CN118312946A - Host authentication method, host authentication device and related equipment - Google Patents

Host authentication method, host authentication device and related equipment Download PDF

Info

Publication number
CN118312946A
CN118312946A CN202410489478.9A CN202410489478A CN118312946A CN 118312946 A CN118312946 A CN 118312946A CN 202410489478 A CN202410489478 A CN 202410489478A CN 118312946 A CN118312946 A CN 118312946A
Authority
CN
China
Prior art keywords
virtual machine
authentication
host
secure virtual
report
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410489478.9A
Other languages
Chinese (zh)
Inventor
冯浩
应志伟
陈善
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hygon Information Technology Co Ltd
Original Assignee
Hygon Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hygon Information Technology Co Ltd filed Critical Hygon Information Technology Co Ltd
Priority to CN202410489478.9A priority Critical patent/CN118312946A/en
Publication of CN118312946A publication Critical patent/CN118312946A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

本发明实施例提供一种主机认证方法、主机认证装置及其相关设备,其中主机认证方法包括:获取主机认证报告、安全虚拟机认证报告、主机认证签名证书,以及,安全虚拟机认证签名证书;其中,所述主机认证签名证书和所述安全虚拟机认证签名证书基于芯片根密钥认证签名;获取所述芯片根密钥对应的芯片根密钥证书;基于所述主机认证签名证书验签所述主机认证报告;基于所述安全虚拟机认证签名证书验证所述安全虚拟机认证报告;若所述主机认证报告和所述安全虚拟机认证报告验签通过,则基于所述芯片根密钥证书验证所述主机认证签名证书和所述安全虚拟机认证签名证书;若验证通过,则所述主机为可信设备,从而保障了安全虚拟机的安全。

An embodiment of the present invention provides a host authentication method, a host authentication device and related equipment, wherein the host authentication method includes: obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate, and a secure virtual machine authentication signature certificate; wherein the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; obtaining a chip root key certificate corresponding to the chip root key; verifying the host authentication report based on the host authentication signature certificate; verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the host authentication report and the secure virtual machine authentication report are verified, then verifying the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate; if the verification is successful, the host is a trusted device, thereby ensuring the security of the secure virtual machine.

Description

Host authentication method, host authentication device and related equipment thereof
Technical Field
The embodiment of the invention relates to the technical field of confidential calculation, in particular to a host authentication method, a host authentication device and related equipment thereof.
Background
With the development of information technology, particularly the development and popularization of cloud computing technology, more and more clients deploy business systems in the cloud. The virtualization technology is used as a computer technology applied to a cloud, and a plurality of Virtual Machines (VMs) can be virtualized through a host, so that efficient utilization of hardware resources of the host is realized. In order to improve the security of the virtual machine data, the secure virtualization technology further combines the virtualization technology with a trusted execution environment (Trusted Execution Environment, TEE) technology, so that encryption and isolation of the virtual machine data can be realized in a CPU, and a trusted execution environment taking the secure virtual machine as a unit is constructed.
When the secure virtual machine processes confidential data, the secure virtual machine needs to perform trusted authentication of related equipment, and after the authentication is passed, the secure virtual machine executes corresponding confidential data processing tasks. However, this trusted authentication procedure presents a security risk.
Disclosure of Invention
In view of this, embodiments of the present invention provide a host authentication method, a host authentication device, and related devices, so as to avoid security risks of a trusted authentication process and ensure data security.
In order to achieve the above purpose, the embodiment of the present invention provides the following technical solutions.
In a first aspect, an embodiment of the present invention provides a host authentication method, applied to a secure virtual machine, including:
Acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature;
acquiring a chip root key certificate corresponding to the chip root key;
Validating the host authentication report based on the host authentication signature certificate;
Validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate;
If the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate;
and if the verification is passed, the host is a trusted device.
Optionally, the host authentication report includes a host metric value, first random information, and a host authentication signature; the security virtual machine authentication report comprises a security virtual machine metric value, second random information and a security virtual machine authentication signature; the first random information and the second random information are generated by a secure virtual machine;
The host authentication signature is generated based on a host authentication private key signature, the host authentication signature certificate records a host authentication public key corresponding to the host authentication private key, and the host authentication public key is based on the chip root key authentication signature;
the secure virtual machine authentication signature is generated based on a secure virtual machine authentication private key signature, the secure virtual machine authentication signature certificate records a secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key, and the secure virtual machine authentication public key is based on the chip root key authentication signature.
