metric identity (RTMR measurement hash, TCB trust baseline, etc.), and cluster role and permission information. All identity information carries the digital signature of the TEE node to ensure the authenticity of the information source. Then, the complete current node identity information is fed back to the network card device through the trusted IO channel. The network card device performs preliminary format verification and signature integrity verification on the received identity information. After confirming that there are no errors, it completes the acquisition of the current node identity information.

[0050] First, the network interface card (NIC) device determines the corresponding target single-machine TEE node based on the cluster network configuration (such as the node routing table and the node list agreed upon by the cluster consensus protocol) and communication requirements. The selection of the target node must be verified by the cluster access whitelist to ensure that the target node is a legitimate TEE node that has been registered within the cluster. Then, the NIC device re-encrypts the current node's identity information (using a temporary encryption key built into the NIC firmware) and sends the encrypted current node's identity information to the target single-machine TEE node through a pre-set secure transmission link within the cluster (relying on the NIC's DMA hardware acceleration capability to reduce CPU usage and improve transmission efficiency). After receiving the information, the target single-machine TEE node decrypts the information through its own trusted I / O channel and performs a preliminary verification of the format, signature, and cluster access permissions of the current node's identity information. After the verification is passed, it extracts the complete target node's identity information (consistent with the composition of the current node's identity information) from its own TEE environment, also carrying its own digital signature, and feeds it back to the NIC device that initiated the request through the trusted I / O channel. After receiving the information, the NIC device completes the acquisition of the target node's identity information and performs another preliminary verification of the format and signature to ensure the integrity and traceability of the identity information at both ends.

[0051] The network interface card (NIC) device performs inter-node authentication processing on the current node's identity information and the target node's identity information using the remote authentication method. When the inter-node authentication process is deemed successful, a communication key exchange is performed between the single-machine TEE node and the target single-machine TEE node to obtain an inter-node communication key. The remote authentication method uses a common remote proof protocol for TEE clusters (such as Intel TDX's Quote remote proof or AMDSEV-SNP's Attestation proof). The NIC device acts as an authentication intermediary, coordinating the identity verification between the two nodes. The process is as follows: First, the NIC device extracts core authentication elements from the current and target node identity information, including the hardware trusted root certificate (PCK certificate chain), environment metric hash (RTMR), and AK proof key. Second, the NIC device calls the remote authentication service to verify the legality of the hardware trusted root of both nodes (verifying whether the PCK certificate chain was issued by an authoritative CA and is within its validity period) and to verify the consistency of the environment metric hash (confirming that the TEE firmware, OS image, and application of both nodes have not been tampered with). The system uses a combined cluster TCB trust baseline and verifies the validity of the digital signatures of both nodes using the AK proof key to confirm that the identity information has not been forged. If all verification items pass, the inter-node identity authentication is deemed successful. At this point, the network interface card (NIC) device initiates a key exchange process, using a secure key negotiation protocol (such as ECC key exchange or IKE protocol) to coordinate the generation of temporary key pairs by the current node and the target node. The public key is exchanged through the encrypted transmission link of the NIC device, and combined with the private key of the TEE environment of both nodes, a unique inter-node communication key is calculated. This communication key is jointly stored by the NIC device and both TEE nodes and is only valid in this communication session. It is automatically destroyed after the session ends to ensure the security and timeliness of the key.

[0052] Furthermore, after the inter-node communication key is generated, the network interface card (NIC) synchronizes the key to both the current and target single-machine TEE nodes. The synchronization process uses a trusted I / O channel for encrypted transmission to prevent key leakage. Subsequently, the NIC initiates the trusted channel construction process, configuring encryption rules (using high-strength encryption algorithms such as AES) and integrity verification rules (using SHA-256 hash verification) for the communication link. It also enables the hardware acceleration function of the NIC firmware (relying on the NIC's DMA capability to achieve high-speed transmission of encrypted data and reduce CPU load). Simultaneously, the NIC sends the inter-node communication key to the Node.js keys of both ends. IDs and UUIDs are bound together to ensure that the key is used only for communication between the two nodes in this instance, preventing the key from being illegally reused. After construction, the trusted communication channel has three core characteristics: first, identity legitimacy, only nodes that have passed identity authentication can access the channel; second, data confidentiality, all transmitted data is encrypted using the inter-node communication key, which cannot be decrypted externally; and third, data integrity, hash verification prevents data from being tampered with during transmission. In addition, the network card device will monitor the channel status in real time and synchronize the heartbeat information of the two nodes. If key leakage, abnormal node identity, or channel interruption is detected, the current communication key will be destroyed immediately, the channel communication will be terminated, and the identity authentication and key exchange process will be retried to ensure that the communication between individual TEE nodes is in a trusted and secure isolated environment throughout the entire process, supporting the core business of TEE cluster consensus synchronization, data interaction, etc.

