Disclosure of Invention
In view of this, embodiments of the present invention provide a host authentication method, a host authentication device, and related devices, so as to avoid security risks of a trusted authentication process and ensure data security.
In order to achieve the above purpose, the embodiment of the present invention provides the following technical solutions.
In a first aspect, an embodiment of the present invention provides a host authentication method, applied to a secure virtual machine, including:
Acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature;
acquiring a chip root key certificate corresponding to the chip root key;
Validating the host authentication report based on the host authentication signature certificate;
Validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate;
If the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate;
and if the verification is passed, the host is a trusted device.
Optionally, the host authentication report includes a host metric value, first random information, and a host authentication signature; the security virtual machine authentication report comprises a security virtual machine metric value, second random information and a security virtual machine authentication signature; the first random information and the second random information are generated by a secure virtual machine;
The host authentication signature is generated based on a host authentication private key signature, the host authentication signature certificate records a host authentication public key corresponding to the host authentication private key, and the host authentication public key is based on the chip root key authentication signature;
the secure virtual machine authentication signature is generated based on a secure virtual machine authentication private key signature, the secure virtual machine authentication signature certificate records a secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key, and the secure virtual machine authentication public key is based on the chip root key authentication signature.
Optionally, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report includes:
generating and sending a host authentication report request, wherein the host authentication report request comprises first random information;
After the security processor generates a host authentication report based on the host authentication report request, the host authentication report sent by the security processor and a host authentication signature certificate corresponding to the host authentication report are acquired.
Optionally, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report includes:
Generating and sending a security virtual machine authentication report request, wherein the security virtual machine authentication report request comprises second random information;
And after the security processor generates a security virtual machine authentication report based on the security virtual machine authentication report request, acquiring the security virtual machine authentication report sent by the security processor and a security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report.
Optionally, the step of obtaining the chip root key certificate corresponding to the chip root key and the step of obtaining the security virtual machine authentication report and the security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report are performed simultaneously, specifically:
And after the secure processor generates the secure virtual machine authentication report based on the secure virtual machine authentication report request, acquiring the secure virtual machine authentication report sent by the secure processor, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report and a chip root key certificate.
Optionally, the verifying the host authentication report based on the host authentication signature certificate includes:
Based on a host authentication public key in the host authentication signature certificate, calculating a host metric value and/or the first random information in the host authentication report to obtain a host to-be-verified signature;
Comparing whether the signature to be verified of the host is consistent with the authentication signature of the host, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying the host authentication report based on the host authentication signature certificate further includes:
and comparing whether the first random information in the host authentication report request is consistent with the first random information generated by the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate includes:
Based on a secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, calculating a secure virtual machine metric value and/or the second random information in the secure virtual machine authentication report to obtain a secure virtual machine signature to be verified;
And comparing whether the signature to be verified of the secure virtual machine is consistent with the authentication signature of the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate further includes:
and comparing whether the second random information in the security virtual machine authentication report request is consistent with the second random information generated by the security virtual machine, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate includes:
Calculating a host authentication public key in the host authentication report based on a chip root key public key in the chip root key certificate to obtain a signature to be verified of the host authentication public key; determining whether the signature to be verified of the host authentication public key is consistent with the signature of the host authentication public key in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification;
Based on the chip root key public key in the chip root key certificate, calculating the security virtual machine authentication public key in the security virtual machine authentication report to obtain a signature to be verified of the security virtual machine authentication public key; and determining whether the signature to be verified of the secure virtual machine authentication public key is consistent with the secure virtual machine authentication public key signature in the secure virtual machine authentication signature certificate, if so, verifying to pass, and if not, verifying to fail.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent to the host by the security processor and forwarded by the host second application to the first application of the secure virtual machine.
In a second aspect, an embodiment of the present invention provides a host authentication apparatus, including:
The authentication information acquisition module is used for acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key;
A verification module for verifying the host authentication report based on the host authentication signature certificate; and validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the host authentication report and the security virtual machine authentication report pass verification, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
In a third aspect, an embodiment of the present invention provides a confidential computing device comprising: a secure virtual machine, a host system, and a secure processor; the security virtual machine is configured with the host authentication device provided by the embodiment of the invention.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent by the security processor to the host system and forwarded by a second application of the host system to a first application of the secure virtual machine.
In a fourth aspect, an embodiment of the present invention provides a storage medium, where one or more computer executable instructions are stored, where the one or more computer executable instructions implement the host authentication method provided by the embodiment of the present invention when executed.