Optionally, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report includes:
generating and sending a host authentication report request, wherein the host authentication report request comprises first random information;
After the security processor generates a host authentication report based on the host authentication report request, the host authentication report sent by the security processor and a host authentication signature certificate corresponding to the host authentication report are acquired.
Optionally, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report includes:
Generating and sending a security virtual machine authentication report request, wherein the security virtual machine authentication report request comprises second random information;
And after the security processor generates a security virtual machine authentication report based on the security virtual machine authentication report request, acquiring the security virtual machine authentication report sent by the security processor and a security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report.
Optionally, the step of obtaining the chip root key certificate corresponding to the chip root key and the step of obtaining the security virtual machine authentication report and the security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report are performed simultaneously, specifically:
And after the secure processor generates the secure virtual machine authentication report based on the secure virtual machine authentication report request, acquiring the secure virtual machine authentication report sent by the secure processor, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report and a chip root key certificate.
Optionally, the verifying the host authentication report based on the host authentication signature certificate includes:
Based on a host authentication public key in the host authentication signature certificate, calculating a host metric value and/or the first random information in the host authentication report to obtain a host to-be-verified signature;
Comparing whether the signature to be verified of the host is consistent with the authentication signature of the host, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying the host authentication report based on the host authentication signature certificate further includes:
and comparing whether the first random information in the host authentication report request is consistent with the first random information generated by the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate includes:
Based on a secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, calculating a secure virtual machine metric value and/or the second random information in the secure virtual machine authentication report to obtain a secure virtual machine signature to be verified;
And comparing whether the signature to be verified of the secure virtual machine is consistent with the authentication signature of the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate further includes:
and comparing whether the second random information in the security virtual machine authentication report request is consistent with the second random information generated by the security virtual machine, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate includes:
Calculating a host authentication public key in the host authentication report based on a chip root key public key in the chip root key certificate to obtain a signature to be verified of the host authentication public key; determining whether the signature to be verified of the host authentication public key is consistent with the signature of the host authentication public key in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification;
Based on the chip root key public key in the chip root key certificate, calculating the security virtual machine authentication public key in the security virtual machine authentication report to obtain a signature to be verified of the security virtual machine authentication public key; and determining whether the signature to be verified of the secure virtual machine authentication public key is consistent with the secure virtual machine authentication public key signature in the secure virtual machine authentication signature certificate, if so, verifying to pass, and if not, verifying to fail.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent to the host by the security processor and forwarded by the host second application to the first application of the secure virtual machine.
In a second aspect, an embodiment of the present invention provides a host authentication apparatus, including:
The authentication information acquisition module is used for acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key;
A verification module for verifying the host authentication report based on the host authentication signature certificate; and validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the host authentication report and the security virtual machine authentication report pass verification, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
In a third aspect, an embodiment of the present invention provides a confidential computing device comprising: a secure virtual machine, a host system, and a secure processor; the security virtual machine is configured with the host authentication device provided by the embodiment of the invention.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent by the security processor to the host system and forwarded by a second application of the host system to a first application of the secure virtual machine.
In a fourth aspect, an embodiment of the present invention provides a storage medium, where one or more computer executable instructions are stored, where the one or more computer executable instructions implement the host authentication method provided by the embodiment of the present invention when executed.
The embodiment of the invention provides a host authentication method, a host authentication device and related equipment thereof, wherein the host authentication method is applied to a secure virtual machine and comprises the following steps: acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key; verifying the host authentication report based on the host authentication signature certificate; validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
It can be seen that, according to the host authentication scheme in the embodiment of the present invention, by using the characteristics that the secure virtual machine and the chip root key corresponding to the host running the secure virtual machine are the same key, and the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on the chip root key authentication signature, when the host authentication report is checked based on the host authentication signature certificate, and the secure virtual machine authentication report is checked based on the secure virtual machine authentication signature certificate, the host authentication signature certificate and the secure virtual machine authentication signature certificate are checked based on the chip root key certificate, and when the verification passes, the host authentication signature certificate is checked based on the chip root key authentication signature adopted by the secure virtual machine, so that the host authentication signature certificate is considered to be trusted, and accordingly, the host authentication report passed by the host authentication signature certificate is determined to be trusted. Therefore, the host authentication method provided by the embodiment of the invention can realize the authentication of the host at the secure virtual machine end, thereby avoiding the risk of the third party being unreliable in the trusted authentication process and guaranteeing the data security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a system architecture diagram of a secure virtual environment.