[0053] Furthermore, when the TEE cluster starts the RDMA communication mode, it obtains a unified RDMA communication encryption key and configures the control bridge in each of the single TEE nodes according to the unified RDMA communication encryption key based on the trusted communication channel to complete the RDMA communication of the TEE cluster.

[0054] RDMA, or Remote Direct Memory Access, is a high-speed network technology that allows one machine to directly read and write the memory of another. When a TEE cluster needs to initiate RDMA communication mode, the target management node in the TEE cluster generates a unified RDMA communication encryption key. This key is then sent to the TEE environment in each individual TEE node via a trusted communication channel and a trusted I / O channel. The TEE environment then configures the control bridge according to the unified RDMA encryption key, completing communication with the network interface card (NIC) and thus achieving secure communication throughout the entire TEE cluster.

[0055] Specifically, when the TEE cluster initiates RDMA communication mode, a target management node in the TEE cluster is identified, and a unified RDMA communication encryption key is generated based on the target TEE environment in the target management node. The target management node sends the unified RDMA communication encryption key to each individual TEE node in the TEE cluster through the trusted communication channel. After receiving the unified RDMA communication encryption key, the TEE environment in each individual TEE node configures the control bridge in each individual TEE node according to the unified RDMA communication encryption key through the trusted I / O channel, thereby enabling communication between the TEE environment in each individual TEE node and the network interface card (NIC) device, as well as RDMA communication of the TEE cluster. Further, the unified RDMA communication encryption key is used to enhance the security of application data transmitted between each individual TEE node.

[0056] The specific implementation process of the RDMA communication mode set in this invention is as follows: After enabling the RDMA communication mode in the TEE cluster, the TEE environment of the Master node of the TEE cluster (i.e., the target management node in this invention) generates an RDMA data key (i.e., the unified RDMA communication encryption key in this invention) and distributes the key through a trusted communication channel between TEE nodes. After receiving the RDMA data key, each node's TEE environment configures the control bridge through a trusted I / O channel with the control bridge. Through this method, the keys of each control bridge participating in RDMA communication are consistent, thereby ensuring smooth RDMA communication within the cluster.

[0057] After the control bridge enters the safe operation state, it acquires the transmission data between the TEE environment bus and the network interface card (NIC). If the transmission data is application data for RDMA transmission, a specific communication key (i.e., the unified RDMA communication encryption key in this invention) is acquired. The application data for RDMA transmission includes memory data that has been registered in memory. Based on the specific communication key, security enhancement processing is performed on the application data for RDMA transmission. This security enhancement processing is independent of the communication security processing between the TEE environment bus and the NIC. This invention, through security enhancement processing, can solve the data security problem during the RDMA operation process of the NIC using the TEE environment.

[0058] Furthermore, in practical applications, this invention can also be configured to rotate the key to further enhance data security.

[0059] The present invention has the following effects: 1. This invention enables secure virtualization and use of network cards in a standalone TEE environment.

[0060] 2. This invention enables secure RDMA communication between TEE nodes.

[0061] 3. This invention increases the security of TEE nodes and clusters while also improving cluster performance.