The embodiment of the invention provides a host authentication method, a host authentication device and related equipment thereof, wherein the host authentication method is applied to a secure virtual machine and comprises the following steps: acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key; verifying the host authentication report based on the host authentication signature certificate; validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
It can be seen that, according to the host authentication scheme in the embodiment of the present invention, by using the characteristics that the secure virtual machine and the chip root key corresponding to the host running the secure virtual machine are the same key, and the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on the chip root key authentication signature, when the host authentication report is checked based on the host authentication signature certificate, and the secure virtual machine authentication report is checked based on the secure virtual machine authentication signature certificate, the host authentication signature certificate and the secure virtual machine authentication signature certificate are checked based on the chip root key certificate, and when the verification passes, the host authentication signature certificate is checked based on the chip root key authentication signature adopted by the secure virtual machine, so that the host authentication signature certificate is considered to be trusted, and accordingly, the host authentication report passed by the host authentication signature certificate is determined to be trusted. Therefore, the host authentication method provided by the embodiment of the invention can realize the authentication of the host at the secure virtual machine end, thereby avoiding the risk of the third party being unreliable in the trusted authentication process and guaranteeing the data security.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to a system architecture schematic diagram of a secure virtual environment shown in fig. 1, as shown in fig. 1, a system architecture of the secure virtual environment may include: a general purpose processor (e.g., central processing unit CPU) 1, a memory controller 2, a memory 3, and a secure processor (PSP, platform Secure Processor) 4; the general processor 1 may configure a virtual machine manager (VMM, virtual Machine Monitor) 11 through a host system (hereinafter referred to as a host) 10 running therein, and virtualize a secure virtual machine and a normal virtual machine through a virtualization technology, where the secure virtual machine is a virtual machine configured with a secure isolation memory isolated from the normal memory in a virtualization architecture, and is used to provide a trusted execution environment for the virtualization architecture, and participate in data processing related to data security in the virtualization architecture.
The memory controller 2 is hardware that controls the memory 3 and causes data to be exchanged between the memory 3 and the general-purpose processor 1; the secure processor 4 is a processor responsible for virtual machine data security, which is specifically set by the secure virtualization technology.
The secure processor 4 is a special processor independent of the normal processor, operates based on separate processor hardware, and interacts with the normal processor through a specific interface, with the highest security level. In the running process of the device, the security processor can configure the security isolation memory corresponding to the security virtual machine for the security virtual machine by using the memory controller through the bus, and configures and maintains the nested page table of the security virtual machine for the security virtual machine, so that the security processor accesses the security isolation memory corresponding to the security virtual machine based on the memory controller 2, and the security of the memory data of the security virtual machine is ensured.
The secure virtual machine may support a remote authentication function, for example, in a scenario where the data provider needs to provide confidential data to the secure virtual machine for processing, the confidential data may be provided by first obtaining a secure virtual machine authentication report for the secure virtual machine and verifying that the identity of the secure virtual machine is legitimate.
The security virtual machine authentication report is a report based on the security virtual machine authentication public key signature in the security virtual machine authentication signature certificate, and can include measurement information of information such as security virtual machine identity information, hardware information of the security virtual machine and the like, and a corresponding security virtual machine authentication public key and the like, so that the authentication of the security virtual machine can be performed based on the information.
In order to ensure the security of the hardware information where the secure virtual machine is located, the host of the secure virtual machine is usually authenticated and run, and after the host is a trusted device, a secure virtual machine authentication report is formed.
In an alternative example, remote authentication can be performed by a third party based on a host authentication report to determine the trusted state of the host, and further based on a secure virtual machine authentication report of the secure virtual machine, identity information of the secure virtual machine is verified, and after verification is passed, the trusted state of the host is forwarded to the secure virtual machine, so that authentication of the host by the secure virtual machine is completed.
However, the security of this authentication method is not high.
The inventor considers that the authentication of the host by the secure virtual machine is realized by adopting a third party, which is easily influenced by the credibility of the third party, namely, the credibility of the counterfeit host can occur when the third party is not in the credible state, and then the security risk is generated.
In view of this, an embodiment of the present invention provides a host authentication method, applied to a secure virtual machine, including: acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key; validating the host authentication report based on the host authentication signature certificate; validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
It can be seen that, according to the host authentication scheme in the embodiment of the present invention, by using a secure processor in a hardware environment operated by a secure virtual machine, and a chip root key corresponding to a host operating the secure virtual machine is the same key, and the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on the characteristics of the chip root key authentication signature, when the host authentication report is verified based on the host authentication signature certificate, and the secure virtual machine authentication report is verified based on the secure virtual machine authentication signature certificate, the host authentication signature certificate and the secure virtual machine authentication signature certificate are verified based on the chip root key certificate, and when verification passes, the host authentication signature certificate is indicated to be based on the chip root key authentication signature adopted by the secure virtual machine, so that the host authentication signature certificate is considered to be trusted, and accordingly, the host authentication report that the host authentication signature certificate passes is verified to be trusted, so as to determine that the host is a trusted device.
It can be seen that the host authentication method provided by the embodiment of the invention can realize host authentication at the secure virtual machine end, thereby avoiding the risk of non-trust of a third party in a trusted authentication process and guaranteeing data security.
