JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE) ›› 2019, Vol. 54 ›› Issue (7): 77-88.doi: 10.6040/j.issn.1671-9352.2.2018.211

Previous Articles     Next Articles

vTCM: a virtualized trusted cryptography module based on the virtualization of physical trusted computing environment

Jun HU(),Zi-peng DIAO   

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
  • Received:2018-09-20 Online:2019-07-20 Published:2019-06-27
  • Supported by:
    国家自然科学基金资助项目(61501007)

RichHTML

20

PDF (PC)

812

Abstract:

The trust of virtual machine is one of the key issues of virtual machine security. As the source of computer trust, the application of trust cryptography module(TCM) in virtual machine gets more and more attention. A virtual trust cryptography module scheme is presented, which designs a physical vTCM(virtual trusted cryptography module) running environment which can be implemented by expand current TCM(trusted cryptography module) scheme to several switchable vTCM scene, and schedule these vTCM scene to support the TCM access of virtual machines, assign a bound vTCM instance to each virtual machine, and all vTCM instances would run in vTCM scene in turn. The scheme can enhance the trust of vTCM, make management and migration of vTCM more easier. The scheme is implemented in KVM virtualization platform, it shows a good compatibility with existing systems.

Key words: trusted cryptography module, virtual machine trusting, trust migration, KVM

CLC Number: 

  • TP309

Fig.1

Architecture of vTCM"

Fig.2

Physical struct of vTCM"

Fig.3

Data format of vTCM"

Fig.4

Command format of vTCM"

Fig.5

Scheduling format of vTCM"

Fig.6

Modules scheduling of vTCM"

Fig.7

Scheduling modules of vTCM"

Fig.8

Flow diagram for creation of vTCM"

Fig.9

Flow Diagram for Metrics of vTCM"

Fig.10

Flow diagram for migration of vTCM"

Table 1

Command list of vTCM"