[0062] In summary, the key technical points or points to be protected in this invention include: 1. This invention provides a method for implementing a TEE cluster (Trusted Execution Environment Cluster, which is a distributed, highly available, and scalable confidential computing cluster formed by networking multiple server nodes supporting hardware-level Trusted Execution Environments (TEEs) through a secure protocol. It extends the security isolation capabilities of a single node to the entire cluster, enabling large-scale, distributed, data-available but invisible secure computing). The cluster consists of multiple single-machine TEE nodes that communicate with each other over a network. This invention adds a control bridge to the network interface card (NIC) device to ensure a trusted I / O channel is established between the TEE and the NIC within a node, greatly reducing the attack surface of the TEE nodes and improving the security of the TEE nodes and the entire TEE cluster. The RDMA security enhancement function of the control bridge enables secure and trusted RDMA communication between TEE nodes within the cluster, significantly improving the implementation efficiency and performance of the TEE cluster. In the traditional TEE (Telecommunication Equipment) mode where it directly uses the NIC (Network Interface Controller, also commonly known as a network card or network adapter), the NIC's DMA (Direct Memory Access) is unencrypted, and the TEE's access to the NIC's hardware resources is also in plaintext. The host can see the DMA descriptor and buffer, thus allowing for sophisticated side-channel attacks by controlling the DMA sequence, observing traffic timing, and performing DMA replay. Using the method of this invention, secure and reliable communication between the NIC and TEE is achieved by setting up a control bridge. The TEE's access to the NIC's hardware resources is encrypted, and DMA operations are also encrypted, preventing the host from manipulating DMA details or performing DMA replay attacks.

[0063] 2. During cluster startup, each TEE node first completes its own trusted boot process (which may include remote authentication of its own identity), authenticates the control bridge connected to the network interface card (which may include remote authentication of the control bridge itself), and exchanges communication keys, establishing a trusted I / O channel. Within the cluster, each TEE node completes inter-node authentication (which may include remote authentication of the node's identity) and exchanges communication keys through its securely connected network interface card, establishing a trusted communication channel between TEE nodes, ultimately completing the trusted boot of the entire cluster.

[0064] 3. After enabling RDMA (Remote Direct Memory Access, a high-speed network technology that allows one machine to directly read and write memory to another) communication mode in the cluster, each node in the cluster obtains a unified RDMA communication encryption key. For example, if the cluster has a management node, the key can be securely generated by the management node's TEE and distributed to the TEE environments of each node through a trusted communication channel. Each node's TEE environment then configures the control bridge through a trusted I / O channel with the control bridge. This ensures that the keys of all control bridges participating in RDMA communication are consistent, thereby guaranteeing smooth RDMA communication within the cluster.

[0065] Furthermore, such as Figure 3 As shown, based on the above-described method for implementing a TEE cluster, this invention also provides a corresponding system for implementing a TEE cluster, wherein the system for implementing a TEE cluster includes: The startup authentication module 51 is used to perform trusted startup authentication and control bridge identity authentication on each single TEE node in the TEE cluster when the TEE cluster starts. The trusted I / O channel construction module 52 is used to exchange communication keys between the TEE environment and the network card device based on the control bridge when the trusted boot authentication and the control bridge identity authentication are both passed, and to construct a trusted I / O channel between the TEE environment and the network card device. The trusted communication channel construction module 53 is used to perform inter-node authentication and communication key exchange for each of the single-machine TEE nodes through the TEE environment based on the trusted IO channel, and to construct a trusted communication channel between the single-machine TEE nodes.

[0066] Furthermore, such as Figure 4 As shown, based on the above-mentioned TEE cluster implementation method and system, the present invention also provides a terminal, which includes a processor 10, a memory 20 and a display 30. Figure 4 Only some of the terminal components are shown; however, it should be understood that it is not required to implement all of the components shown, and more or fewer components may be implemented instead.

[0067] In some embodiments, the memory 20 may be an internal storage unit of the terminal, such as a hard disk or memory. In other embodiments, the memory 20 may be an external storage device of the terminal, such as a plug-in hard disk, smart media card (SMC), secure digital card (SD), flash card, etc. Further, the memory 20 may include both internal and external storage devices. The memory 20 is used to store application software and various types of data installed on the terminal, such as the program code installed on the terminal. The memory 20 can also be used to temporarily store data that has been output or will be output. In one embodiment, the memory 20 stores an implementation program 40 for a TEE cluster, which can be executed by the processor 10 to implement the TEE cluster implementation method of this application.

[0068] In some embodiments, the processor 10 may be a central processing unit (CPU), a microprocessor, or other data processing chip, used to run program code stored in the memory 20 or process data, such as executing the implementation method of the TEE cluster.