Fig. 2 is an alternative schematic diagram of a host authentication procedure according to an embodiment of the present invention.
Fig. 3 is an alternative flowchart of step S100 according to an embodiment of the present invention.
Fig. 4 is an alternative signature verification structure diagram of certificate signatures in an embodiment of the present invention.
Fig. 5 is a flowchart of step S100 according to an embodiment of the present invention.
Fig. 6 is an alternative example of a host authentication method according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of another system architecture of a secure virtual environment according to an embodiment of the present invention.
Fig. 8 is an alternative example of another host authentication method according to an embodiment of the present invention.
Fig. 9 is an alternative block diagram of a host authentication device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to a system architecture schematic diagram of a secure virtual environment shown in fig. 1, as shown in fig. 1, a system architecture of the secure virtual environment may include: a general purpose processor (e.g., central processing unit CPU) 1, a memory controller 2, a memory 3, and a secure processor (PSP, platform Secure Processor) 4; the general processor 1 may configure a virtual machine manager (VMM, virtual Machine Monitor) 11 through a host system (hereinafter referred to as a host) 10 running therein, and virtualize a secure virtual machine and a normal virtual machine through a virtualization technology, where the secure virtual machine is a virtual machine configured with a secure isolation memory isolated from the normal memory in a virtualization architecture, and is used to provide a trusted execution environment for the virtualization architecture, and participate in data processing related to data security in the virtualization architecture.
The memory controller 2 is hardware that controls the memory 3 and causes data to be exchanged between the memory 3 and the general-purpose processor 1; the secure processor 4 is a processor responsible for virtual machine data security, which is specifically set by the secure virtualization technology.
The secure processor 4 is a special processor independent of the normal processor, operates based on separate processor hardware, and interacts with the normal processor through a specific interface, with the highest security level. In the running process of the device, the security processor can configure the security isolation memory corresponding to the security virtual machine for the security virtual machine by using the memory controller through the bus, and configures and maintains the nested page table of the security virtual machine for the security virtual machine, so that the security processor accesses the security isolation memory corresponding to the security virtual machine based on the memory controller 2, and the security of the memory data of the security virtual machine is ensured.
The secure virtual machine may support a remote authentication function, for example, in a scenario where the data provider needs to provide confidential data to the secure virtual machine for processing, the confidential data may be provided by first obtaining a secure virtual machine authentication report for the secure virtual machine and verifying that the identity of the secure virtual machine is legitimate.
The security virtual machine authentication report is a report based on the security virtual machine authentication public key signature in the security virtual machine authentication signature certificate, and can include measurement information of information such as security virtual machine identity information, hardware information of the security virtual machine and the like, and a corresponding security virtual machine authentication public key and the like, so that the authentication of the security virtual machine can be performed based on the information.
In order to ensure the security of the hardware information where the secure virtual machine is located, the host of the secure virtual machine is usually authenticated and run, and after the host is a trusted device, a secure virtual machine authentication report is formed.
In an alternative example, remote authentication can be performed by a third party based on a host authentication report to determine the trusted state of the host, and further based on a secure virtual machine authentication report of the secure virtual machine, identity information of the secure virtual machine is verified, and after verification is passed, the trusted state of the host is forwarded to the secure virtual machine, so that authentication of the host by the secure virtual machine is completed.
However, the security of this authentication method is not high.
The inventor considers that the authentication of the host by the secure virtual machine is realized by adopting a third party, which is easily influenced by the credibility of the third party, namely, the credibility of the counterfeit host can occur when the third party is not in the credible state, and then the security risk is generated.
In view of this, an embodiment of the present invention provides a host authentication method, applied to a secure virtual machine, including: acquiring a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key; validating the host authentication report based on the host authentication signature certificate; validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the verification and signing pass of the host authentication report and the security virtual machine authentication report, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
It can be seen that, according to the host authentication scheme in the embodiment of the present invention, by using a secure processor in a hardware environment operated by a secure virtual machine, and a chip root key corresponding to a host operating the secure virtual machine is the same key, and the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on the characteristics of the chip root key authentication signature, when the host authentication report is verified based on the host authentication signature certificate, and the secure virtual machine authentication report is verified based on the secure virtual machine authentication signature certificate, the host authentication signature certificate and the secure virtual machine authentication signature certificate are verified based on the chip root key certificate, and when verification passes, the host authentication signature certificate is indicated to be based on the chip root key authentication signature adopted by the secure virtual machine, so that the host authentication signature certificate is considered to be trusted, and accordingly, the host authentication report that the host authentication signature certificate passes is verified to be trusted, so as to determine that the host is a trusted device.