Next, a host authentication procedure described in the embodiment of the present invention will be described. Specifically, the host authentication process may be executed by a computer system based on the system architecture of the secure virtual environment, and referring to an optional schematic diagram of the host authentication process provided in the embodiment of the present invention shown in fig. 2, the host authentication process includes:
Step S100, a secure virtual machine acquires a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report;
Wherein the host authentication report is a report generated by a trusted module (i.e., a module in the secure processor of the present embodiment) for enabling other objects (i.e., report requesters) to verify the trustworthiness of the host. In a specific example, the host authentication report is generated after a report requester issues a host authentication report request. It should be noted that, in an alternative example, the host authentication report request may include random information (e.g., a random value that may be generated for the report requester), so that a corresponding host authentication report may be generated based on the random information of the host authentication report request, e.g., the random information may be written in the host authentication report, thereby protecting against possible replay attacks.
The host authentication report further includes a host metric value obtained after measuring the software and hardware information of the host, for example, a host metric value obtained after measuring the BIOS (Basic Input Output System ), grub (multiple start manager), kernel, and application program of the host, so as to determine the hardware security of the host based on the host metric value.
In a specific example, a first trusted processing module (e.g., TPM module, trusted Platform Module, trusted platform module) may be provided in the secure processor for trusted verification of the host. For example, the first trusted processing module is a TPM module, and when the host is started, the TPM module may sequentially measure BIOS, grub, kernel, and application of the host, so as to generate a corresponding host measurement value.
The host authentication report further includes a host authentication signature for verifying the host authentication report, where the host authentication signature is calculated based on a preconfigured private key and report information (such as a host metric value and/or random information of a host authentication report request) in the host authentication report, and a public key corresponding to the private key (i.e., a host authentication public key) is recorded in a host authentication signature certificate corresponding to the host authentication report.
When the host authentication report is authenticated, a corresponding public key can be obtained based on a corresponding host authentication signature certificate, report information in the host authentication report is verified based on the public key, namely, a host to-be-verified signature calculated by using the public key and the report information in the host authentication report is compared with whether the host to-be-verified signature is consistent with the host authentication signature, if so, verification is passed, and if not, verification is not passed.
In this embodiment, the report requester is the secure virtual machine, and accordingly, the process of the secure virtual machine in step S100 obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report may specifically include, referring to an optional flowchart of step S100 in the embodiment of the present invention shown in fig. 3:
Step S101, a security virtual machine generates and sends out a host authentication report request;
The host authentication report request includes first random information. The first random information may be understood as random information generated by the secure virtual machine, and in this example, the first random information is random information for verifying a host authentication transmission procedure, and is configured in a host authentication report request, and a host authentication report is written in a subsequent procedure to confirm that the host authentication report in the subsequent procedure is generated based on the host authentication report request.
After the host authentication report request is generated, the secure virtual machine may send the host authentication report request to a secure processor, and generate a host authentication report according to first random information in the host authentication report request, where the host measurement value is obtained by a first trusted processing module (refer to fig. 7, and the first trusted processing module may be, for example, a TPM module) in the secure processor based on software and hardware information of the host. In a specific example, referring to the optional signature verification structure diagram of the certificate verification of the embodiment of the present invention shown in fig. 4, the host authentication report may include a host metric value, first random information, and a host authentication signature. In a specific example, the host authentication report may further include other fields, which may be used to record version information of the host software and hardware, and the like.
The host metric value can be obtained from a platform configuration register (PCR, platform Configuration Register), which is a hardware register for storing the measurement result of the computer system; the host authentication signature may be generated by the first trusted processing module based on a host authentication private key (e.g., an AIK private key, wherein AIK is Attestation IDENTITY KEY, a platform identity authentication key) for the host metric value and/or the first random information.
Correspondingly, the host authentication public key corresponding to the host authentication private key may be recorded in the host authentication signature certificate. Wherein, referring to fig. 4, the host authentication signature certificate is based on a chip root key (such as CEK, chip Endorsement Key, an SM2 key) authentication signature, i.e. the host authentication public key is based on the chip root key authentication. Specifically, the host authentication public key signature is further recorded in the host authentication signature certificate in addition to the host authentication public key, and the host authentication public key signature is obtained by calculating the host authentication public key by using the chip root key private key.
The chip root key can be arranged in preset firmware of the host hardware, the chip root key corresponds to the host hardware to which the chip root key belongs one by one, and the preset firmware only allows the secure processor to access; correspondingly, the chip root key certificate records a chip root key public key corresponding to the chip root key, and when the host authentication signature certificate is verified, the verification of the host authentication signature certificate can be performed based on the information recorded by the chip root key certificate.
With continued reference to fig. 3, step S102 is executed, and the security processor generates a host authentication report based on the host authentication report request;
wherein the host authentication report is used to be provided as an authenticated object to an authenticator (i.e., the secure virtual machine in this embodiment) so that the authenticator performs secure authentication based on the host authentication report.