命令码名称命令码取值命令码功能
VTCM_INIT0x01初始化一个vTCM示例
VTCM_STOP0x02停止一个vTCM实例
VTCM_CLEAN0x03清除一个vTCM实例,并输出vTCM清除的校验信息。
VTCM_STARTUP0x04启动特定vTCM实例
VTCM_KEYSET0x05为特定vTCM实例设置上下文密钥
VTCM_KEYUPDATE0x06更新特定vTCM实例的上下文密钥
VTCM_KEYEXPORT0x07导出vTCM实例的上下文密钥
VTCM_KEYIMPORT0x08导入vTCM实例的上下文密钥
VTCM_EXPORT0x09导出vTCM实例上下文
VTCM_IMPORT0x0a导入vTCM实例上下文
VTCM_MIG_READY0x10在移植目标机上执行,准备vTCM实例移植,生成一个移植封装密钥
VTCM_MIG_EXPORTKEY0x11在移植源机器上执行,输入移植封装密钥,输出封装的上下文密钥
VTCM_MIG_IMPORTKEY0x12  在移植目标机上执行,输入封装的上下文密钥,返回解封成功/失败消息,如解封成功,移植目标机将可以直接导入vTCM上下文,但需待激活后才可以使用
VTCM_MIG_CLEAN0x13  在移植源机器上完成VTCM_MIG_EXPORTKEY命令后执行,输出vTCM本地清除的校验信息
VTCM_MIG_ACTIVE0x14  在移植目标机导入vTCM上下文后使用,输入移植源机器vTCM本地清除后的校验信息,输出激活结果。如校验信息验证通过则激活成功,此时vTCM可以正常使用。这一机制是为了确保同一时刻只有一个vTCM实例存在。
1 国家密码管理局.GM/T 0012—2012可信计算-可信密码模块接口规范[S].北京:中国标准出版社, 2012: 11.
State Cryptography Administration.GM/T 0012—2012, Trusted computing.Interface specification of trusted cryptography module[S]. Beijing: Standards Press of China, 2012: 11.
2 沈昌祥, 公备. 基于国产密码体系的可信计算体系框架[J]. 密码学报, 2015, 2 (5): 381- 389.
SHEN Changxiang , GONG Bei . The innovation of trusted computing based on the domestic cryptography[J]. Journal of Cryptologic Research, 2015, 2 (5): 381- 389.
3 国家密码管理局.GM/T 0013—2012,可信计算-可信密码模块接口符合性测试规范[S].北京:中国标准出版社, 2012: 11.
State Cryptography Administration.GM/T 0013—2012, Trusted computing.Trusted cryptography module interface compliance[S]. Beijing: Standards Press of China, 2012: 11.
4 Trusted Computing Group. TCG PC client specific implementation specification for conventional BIOS[EB/OL]. (2005-07-13[2018-10-10]. https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Implementation-for-BIOS.pdf
5 WAN X, XIAO Z T, REN Y. Trusted virtual private datacenter: a model toward secure IaaS cloud[C]// 2012 Fourth International Conference on Multimedia Information Networking and Security. Nanjing: IEEE, 2012: 55-58.
6 WANG Chunlu , LIU Chuanyi , LIU Bin , et al. DIV: dynamic integrity validation framework for detecting compromises on virtual machine based cloud services in real time[J]. China Communications, 2014, 11 (8): 15- 27.
doi: 10.1109/CC.2014.6911084
7 SUN Y Z , FANG H F , SONG Y , et al. TRainbow: a new trusted virtual machine based platform[J]. Frontiers of Computer Science in China, 2010, 4 (1): 47- 64.
doi: 10.1007/s11704-009-0076-5
8 YU Z L , ZHANG W P , DAI H J . A trusted architecture for virtual machines on cloud servers with trusted platform module and certificate authority[J]. Journal of Signal Processing Systems, 2017, 86 (2/3): 327- 336.
9 SINGH J , PASQUIER T , BACON J , et al. Twenty security considerations for cloud-supported internet of things[J]. IEEE Internet of Things Journal, 2016, 3 (3): 269- 284.
doi: 10.1109/JIOT.2015.2460333
10 BERGER S, GOLDMAN K A, PEREZ R, et al. vTPM: virtualizing the trusted platform module[C]// Conference on Usenix Security Symposium. California: USENIX Association, 2006.
11 STUMPF F, ECKERT C. Enhancing trusted platform modules with hardware-based virtualization techniques[C]// 2008 Second International Conference on Emerging Security Information, Systems and Technologies. Cap Esterel: IEEE, 2008: 1-9.
12 CHEN C, RAJ H, SAROIU S, et al. cTPM: a cloud TPM for cross-device trusted applications[C]// NSDI′14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation. California: USENIX Association, 2014: 187-201.
13 Trusted Computing Group. Virtualized platform architecture specification[EB/OL]. (2011-9-27)[2018-10-12] https://trustedcomputinggroup.org/virtualized-trusted-platform-architecture-specification/.
14 DANEV B. Enabling secure VM-vTPM migration in private clouds[C]// Twenty-seventh Computer Security Applications Conference. Florida: DBLP, 2011.
15 HONG Z , WANG J , ZHANG H G . A trusted VM-vTPM live migration protocol in clouds[J]. Proceedings of International Workshop on Cloud Computing & Information Security, 2013, 52 (1391): 299- 302.
[1] HUANG Yu-qing, ZHAO Bo, XIAO Yu, TAO Wei. A vTPM-VM live migration scheme based on KVM [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2017, 52(6): 69-75.
[2] ZHAO Dan-dan, CHEN Xing-shu, JIN Xin. A study on security enhancement technology for KVM Hypervisor [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2017, 52(3): 38-43.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
[1] SUN Xiao-ting1, JIN Lan2*. Application of DOSY in oligosaccharide mixture analysis[J]. J4, 2013, 48(1): 43 -45 .
[2] MAO Ai-qin1,2, YANG Ming-jun2, 3, YU Hai-yun2, ZHANG Pin1, PAN Ren-ming1*. Study on thermal decomposition mechanism of  pentafluoroethane fire extinguishing agent[J]. J4, 2013, 48(1): 51 -55 .
[3] REN Min1,2, ZHANG Guang-hui1. Absorbing probabilities of random walks in an independent random  environment convergence in distribution on the half-line[J]. J4, 2013, 48(1): 93 -99 .
[4] ZHAO Jun1, ZHAO Jing2, FAN Ting-jun1*, YUAN Wen-peng1,3, ZHANG Zheng1, CONG Ri-shan1. Purification and anti-tumor activity examination of water-soluble asterosaponin from Asterias rollestoni Bell[J]. J4, 2013, 48(1): 30 -35 .
[5] YANG Yong-wei1, 2, HE Peng-fei2, LI Yi-jun2,3. On strict filters of BL-algebras#br#[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 63 -67 .
[6] LI Min1,2, LI Qi-qiang1. Observer-based sliding mode control of uncertain singular time-delay systems#br#[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 37 -42 .
[7] TANG Feng-qin1, BAI Jian-ming2. The precise large deviations for a risk model with extended negatively upper orthant dependent claim  sizes[J]. J4, 2013, 48(1): 100 -106 .
[8] QIU Tao-rong, WANG Lu, XIONG Shu-jie, BAI Xiao-ming. A granular computing approach for knowledge hiding[J]. J4, 2010, 45(7): 60 -64 .
[9] XUE Qiu-fang1,2, GAO Xing-bao1*, LIU Xiao-guang1. Several equivalent conditions for H-matrix based on the extrapolated GaussSeidel iterative method[J]. J4, 2013, 48(4): 65 -71 .
[10] SHI Ai-ling1, MA Ming2*, ZHENG Ying2. Customer lifetime value and property with #br# homogeneous Poisson response[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 96 -100 .
Copyright 2018 © Editorial office of JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE)
Supported by Beijing Magtech Co.Ltd