[0069] In some embodiments, the display 30 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, or an OLED (Organic Light-Emitting Diode) touchscreen. The display 30 is used to display information on the terminal and to display a visual user interface.

[0070] In one embodiment, when the processor 10 executes the TEE cluster implementation program 40 in the memory 20, it implements the following steps of the TEE cluster implementation method: When the TEE cluster starts, trusted boot authentication and control bridge identity authentication are performed on each individual TEE node in the TEE cluster. When both the trusted boot authentication and the control bridge authentication pass, the TEE environment and the network card device exchange communication keys based on the control bridge, and a trusted I / O channel is established between the TEE environment and the network card device. Based on the trusted IO channel, the TEE environment performs inter-node authentication and communication key exchange for each standalone TEE node, and constructs a trusted communication channel between the standalone TEE nodes.

[0071] Specifically, when the TEE cluster starts, performing trusted boot authentication and control bridge identity authentication on each individual TEE node in the TEE cluster includes: When the TEE cluster starts, the node identity information of each single TEE node in the TEE cluster is obtained, and the node identity information is verified by trusted startup using remote authentication to obtain the node identity authentication result. When the node identity authentication result is determined to be successful, the control bridge identity information of the control bridge in each single-machine TEE node is obtained, and the control bridge identity authentication process is performed on the control bridge according to the control bridge identity information to obtain the control bridge identity authentication result.

[0072] Specifically, the step of performing control bridge identity authentication processing on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result includes: Obtain the control bridge identity information of the control bridge in each of the single-machine TEE nodes, and perform identity recognition on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result; Alternatively, the control bridge can be remotely authenticated based on its identity information to obtain the control bridge authentication result; Alternatively, the control bridge can be identified and remotely authenticated based on its identity information to obtain the control bridge authentication result.

[0073] Specifically, the step of remotely authenticating the control bridge based on its identity information to obtain the control bridge authentication result includes: A security status report is generated based on the control bridge identity information, and the security status report is signed using an authentication private key to obtain signature information; The signature information is verified using the authentication public key to obtain the verification result, and the verification result is used as the identity authentication result of the control bridge.

[0074] Specifically, when both the trusted boot authentication and the control bridge authentication pass, the communication key exchange between the TEE environment and the network interface card (NIC) device is performed based on the control bridge, and a trusted I / O channel is established between the TEE environment and the NIC device. This includes: When the authentication result of the control bridge is determined to be successful, the target communication key is obtained through the TEE environment, the target communication key is encrypted using the authentication public key to obtain the encrypted target communication key, and the TEE environment sends the encrypted target communication key to the control bridge. The control bridge uses the authentication private key to decrypt the encrypted target communication key to obtain the decrypted target communication key; Based on the decrypted target communication key, a trusted channel is constructed between the TEE environment and the control bridge to obtain a trusted I / O channel between the TEE environment and the control bridge, and the trusted I / O channel is used as the trusted I / O channel between the TEE environment and the network interface card device.

[0075] Specifically, the step of performing inter-node authentication and communication key exchange for each standalone TEE node based on the trusted IO channel through the TEE environment, and constructing a trusted communication channel between the standalone TEE nodes, includes: The TEE environment obtains the current node identity information corresponding to the single-machine TEE node and determines the target single-machine TEE node; The TEE environment, based on the trusted IO channel, sends the current node identity information to the target single-machine TEE node and obtains the target node identity information of the target single-machine TEE node; The TEE environment performs inter-node identity authentication processing on the current node identity information and the target node identity information using the remote authentication method. When the inter-node identity authentication processing is determined to be successful, the single-machine TEE node and the target single-machine TEE node are subjected to communication key exchange processing to obtain the inter-node communication key. A trusted channel is constructed between the single-machine TEE node and the target single-machine TEE node using the inter-node communication key, thereby obtaining a trusted communication channel between the single-machine TEE nodes.