The host authentication report is generated based on a host authentication report request. When the first random information is included in the host authentication report request, the generated host authentication report simultaneously records the first random information, and when the host authentication signature is generated, the signature is performed based on the host metric value and/or the first random information.
Further, as described above, the host authentication signature is signed based on a host authentication private key (e.g., AIK private key), and the corresponding host authentication public key may be recorded in the host authentication signature certificate.
With continued reference to fig. 3, step S103 is performed in which the security processor transmits the host authentication report and a host authentication signature certificate corresponding to the host authentication report;
After generating the host authentication report, the security processor may send the host authentication report and a host authentication signature certificate corresponding to the host authentication report to a verifier (i.e., a secure virtual machine in this embodiment) so that the verifier (i.e., the secure virtual machine in this embodiment) performs trusted verification based on the host authentication report and the host authentication signature certificate.
Accordingly, the secure virtual machine may obtain the host authentication report and a host authentication signature certificate corresponding to the host authentication report.
Further, in the embodiment of the present invention, the secure virtual machine further obtains a secure virtual machine authentication report, where the secure virtual machine authentication report is a report generated by the secure processor and used for enabling other objects (i.e. report requesters) to verify the credibility of the secure virtual machine. In a specific example, the secure virtual machine authentication report is generated after the report requester issues a secure virtual machine authentication report request. It should be noted that, in an alternative example, the secure virtual machine authentication report request may include random information (e.g., a random value that may be generated for the report requester), so that a corresponding secure virtual machine authentication report may be generated based on the random information of the secure virtual machine authentication report request, e.g., the random information may be written in the secure virtual machine authentication report, so as to defend against possible replay attacks.
The security virtual machine authentication report further comprises a security virtual machine measurement value obtained after the software and hardware information of the security virtual machine is measured, so that the software and hardware security of the security virtual machine is determined based on the security virtual machine measurement value.
In a specific example, a second trusted processing module (refer to fig. 7, and the second trusted processing module may be, for example, a CSV module, where CSV is China Secure Virtualization, a national standard secure virtualization technology) may be provided in the secure processor, for performing trust verification on the secure virtual machine. For example, the second trusted processing module is a CSV module, and the CSV module may measure software and hardware information (such as firmware, kernel, etc. files of the secure virtual machine) of the secure virtual machine, so as to generate a corresponding secure virtual machine measurement value.
The secure virtual machine authentication report further includes a secure virtual machine authentication signature for verifying the secure virtual machine authentication report, where the secure virtual machine authentication signature is calculated based on a pre-configured private key and report information (e.g., a secure virtual machine metric value and/or random information of a secure virtual machine authentication report request) in the secure virtual machine authentication report, and a public key corresponding to the private key is recorded in a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report.
When the authentication of the secure virtual machine authentication report is performed, a corresponding public key (namely, a secure virtual machine authentication public key) can be obtained based on a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication signature certificate, report information in the secure virtual machine authentication report is verified based on the public key, namely, a secure virtual machine to-be-verified signature calculated by using the public key and the report information in the secure virtual machine authentication report is compared with whether the secure virtual machine to-be-verified signature is consistent with the secure virtual machine authentication signature, if so, the secure virtual machine to-be-verified signature passes the verification, and if not, the verification is not passed.
In this embodiment, the report requester is the secure virtual machine, and accordingly, the process of the secure virtual machine obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report in step S100 may specifically include, referring to another optional flowchart of step S100 in the embodiment of the present invention shown in fig. 5:
step S104, the secure virtual machine generates and sends a secure virtual machine authentication report request;
the secure virtual machine authentication report request includes second random information. The second random information may be understood as random information generated by the secure virtual machine, in this example, the second random information is random information for verifying a secure virtual machine authentication transmission procedure, and the second random information is configured in a secure virtual machine authentication report request, and a secure virtual machine authentication report is written in a subsequent procedure to confirm that the secure virtual machine authentication report in the subsequent procedure is generated based on the secure virtual machine authentication report request.
After the secure virtual machine generates the secure virtual machine authentication report request, the secure virtual machine may send the secure virtual machine authentication report request to a secure processor, where a secure virtual machine metric value obtained by a second trusted processing module (e.g., a CSV module) in the secure processor based on software and hardware information of the secure virtual machine, and generate a secure virtual machine authentication report corresponding to second random information in the secure virtual machine authentication report request. In a specific example, referring to fig. 4, the secure virtual machine authentication report may include a secure virtual machine metric value, second random information in a corresponding secure virtual machine authentication report request, and a secure virtual machine authentication signature. In a specific example, the secure virtual machine authentication report may further include other fields, where the other fields may be used to record version information of the secure virtual machine software and hardware (such as a version number of the secure virtual machine), and so on.