It can be seen that the host authentication method provided by the embodiment of the invention can realize host authentication at the secure virtual machine end, thereby avoiding the risk of non-trust of a third party in a trusted authentication process and guaranteeing data security.
Next, a host authentication procedure described in the embodiment of the present invention will be described. Specifically, the host authentication process may be executed by a computer system based on the system architecture of the secure virtual environment, and referring to an optional schematic diagram of the host authentication process provided in the embodiment of the present invention shown in fig. 2, the host authentication process includes:
Step S100, a secure virtual machine acquires a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report;
Wherein the host authentication report is a report generated by a trusted module (i.e., a module in the secure processor of the present embodiment) for enabling other objects (i.e., report requesters) to verify the trustworthiness of the host. In a specific example, the host authentication report is generated after a report requester issues a host authentication report request. It should be noted that, in an alternative example, the host authentication report request may include random information (e.g., a random value that may be generated for the report requester), so that a corresponding host authentication report may be generated based on the random information of the host authentication report request, e.g., the random information may be written in the host authentication report, thereby protecting against possible replay attacks.
The host authentication report further includes a host metric value obtained after measuring the software and hardware information of the host, for example, a host metric value obtained after measuring the BIOS (Basic Input Output System ), grub (multiple start manager), kernel, and application program of the host, so as to determine the hardware security of the host based on the host metric value.
In a specific example, a first trusted processing module (e.g., TPM module, trusted Platform Module, trusted platform module) may be provided in the secure processor for trusted verification of the host. For example, the first trusted processing module is a TPM module, and when the host is started, the TPM module may sequentially measure BIOS, grub, kernel, and application of the host, so as to generate a corresponding host measurement value.
The host authentication report further includes a host authentication signature for verifying the host authentication report, where the host authentication signature is calculated based on a preconfigured private key and report information (such as a host metric value and/or random information of a host authentication report request) in the host authentication report, and a public key corresponding to the private key (i.e., a host authentication public key) is recorded in a host authentication signature certificate corresponding to the host authentication report.
When the host authentication report is authenticated, a corresponding public key can be obtained based on a corresponding host authentication signature certificate, report information in the host authentication report is verified based on the public key, namely, a host to-be-verified signature calculated by using the public key and the report information in the host authentication report is compared with whether the host to-be-verified signature is consistent with the host authentication signature, if so, verification is passed, and if not, verification is not passed.
In this embodiment, the report requester is the secure virtual machine, and accordingly, the process of the secure virtual machine in step S100 obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report may specifically include, referring to an optional flowchart of step S100 in the embodiment of the present invention shown in fig. 3:
Step S101, a security virtual machine generates and sends out a host authentication report request;
The host authentication report request includes first random information. The first random information may be understood as random information generated by the secure virtual machine, and in this example, the first random information is random information for verifying a host authentication transmission procedure, and is configured in a host authentication report request, and a host authentication report is written in a subsequent procedure to confirm that the host authentication report in the subsequent procedure is generated based on the host authentication report request.
After the host authentication report request is generated, the secure virtual machine may send the host authentication report request to a secure processor, and generate a host authentication report according to first random information in the host authentication report request, where the host measurement value is obtained by a first trusted processing module (refer to fig. 7, and the first trusted processing module may be, for example, a TPM module) in the secure processor based on software and hardware information of the host. In a specific example, referring to the optional signature verification structure diagram of the certificate verification of the embodiment of the present invention shown in fig. 4, the host authentication report may include a host metric value, first random information, and a host authentication signature. In a specific example, the host authentication report may further include other fields, which may be used to record version information of the host software and hardware, and the like.
The host metric value can be obtained from a platform configuration register (PCR, platform Configuration Register), which is a hardware register for storing the measurement result of the computer system; the host authentication signature may be generated by the first trusted processing module based on a host authentication private key (e.g., an AIK private key, wherein AIK is Attestation IDENTITY KEY, a platform identity authentication key) for the host metric value and/or the first random information.