[0076] The step of performing inter-node authentication and communication key exchange for each standalone TEE node based on the trusted I / O channel through the TEE environment, and constructing a trusted communication channel between the standalone TEE nodes, further includes: When the TEE cluster starts RDMA communication mode, the target management node in the TEE cluster is determined, and a unified RDMA communication encryption key is generated according to the target TEE environment in the target management node. The target management node sends the unified RDMA communication encryption key to each of the single-machine TEE nodes in the TEE cluster through the trusted communication channel; When the TEE environment in each of the single-machine TEE nodes receives the unified RDMA communication encryption key, the control bridge in each of the single-machine TEE nodes is configured through the trusted IO channel according to the unified RDMA communication encryption key, so as to realize the communication between the TEE environment in each of the single-machine TEE nodes and the network card device, as well as the RDMA communication of the TEE cluster.

[0077] The present invention also provides a computer-readable storage medium, wherein the computer-readable storage medium stores an implementation program of a TEE cluster, and the implementation program of the TEE cluster, when executed by a processor, implements the steps of the TEE cluster implementation method as described above.

[0078] In summary, this invention provides a method, system, terminal, and storage medium for implementing a TEE cluster. The method includes: when the TEE cluster starts, performing trusted boot authentication and control bridge authentication on each individual TEE node in the TEE cluster; when both trusted boot authentication and control bridge authentication are successful, exchanging communication keys between the TEE environment and the network interface card (NIC) device based on the control bridge, and constructing a trusted I / O channel between the TEE environment and the NIC device; based on the trusted I / O channel, performing inter-node authentication and communication key exchange on each individual TEE node through the TEE environment, and constructing a trusted communication channel between the individual TEE nodes. This invention, by adding a control bridge between the TEE environment and the NIC device, thereby constructing a trusted I / O channel between the TEE environment and the NIC device, and a trusted communication channel between individual TEE nodes, can effectively improve the security of TEE nodes and the TEE cluster.

[0079] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal that includes that element.

[0080] Of course, those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware (such as a processor, controller, etc.). The program can be stored in a computer-readable storage medium, and when executed, it can include the processes described in the above method embodiments. The computer-readable storage medium can be a memory, magnetic disk, optical disk, etc.

[0081] It should be understood that the application of the present invention is not limited to the examples above. Those skilled in the art can make improvements or modifications based on the above description, and all such improvements and modifications should fall within the protection scope of the appended claims.

Claims

1. A method for implementing a TEE cluster, characterized in that, The TEE cluster includes multiple single-machine TEE nodes. Each single-machine TEE node includes a TEE environment, a control bridge, and a network interface card (NIC) device. The NIC device is plugged into the control bridge. The implementation method of the TEE cluster includes: When the TEE cluster starts, trusted boot authentication and control bridge identity authentication are performed on each individual TEE node in the TEE cluster. When both the trusted boot authentication and the control bridge authentication pass, the TEE environment and the network card device exchange communication keys based on the control bridge, and a trusted I / O channel is established between the TEE environment and the network card device. Based on the trusted IO channel, the TEE environment performs inter-node authentication and communication key exchange for each standalone TEE node, and constructs a trusted communication channel between the standalone TEE nodes.

2. The implementation method of the TEE cluster according to claim 1, characterized in that, When the TEE cluster starts, the trusted startup authentication and control bridge identity authentication are performed on each individual TEE node in the TEE cluster, specifically including: When the TEE cluster starts, the node identity information of each single TEE node in the TEE cluster is obtained, and the node identity information is verified by trusted startup using remote authentication to obtain the node identity authentication result. When the node identity authentication result is determined to be successful, the control bridge identity information of the control bridge in each single-machine TEE node is obtained, and the control bridge identity authentication process is performed on the control bridge according to the control bridge identity information to obtain the control bridge identity authentication result.

3. The implementation method of the TEE cluster according to claim 2, characterized in that, The step of performing control bridge identity authentication processing on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result specifically includes: Obtain the control bridge identity information of the control bridge in each of the single-machine TEE nodes, and perform identity recognition on the control bridge based on the control bridge identity information to obtain the control bridge identity authentication result; Alternatively, the control bridge can be remotely authenticated based on its identity information to obtain the control bridge authentication result; Alternatively, the control bridge can be identified and remotely authenticated based on its identity information to obtain the control bridge authentication result.