The secure virtual machine authentication signature may be generated by the second trusted processing module based on a secure virtual machine authentication private key (e.g., PEK private key, where PEK is Platform Endorsement Key, an SM2 key) by signing the secure virtual machine metric value and/or the second random information.
Accordingly, referring to fig. 4, the secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key may be recorded in the secure virtual machine authentication signature certificate. The secure virtual machine authentication signature certificate is based on a chip root key (such as CEK) authentication signature, namely, the secure virtual machine authentication public key is based on the chip root key authentication. Specifically, the secure virtual machine authentication signature certificate further records a secure virtual machine authentication public key signature in addition to the secure virtual machine authentication public key, and the secure virtual machine authentication public key signature is obtained by calculating the secure virtual machine authentication public key by using the chip root key private key.
The chip root key can be arranged in preset firmware of the host hardware, the chip root key corresponds to the host hardware to which the chip root key belongs one by one, and the preset firmware only allows the secure processor to access; correspondingly, the chip root key certificate records a chip root key public key corresponding to the chip root key, and when the verification of the secure virtual machine authentication signature certificate is performed, the verification of the secure virtual machine authentication signature certificate can be performed based on the information recorded by the chip root key certificate.
With continued reference to fig. 5, step S105 is executed, and the secure processor generates a secure virtual machine authentication report based on the secure virtual machine authentication report request;
Wherein the secure virtual machine authentication report is used to be provided as an object to be authenticated to an authenticator (i.e., the secure virtual machine in the present embodiment), so that the authenticator performs secure authentication based on the secure virtual machine authentication report.
The secure virtual machine authentication report is generated based on the secure virtual machine authentication report request. And when the security virtual machine authentication report request comprises second random information, the generated security virtual machine authentication report simultaneously records the second random information, and when a security virtual machine authentication signature is generated, the signature is carried out based on the security virtual machine metric value and/or the second random information.
Further, as described above, the secure virtual machine authentication signature is signed based on a secure virtual machine authentication private key (e.g., PEK private key), and the corresponding secure virtual machine authentication public key may be recorded in the secure virtual machine authentication signature certificate.
With continued reference to fig. 5, step S106 is executed, where the secure processor sends the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report;
After generating the secure virtual machine authentication report, the secure processor may send the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report to a verifier (i.e., the secure virtual machine in this embodiment) so that the verifier (i.e., the secure virtual machine in this embodiment) performs trusted verification based on the secure virtual machine authentication report and the secure virtual machine authentication signature certificate.
Correspondingly, the secure virtual machine can acquire the secure virtual machine authentication report and the secure virtual machine authentication signature certificate.
After obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the secure virtual machine further obtains a chip root key certificate to execute the verification process according to the embodiment of the invention based on the chip root key certificate.
With continued reference to fig. 2, step S110 is executed, where the secure virtual machine obtains a chip root key certificate corresponding to the chip root key;
The chip root key may be obtained from a secure processor or downloaded from a certificate server. Based on the hardware independence of the security processor and the high-level security level of the security processor, the chip root key certificate corresponding to the chip root key is obtained from the security processor, so that the credibility of the chip root key certificate can be guaranteed to the greatest extent.
The secure virtual machine may issue a chip root key certificate access request, and enable the secure processor to feed back a chip root key certificate to the secure virtual machine based on the chip root key certificate access request. Accordingly, the secure virtual machine may obtain the root key certificate.
In a further example, the secure processor may also send the chip root key certificate to the secure virtual machine based on a secure virtual machine authentication report request, while sending the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report to a verifier (i.e., the secure virtual machine in this embodiment). That is, the secure processor transmits the secure virtual machine authentication report, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, and a chip root key certificate to the secure virtual machine based on the secure virtual machine authentication report request.
Correspondingly, the secure virtual machine can acquire the secure virtual machine authentication report, the secure virtual machine authentication signature certificate and the chip root key certificate.
With continued reference to fig. 2, step S120 is performed, where the secure virtual machine verifies the host authentication report based on the host authentication signature certificate;
upon obtaining the host authentication report and a host authentication signature certificate corresponding to the host authentication report, the host authentication report may be verified based on the host authentication signature certificate.
Specifically, the host metric value in the host authentication report and/or the first random information in the corresponding host authentication report request may be calculated based on the host authentication public key in the host authentication signature certificate, so as to obtain a signature to be verified of the host, and compare whether the signature to be verified of the host is consistent with the host authentication signature, if so, the verification is passed, and if not, the verification is not passed.
The calculation basis of the signature to be verified of the host is the same as the calculation basis of the authentication signature of the host, namely, when the calculation basis of the authentication signature of the host is a host metric value, the calculation basis of the corresponding signature to be verified of the host is also the host metric value; when the calculation basis of the host authentication signature is the host measurement value and the first random information, the calculation basis of the corresponding host to-be-verified signature is also the host measurement value and the first random information.