Correspondingly, the host authentication public key corresponding to the host authentication private key may be recorded in the host authentication signature certificate. Wherein, referring to fig. 4, the host authentication signature certificate is based on a chip root key (such as CEK, chip Endorsement Key, an SM2 key) authentication signature, i.e. the host authentication public key is based on the chip root key authentication. Specifically, the host authentication public key signature is further recorded in the host authentication signature certificate in addition to the host authentication public key, and the host authentication public key signature is obtained by calculating the host authentication public key by using the chip root key private key.
The chip root key can be arranged in preset firmware of the host hardware, the chip root key corresponds to the host hardware to which the chip root key belongs one by one, and the preset firmware only allows the secure processor to access; correspondingly, the chip root key certificate records a chip root key public key corresponding to the chip root key, and when the host authentication signature certificate is verified, the verification of the host authentication signature certificate can be performed based on the information recorded by the chip root key certificate.
With continued reference to fig. 3, step S102 is executed, and the security processor generates a host authentication report based on the host authentication report request;
wherein the host authentication report is used to be provided as an authenticated object to an authenticator (i.e., the secure virtual machine in this embodiment) so that the authenticator performs secure authentication based on the host authentication report.
The host authentication report is generated based on a host authentication report request. When the first random information is included in the host authentication report request, the generated host authentication report simultaneously records the first random information, and when the host authentication signature is generated, the signature is performed based on the host metric value and/or the first random information.
Further, as described above, the host authentication signature is signed based on a host authentication private key (e.g., AIK private key), and the corresponding host authentication public key may be recorded in the host authentication signature certificate.
With continued reference to fig. 3, step S103 is performed in which the security processor transmits the host authentication report and a host authentication signature certificate corresponding to the host authentication report;
After generating the host authentication report, the security processor may send the host authentication report and a host authentication signature certificate corresponding to the host authentication report to a verifier (i.e., a secure virtual machine in this embodiment) so that the verifier (i.e., the secure virtual machine in this embodiment) performs trusted verification based on the host authentication report and the host authentication signature certificate.
Accordingly, the secure virtual machine may obtain the host authentication report and a host authentication signature certificate corresponding to the host authentication report.
Further, in the embodiment of the present invention, the secure virtual machine further obtains a secure virtual machine authentication report, where the secure virtual machine authentication report is a report generated by the secure processor and used for enabling other objects (i.e. report requesters) to verify the credibility of the secure virtual machine. In a specific example, the secure virtual machine authentication report is generated after the report requester issues a secure virtual machine authentication report request. It should be noted that, in an alternative example, the secure virtual machine authentication report request may include random information (e.g., a random value that may be generated for the report requester), so that a corresponding secure virtual machine authentication report may be generated based on the random information of the secure virtual machine authentication report request, e.g., the random information may be written in the secure virtual machine authentication report, so as to defend against possible replay attacks.
The security virtual machine authentication report further comprises a security virtual machine measurement value obtained after the software and hardware information of the security virtual machine is measured, so that the software and hardware security of the security virtual machine is determined based on the security virtual machine measurement value.
In a specific example, a second trusted processing module (refer to fig. 7, and the second trusted processing module may be, for example, a CSV module, where CSV is China Secure Virtualization, a national standard secure virtualization technology) may be provided in the secure processor, for performing trust verification on the secure virtual machine. For example, the second trusted processing module is a CSV module, and the CSV module may measure software and hardware information (such as firmware, kernel, etc. files of the secure virtual machine) of the secure virtual machine, so as to generate a corresponding secure virtual machine measurement value.
The secure virtual machine authentication report further includes a secure virtual machine authentication signature for verifying the secure virtual machine authentication report, where the secure virtual machine authentication signature is calculated based on a pre-configured private key and report information (e.g., a secure virtual machine metric value and/or random information of a secure virtual machine authentication report request) in the secure virtual machine authentication report, and a public key corresponding to the private key is recorded in a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report.
When the authentication of the secure virtual machine authentication report is performed, a corresponding public key (namely, a secure virtual machine authentication public key) can be obtained based on a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication signature certificate, report information in the secure virtual machine authentication report is verified based on the public key, namely, a secure virtual machine to-be-verified signature calculated by using the public key and the report information in the secure virtual machine authentication report is compared with whether the secure virtual machine to-be-verified signature is consistent with the secure virtual machine authentication signature, if so, the secure virtual machine to-be-verified signature passes the verification, and if not, the verification is not passed.