4. The implementation method of the TEE cluster according to claim 3, characterized in that, The step of remotely authenticating the control bridge based on its identity information to obtain the control bridge authentication result specifically includes: A security status report is generated based on the control bridge identity information, and the security status report is signed using an authentication private key to obtain signature information; The signature information is verified using the authentication public key to obtain the verification result, and the verification result is used as the identity authentication result of the control bridge.

5. The implementation method of the TEE cluster according to claim 4, characterized in that, When both the trusted boot authentication and the control bridge authentication pass, the TEE environment and the network interface card (NIC) device exchange communication keys based on the control bridge, and a trusted I / O channel is established between the TEE environment and the NIC device, specifically including: When the authentication result of the control bridge is determined to be successful, the target communication key is obtained through the TEE environment, the target communication key is encrypted using the authentication public key to obtain the encrypted target communication key, and the TEE environment sends the encrypted target communication key to the control bridge. The control bridge uses the authentication private key to decrypt the encrypted target communication key to obtain the decrypted target communication key; Based on the decrypted target communication key, a trusted channel is constructed between the TEE environment and the control bridge to obtain a trusted I / O channel between the TEE environment and the control bridge, and the trusted I / O channel is used as the trusted I / O channel between the TEE environment and the network interface card device.

6. The implementation method of the TEE cluster according to claim 2, characterized in that, The step of performing inter-node authentication and communication key exchange for each standalone TEE node based on the trusted I / O channel through the TEE environment, and constructing a trusted communication channel between the standalone TEE nodes, specifically includes: The TEE environment obtains the current node identity information corresponding to the single-machine TEE node and determines the target single-machine TEE node; The TEE environment, based on the trusted IO channel, sends the current node identity information to the target single-machine TEE node and obtains the target node identity information of the target single-machine TEE node; The TEE environment performs inter-node identity authentication processing on the current node identity information and the target node identity information using the remote authentication method. When the inter-node identity authentication processing is determined to be successful, the single-machine TEE node and the target single-machine TEE node are subjected to communication key exchange processing to obtain the inter-node communication key. A trusted channel is constructed between the single-machine TEE node and the target single-machine TEE node using the inter-node communication key, thereby obtaining a trusted communication channel between the single-machine TEE nodes.

7. The implementation method of the TEE cluster according to claim 1, characterized in that, The step of performing inter-node authentication and communication key exchange for each standalone TEE node based on the trusted I / O channel through the TEE environment, and constructing a trusted communication channel between the standalone TEE nodes, further includes: When the TEE cluster starts RDMA communication mode, the target management node in the TEE cluster is determined, and a unified RDMA communication encryption key is generated according to the target TEE environment in the target management node. The target management node sends the unified RDMA communication encryption key to each of the single-machine TEE nodes in the TEE cluster through the trusted communication channel; When the TEE environment in each of the single-machine TEE nodes receives the unified RDMA communication encryption key, the control bridge in each of the single-machine TEE nodes is configured through the trusted IO channel according to the unified RDMA communication encryption key, so as to realize the communication between the TEE environment in each of the single-machine TEE nodes and the network card device, as well as the RDMA communication of the TEE cluster.

8. A system for implementing a TEE cluster, characterized in that, The implementation system of the TEE cluster includes: The startup authentication module is used to perform trusted startup authentication and control bridge identity authentication on each individual TEE node in the TEE cluster when the TEE cluster starts up. A trusted I / O channel construction module is used to exchange communication keys between the TEE environment and the network card device based on the control bridge when both the trusted boot authentication and the control bridge identity authentication are passed, and to construct a trusted I / O channel between the TEE environment and the network card device. The trusted communication channel construction module is used to perform inter-node authentication and communication key exchange for each of the single-machine TEE nodes through the TEE environment based on the trusted IO channel, and to construct a trusted communication channel between the single-machine TEE nodes.

9. A terminal, characterized in that, The terminal includes: a memory, a processor, and an implementation program for a TEE cluster stored in the memory and executable on the processor. When the TEE cluster implementation program is executed by the processor, it implements the steps of the TEE cluster implementation method as described in any one of claims 1-7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores an implementation program for a TEE cluster, which, when executed by a processor, implements the steps of the TEE cluster implementation method as described in any one of claims 1-7.