In a further example, the verification process may further include verification of the first random information, that is, comparing whether the first random information in the host authentication report is consistent with the first random information of the host authentication report request generated by the secure virtual machine, if so, the verification is passed, and if not, the verification is not passed.
If the verification is passed, executing the next step, if the verification is not passed, reporting an error and exiting the verification process.
With continued reference to fig. 2, step S130 is performed, where the secure virtual machine verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate;
after the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report are obtained, the secure virtual machine authentication report may be verified based on the secure virtual machine authentication signature certificate.
Specifically, the secure virtual machine metric value in the secure virtual machine authentication report and/or the second random information in the corresponding secure virtual machine authentication report request may be calculated based on the secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, to obtain a secure virtual machine to-be-verified signature, and compare whether the secure virtual machine to-be-verified signature is consistent with the secure virtual machine authentication signature, if so, the verification is passed, and if not, the verification is not passed.
The calculation basis of the signature to be verified of the secure virtual machine is the same as the calculation basis of the authentication signature of the secure virtual machine, namely, when the calculation basis of the authentication signature of the secure virtual machine is the measurement value of the secure virtual machine, the calculation basis of the corresponding signature to be verified of the secure virtual machine is also the measurement value of the secure virtual machine; when the calculation basis of the authentication signature of the secure virtual machine is the secure virtual machine metric value and the second random information, the calculation basis of the signature to be verified of the corresponding secure virtual machine is also the secure virtual machine metric value and the second random information.
In a further example, the verification process may further include verification of the second random information, that is, comparing whether the second random information in the secure virtual machine authentication report is consistent with the second random information of the secure virtual machine authentication report request generated by the secure virtual machine, if so, the verification is passed, and if not, the verification is not passed.
If the verification is passed, executing the next step, if the verification is not passed, reporting an error and exiting the verification process.
In the embodiment of the present invention, the execution order of step S120 and step S130 is not fixed, step S120 may be performed first, step S130 and step S140 may be performed after the verification is passed, step S130 may be performed first, step S120 and step S140 may be performed after the verification is passed, or step S120 and step S130 may be performed simultaneously, and step S140 may be performed after the verification is passed in both step S120 and step S130.
With continued reference to fig. 2, step S140 is performed, where the secure virtual machine verifies the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate;
It may be appreciated that, in the normal flow, the host authentication signature certificate and the secure virtual machine authentication signature certificate are signed based on a chip root key authentication, and accordingly, based on the chip root key certificate, whether the host authentication signature certificate and the secure virtual machine authentication signature certificate are authentic may be verified.
Specifically, the process of verifying the host authentication signature certificate may include: and calculating the host authentication public key in the host authentication report based on the chip root key public key in the chip root key certificate to obtain a host authentication public key signature to be verified, determining whether the host authentication public key signature to be verified is consistent with the host authentication public key signature in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification.
Accordingly, the process of verifying the secure virtual machine authentication signature certificate may include: and calculating the security virtual machine authentication public key in the security virtual machine authentication report based on the chip root key public key in the chip root key certificate to obtain a security virtual machine authentication public key to-be-verified signature, determining whether the security virtual machine authentication public key to-be-verified signature is consistent with the security virtual machine authentication public key signature in the security virtual machine authentication signature certificate, if so, passing the verification, and if not, not passing the verification.
Obviously, when verification passes, the host authentication signature certificate is indicated to be signed based on the chip root key authentication adopted by the secure virtual machine, so that the host authentication signature certificate can be considered to be trusted, and correspondingly, the host authentication report passed by the host authentication signature certificate is trusted, so that the host is determined to be a trusted device, that is, the host is ensured to have no malicious code running therein, and the VMM code of the host is not tampered.
It should be noted that, in a further alternative example, the communication between the secure virtual machine and the secure processor may be implemented based on a communication link between the secure virtual machine and the secure processor, or the communication link between the secure virtual machine and the host may be used to perform transmission of part of host related information, and the communication link between the secure virtual machine and the secure processor may be used to perform transmission of part of secure virtual machine related information. It can be understood that the communication link between the secure virtual machine and the host machine and the communication link between the host machine and the secure processor are used for transmitting part of host related information, so that the host machine can acquire related information based on the authority of the host machine, and the authority logic in the system is prevented from being too complex, thereby generating security risks.