In this embodiment, the report requester is the secure virtual machine, and accordingly, the process of the secure virtual machine obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report in step S100 may specifically include, referring to another optional flowchart of step S100 in the embodiment of the present invention shown in fig. 5:
step S104, the secure virtual machine generates and sends a secure virtual machine authentication report request;
the secure virtual machine authentication report request includes second random information. The second random information may be understood as random information generated by the secure virtual machine, in this example, the second random information is random information for verifying a secure virtual machine authentication transmission procedure, and the second random information is configured in a secure virtual machine authentication report request, and a secure virtual machine authentication report is written in a subsequent procedure to confirm that the secure virtual machine authentication report in the subsequent procedure is generated based on the secure virtual machine authentication report request.
After the secure virtual machine generates the secure virtual machine authentication report request, the secure virtual machine may send the secure virtual machine authentication report request to a secure processor, where a secure virtual machine metric value obtained by a second trusted processing module (e.g., a CSV module) in the secure processor based on software and hardware information of the secure virtual machine, and generate a secure virtual machine authentication report corresponding to second random information in the secure virtual machine authentication report request. In a specific example, referring to fig. 4, the secure virtual machine authentication report may include a secure virtual machine metric value, second random information in a corresponding secure virtual machine authentication report request, and a secure virtual machine authentication signature. In a specific example, the secure virtual machine authentication report may further include other fields, where the other fields may be used to record version information of the secure virtual machine software and hardware (such as a version number of the secure virtual machine), and so on.
The secure virtual machine authentication signature may be generated by the second trusted processing module based on a secure virtual machine authentication private key (e.g., PEK private key, where PEK is Platform Endorsement Key, an SM2 key) by signing the secure virtual machine metric value and/or the second random information.
Accordingly, referring to fig. 4, the secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key may be recorded in the secure virtual machine authentication signature certificate. The secure virtual machine authentication signature certificate is based on a chip root key (such as CEK) authentication signature, namely, the secure virtual machine authentication public key is based on the chip root key authentication. Specifically, the secure virtual machine authentication signature certificate further records a secure virtual machine authentication public key signature in addition to the secure virtual machine authentication public key, and the secure virtual machine authentication public key signature is obtained by calculating the secure virtual machine authentication public key by using the chip root key private key.
The chip root key can be arranged in preset firmware of the host hardware, the chip root key corresponds to the host hardware to which the chip root key belongs one by one, and the preset firmware only allows the secure processor to access; correspondingly, the chip root key certificate records a chip root key public key corresponding to the chip root key, and when the verification of the secure virtual machine authentication signature certificate is performed, the verification of the secure virtual machine authentication signature certificate can be performed based on the information recorded by the chip root key certificate.
With continued reference to fig. 5, step S105 is executed, and the secure processor generates a secure virtual machine authentication report based on the secure virtual machine authentication report request;
Wherein the secure virtual machine authentication report is used to be provided as an object to be authenticated to an authenticator (i.e., the secure virtual machine in the present embodiment), so that the authenticator performs secure authentication based on the secure virtual machine authentication report.
The secure virtual machine authentication report is generated based on the secure virtual machine authentication report request. And when the security virtual machine authentication report request comprises second random information, the generated security virtual machine authentication report simultaneously records the second random information, and when a security virtual machine authentication signature is generated, the signature is carried out based on the security virtual machine metric value and/or the second random information.
Further, as described above, the secure virtual machine authentication signature is signed based on a secure virtual machine authentication private key (e.g., PEK private key), and the corresponding secure virtual machine authentication public key may be recorded in the secure virtual machine authentication signature certificate.
With continued reference to fig. 5, step S106 is executed, where the secure processor sends the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report;
After generating the secure virtual machine authentication report, the secure processor may send the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report to a verifier (i.e., the secure virtual machine in this embodiment) so that the verifier (i.e., the secure virtual machine in this embodiment) performs trusted verification based on the secure virtual machine authentication report and the secure virtual machine authentication signature certificate.
Correspondingly, the secure virtual machine can acquire the secure virtual machine authentication report and the secure virtual machine authentication signature certificate.
After obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the secure virtual machine further obtains a chip root key certificate to execute the verification process according to the embodiment of the invention based on the chip root key certificate.
With continued reference to fig. 2, step S110 is executed, where the secure virtual machine obtains a chip root key certificate corresponding to the chip root key;
The chip root key may be obtained from a secure processor or downloaded from a certificate server. Based on the hardware independence of the security processor and the high-level security level of the security processor, the chip root key certificate corresponding to the chip root key is obtained from the security processor, so that the credibility of the chip root key certificate can be guaranteed to the greatest extent.
The secure virtual machine may issue a chip root key certificate access request, and enable the secure processor to feed back a chip root key certificate to the secure virtual machine based on the chip root key certificate access request. Accordingly, the secure virtual machine may obtain the root key certificate.
In a further example, the secure processor may also send the chip root key certificate to the secure virtual machine based on a secure virtual machine authentication report request, while sending the secure virtual machine authentication report and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report to a verifier (i.e., the secure virtual machine in this embodiment). That is, the secure processor transmits the secure virtual machine authentication report, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, and a chip root key certificate to the secure virtual machine based on the secure virtual machine authentication report request.
Correspondingly, the secure virtual machine can acquire the secure virtual machine authentication report, the secure virtual machine authentication signature certificate and the chip root key certificate.
With continued reference to fig. 2, step S120 is performed, where the secure virtual machine verifies the host authentication report based on the host authentication signature certificate;
upon obtaining the host authentication report and a host authentication signature certificate corresponding to the host authentication report, the host authentication report may be verified based on the host authentication signature certificate.
Specifically, the host metric value in the host authentication report and/or the first random information in the corresponding host authentication report request may be calculated based on the host authentication public key in the host authentication signature certificate, so as to obtain a signature to be verified of the host, and compare whether the signature to be verified of the host is consistent with the host authentication signature, if so, the verification is passed, and if not, the verification is not passed.
The calculation basis of the signature to be verified of the host is the same as the calculation basis of the authentication signature of the host, namely, when the calculation basis of the authentication signature of the host is a host metric value, the calculation basis of the corresponding signature to be verified of the host is also the host metric value; when the calculation basis of the host authentication signature is the host measurement value and the first random information, the calculation basis of the corresponding host to-be-verified signature is also the host measurement value and the first random information.
In a further example, the verification process may further include verification of the first random information, that is, comparing whether the first random information in the host authentication report is consistent with the first random information of the host authentication report request generated by the secure virtual machine, if so, the verification is passed, and if not, the verification is not passed.
If the verification is passed, executing the next step, if the verification is not passed, reporting an error and exiting the verification process.
With continued reference to fig. 2, step S130 is performed, where the secure virtual machine verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate;
after the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report are obtained, the secure virtual machine authentication report may be verified based on the secure virtual machine authentication signature certificate.
Specifically, the secure virtual machine metric value in the secure virtual machine authentication report and/or the second random information in the corresponding secure virtual machine authentication report request may be calculated based on the secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, to obtain a secure virtual machine to-be-verified signature, and compare whether the secure virtual machine to-be-verified signature is consistent with the secure virtual machine authentication signature, if so, the verification is passed, and if not, the verification is not passed.
The calculation basis of the signature to be verified of the secure virtual machine is the same as the calculation basis of the authentication signature of the secure virtual machine, namely, when the calculation basis of the authentication signature of the secure virtual machine is the measurement value of the secure virtual machine, the calculation basis of the corresponding signature to be verified of the secure virtual machine is also the measurement value of the secure virtual machine; when the calculation basis of the authentication signature of the secure virtual machine is the secure virtual machine metric value and the second random information, the calculation basis of the signature to be verified of the corresponding secure virtual machine is also the secure virtual machine metric value and the second random information.
In a further example, the verification process may further include verification of the second random information, that is, comparing whether the second random information in the secure virtual machine authentication report is consistent with the second random information of the secure virtual machine authentication report request generated by the secure virtual machine, if so, the verification is passed, and if not, the verification is not passed.
If the verification is passed, executing the next step, if the verification is not passed, reporting an error and exiting the verification process.
In the embodiment of the present invention, the execution order of step S120 and step S130 is not fixed, step S120 may be performed first, step S130 and step S140 may be performed after the verification is passed, step S130 may be performed first, step S120 and step S140 may be performed after the verification is passed, or step S120 and step S130 may be performed simultaneously, and step S140 may be performed after the verification is passed in both step S120 and step S130.
With continued reference to fig. 2, step S140 is performed, where the secure virtual machine verifies the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate;
It may be appreciated that, in the normal flow, the host authentication signature certificate and the secure virtual machine authentication signature certificate are signed based on a chip root key authentication, and accordingly, based on the chip root key certificate, whether the host authentication signature certificate and the secure virtual machine authentication signature certificate are authentic may be verified.