In a specific example, the communication link between the secure virtual machine and the secure processor is implemented based on a virtual machine manager VMM, that is, a secure virtual machine authentication report (CSV authentication report in this example) and a host authentication report (TPM authentication report in this example) are acquired by the virtual machine manager VMM (not shown in the figure), and referring to an alternative example of a host authentication method shown in fig. 6, in this example, the secure virtual machine is configured with a first application for executing a host authentication procedure, a PEK certificate is used as a secure virtual machine authentication signature certificate, a CEK certificate is used as a chip root key certificate, an AIK certificate is used as a host authentication signature certificate, and specifically, the host authentication procedure may include:
Step S201: the first application sends a CSV report request to a CSV module of the security processor and acquires a CSV report;
step S202: the method comprises the steps that a first application obtains a corresponding PEK certificate and a CEK certificate;
Step S203: the first application verifies the signature of the CSV report by using the public key of the PEK certificate, and verifies the measurement value in the CSV report at the same time to confirm whether the working state of the secure virtual machine is credible;
Step S204: the first application sends a TPM report request to a TPM module of the security processor and acquires a TPM report;
Step S205: the first application acquires a corresponding AIK certificate;
Step S206: the first application uses the public key of the AIK certificate to verify the signature of the TPM report, and simultaneously verifies the host measurement value in the TPM report to confirm whether the working state of the host is credible;
Step S207: the first application uses the CEK certificate to verify the signature of the PEK certificate and the AIK certificate, and confirms that the host and the secure virtual machine run on the same physical machine.
Wherein, step S202 and step S205 may each acquire a corresponding certificate from the virtual machine manager. It will be appreciated that the verification steps in the above steps all verify to pass, indicating that the host state is trusted, otherwise the host file may have been tampered with.
Specifically, referring to another system architecture schematic diagram of a secure virtual environment provided by the embodiment of the present invention shown in fig. 7, when a communication link between a secure virtual machine and a host and a communication link between the host and a secure processor are used to transmit part of host related information, the secure virtual machine may be configured with a first application for executing a host authentication procedure, the host may be configured with a second application corresponding to the first application, and communication between the first application and the second application may be performed based on a preset communication link (for example VSOCK or a network, where VSOCK is Virtual Machine Socket, i.e. a virtual machine interface), so that host related information is transmitted based on the first application and the second application. In a specific example, the second application may be configured in a host.
Specifically, the information transmission in step S101 and step S103 may be based on the forwarding of the information by the first application and the second application, that is, the host authentication report request in the secure virtual machine in step S101 is sent to the second application by the first application and sent to the secure processor by the second application, and step S103 the secure processor may send the host authentication report and the host authentication signature certificate corresponding to the host authentication report to the host and forward the host authentication signature certificate to the first application of the secure virtual machine by the second application of the host.
In a specific example, the communication link between the secure virtual machine and the secure processor is implemented based on a virtual machine manager VMM (not shown in the figure) and a host, that is, the secure virtual machine authentication report (CSV authentication report in this example) is obtained by the virtual machine manager VMM, and the host authentication report (TPM authentication report in this example) is obtained by the second application configured in the host, and referring to an alternative example of another host authentication method shown in fig. 8, in this example, the PEK certificate is still used as a secure virtual machine authentication signature certificate, the CEK certificate is used as a chip root key certificate, and the AIK certificate is used as a host authentication signature certificate, and in particular, the host authentication procedure may include:
Step S301: the first application establishes a connection with the second application;
Specifically, in step S301, a connection may be established through VSOCK or a network.
Step S302: the first application sends a TPM report request to the second application, and requests the second application to acquire a TPM authentication report from a TPM module of the security processor;
Step S303: the second application acquires a TPM authentication report and a corresponding AIK certificate;
step S304: the second application sends the TPM report and the AIK certificate to the first application;
Step S305: the first application uses the public key of the AIK certificate to verify the signature of the TPM report, and simultaneously verifies the PCR metric value in the TPM report to confirm whether the working state of the host is credible;
Step S306: the first application sends a CSV report request to a CSV module of the security processor and acquires a CSV report;
step S307: the method comprises the steps that a first application obtains a corresponding PEK certificate and a CEK certificate;
Step S308: the first application verifies the signature of the CSV report by using the public key of the PEK certificate, and verifies the measurement value in the CSV report at the same time to confirm whether the working state of the secure virtual machine is credible;
step S309: the first application uses the CEK certificate to verify the signature of the PEK certificate and the AIK certificate, and confirms that the host and the CSV virtual machine run on the same physical machine.
Step S303 may acquire a corresponding certificate from the host, and step S307 may acquire the PEK certificate and the CEK certificate from the virtual machine manager. It will be appreciated that the verification steps in the above steps all verify to pass, indicating that the host state is trusted, otherwise the host file may have been tampered with.
It can be seen that the host authentication method provided by the embodiment of the invention can realize host authentication at the secure virtual machine end, thereby avoiding the risk of non-trust of a third party in a trusted authentication process and guaranteeing data security.
The host authentication device provided by the embodiment of the present invention is described below, and the host authentication device described below may be considered as a software function module or a hardware function module that needs to be set to implement the host authentication method provided by the embodiment of the present invention; the contents of the data processing apparatus described below may be referred to in correspondence with the contents of the method and the contents of the hardware module described above.
In an optional implementation, fig. 9 shows an optional block diagram of a host authentication device provided by an embodiment of the present invention, where the host authentication device is configured to implement the host authentication method provided by the embodiment of the present invention, as shown in fig. 9, the host authentication device may include:
An authentication information obtaining module 400, configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key;
A verification module 410 for verifying the host authentication report based on the host authentication signature certificate; and validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the host authentication report and the security virtual machine authentication report pass verification, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
Optionally, the host authentication report includes a host metric value, first random information, and a host authentication signature; the security virtual machine authentication report comprises a security virtual machine metric value, second random information and a security virtual machine authentication signature; the first random information and the second random information are generated by a secure virtual machine;
The host authentication signature is generated based on a host authentication private key signature, the host authentication signature certificate records a host authentication public key corresponding to the host authentication private key, and the host authentication public key is based on the chip root key authentication signature;
the secure virtual machine authentication signature is generated based on a secure virtual machine authentication private key signature, the secure virtual machine authentication signature certificate records a secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key, and the secure virtual machine authentication public key is based on the chip root key authentication signature.
Optionally, the authentication information obtaining module 400 is configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, where obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report specifically includes:
generating and sending a host authentication report request, wherein the host authentication report request comprises first random information;
After the security processor generates a host authentication report based on the host authentication report request, the host authentication report sent by the security processor and a host authentication signature certificate corresponding to the host authentication report are acquired.
Optionally, the authentication information obtaining module 400 is configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, where obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report specifically includes:
Generating and sending a security virtual machine authentication report request, wherein the security virtual machine authentication report request comprises second random information;
And after the security processor generates a security virtual machine authentication report based on the security virtual machine authentication report request, acquiring the security virtual machine authentication report sent by the security processor and a security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report.
Optionally, the step of obtaining, by the authentication information obtaining module 400, a chip root key certificate corresponding to the chip root key is performed simultaneously with the step of obtaining the security virtual machine authentication report and the security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report, specifically:
And after the secure processor generates the secure virtual machine authentication report based on the secure virtual machine authentication report request, acquiring the secure virtual machine authentication report sent by the secure processor, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report and a chip root key certificate.
Optionally, the verifying module 410 verifies the host authentication report based on the host authentication signature certificate, including:
Based on a host authentication public key in the host authentication signature certificate, calculating a host metric value and/or the first random information in the host authentication report to obtain a host to-be-verified signature;
Comparing whether the signature to be verified of the host is consistent with the authentication signature of the host, if so, passing the verification, and if not, not passing the verification.
Optionally, the verification module 410 verifies the host authentication report based on the host authentication signature certificate, further including:
And comparing whether the first random information in the host authentication report is consistent with the first random information generated by the secure virtual machine, if so, verifying to pass, and if not, verifying to fail.
Optionally, the verifying module 410 verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate, including:
Based on a secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, calculating a secure virtual machine metric value and/or the second random information in the secure virtual machine authentication report to obtain a secure virtual machine signature to be verified;
And comparing whether the signature to be verified of the secure virtual machine is consistent with the authentication signature of the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verification module 410 verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate, further including:
and comparing whether the second random information in the security virtual machine authentication report is consistent with the second random information generated by the security virtual machine, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying module 410 verifies the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate, including:
Calculating a host authentication public key in the host authentication report based on a chip root key public key in the chip root key certificate to obtain a signature to be verified of the host authentication public key; determining whether the signature to be verified of the host authentication public key is consistent with the signature of the host authentication public key in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification;
Based on the chip root key public key in the chip root key certificate, calculating the security virtual machine authentication public key in the security virtual machine authentication report to obtain a signature to be verified of the security virtual machine authentication public key; and determining whether the signature to be verified of the secure virtual machine authentication public key is consistent with the secure virtual machine authentication public key signature in the secure virtual machine authentication signature certificate, if so, verifying to pass, and if not, verifying to fail.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent by a security processor to the host system and forwarded by the host system second application to the first application of the secure virtual machine.
The embodiment of the invention also provides confidential computing equipment for realizing host authentication. As an alternative implementation, the confidential computing device may include: a secure virtual machine, a host system, and a secure processor; the security virtual machine is configured with the host authentication device provided by the embodiment of the invention.
In a further alternative implementation, referring to fig. 7, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent to the host system by the security processor and forwarded by the host system second application to the first application of the secure virtual machine.
In an alternative implementation of host authentication, a more detailed description of the secure processor, host system, and secure virtual machine may be referred to the description of the corresponding portions above, and will not be repeated here.
The embodiment of the invention also provides a storage medium which can store one or more computer executable instructions, and when the one or more computer executable instructions are executed, the host authentication method provided by the embodiment of the invention can be realized.
The foregoing describes several embodiments of the present invention, and the various alternatives presented by the various embodiments may be combined, cross-referenced, with each other without conflict, extending beyond what is possible embodiments, all of which are considered to be embodiments of the present invention disclosed and disclosed.
Although the embodiments of the present invention are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention should be assessed accordingly to that of the appended claims.