Specifically, the process of verifying the host authentication signature certificate may include: and calculating the host authentication public key in the host authentication report based on the chip root key public key in the chip root key certificate to obtain a host authentication public key signature to be verified, determining whether the host authentication public key signature to be verified is consistent with the host authentication public key signature in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification.
Accordingly, the process of verifying the secure virtual machine authentication signature certificate may include: and calculating the security virtual machine authentication public key in the security virtual machine authentication report based on the chip root key public key in the chip root key certificate to obtain a security virtual machine authentication public key to-be-verified signature, determining whether the security virtual machine authentication public key to-be-verified signature is consistent with the security virtual machine authentication public key signature in the security virtual machine authentication signature certificate, if so, passing the verification, and if not, not passing the verification.
Obviously, when verification passes, the host authentication signature certificate is indicated to be signed based on the chip root key authentication adopted by the secure virtual machine, so that the host authentication signature certificate can be considered to be trusted, and correspondingly, the host authentication report passed by the host authentication signature certificate is trusted, so that the host is determined to be a trusted device, that is, the host is ensured to have no malicious code running therein, and the VMM code of the host is not tampered.
It should be noted that, in a further alternative example, the communication between the secure virtual machine and the secure processor may be implemented based on a communication link between the secure virtual machine and the secure processor, or the communication link between the secure virtual machine and the host may be used to perform transmission of part of host related information, and the communication link between the secure virtual machine and the secure processor may be used to perform transmission of part of secure virtual machine related information. It can be understood that the communication link between the secure virtual machine and the host machine and the communication link between the host machine and the secure processor are used for transmitting part of host related information, so that the host machine can acquire related information based on the authority of the host machine, and the authority logic in the system is prevented from being too complex, thereby generating security risks.
In a specific example, the communication link between the secure virtual machine and the secure processor is implemented based on a virtual machine manager VMM, that is, a secure virtual machine authentication report (CSV authentication report in this example) and a host authentication report (TPM authentication report in this example) are acquired by the virtual machine manager VMM (not shown in the figure), and referring to an alternative example of a host authentication method shown in fig. 6, in this example, the secure virtual machine is configured with a first application for executing a host authentication procedure, a PEK certificate is used as a secure virtual machine authentication signature certificate, a CEK certificate is used as a chip root key certificate, an AIK certificate is used as a host authentication signature certificate, and specifically, the host authentication procedure may include:
Step S201: the first application sends a CSV report request to a CSV module of the security processor and acquires a CSV report;
step S202: the method comprises the steps that a first application obtains a corresponding PEK certificate and a CEK certificate;
Step S203: the first application verifies the signature of the CSV report by using the public key of the PEK certificate, and verifies the measurement value in the CSV report at the same time to confirm whether the working state of the secure virtual machine is credible;
Step S204: the first application sends a TPM report request to a TPM module of the security processor and acquires a TPM report;
Step S205: the first application acquires a corresponding AIK certificate;
Step S206: the first application uses the public key of the AIK certificate to verify the signature of the TPM report, and simultaneously verifies the host measurement value in the TPM report to confirm whether the working state of the host is credible;
Step S207: the first application uses the CEK certificate to verify the signature of the PEK certificate and the AIK certificate, and confirms that the host and the secure virtual machine run on the same physical machine.
Wherein, step S202 and step S205 may each acquire a corresponding certificate from the virtual machine manager. It will be appreciated that the verification steps in the above steps all verify to pass, indicating that the host state is trusted, otherwise the host file may have been tampered with.
Specifically, referring to another system architecture schematic diagram of a secure virtual environment provided by the embodiment of the present invention shown in fig. 7, when a communication link between a secure virtual machine and a host and a communication link between the host and a secure processor are used to transmit part of host related information, the secure virtual machine may be configured with a first application for executing a host authentication procedure, the host may be configured with a second application corresponding to the first application, and communication between the first application and the second application may be performed based on a preset communication link (for example VSOCK or a network, where VSOCK is Virtual Machine Socket, i.e. a virtual machine interface), so that host related information is transmitted based on the first application and the second application. In a specific example, the second application may be configured in a host.
Specifically, the information transmission in step S101 and step S103 may be based on the forwarding of the information by the first application and the second application, that is, the host authentication report request in the secure virtual machine in step S101 is sent to the second application by the first application and sent to the secure processor by the second application, and step S103 the secure processor may send the host authentication report and the host authentication signature certificate corresponding to the host authentication report to the host and forward the host authentication signature certificate to the first application of the secure virtual machine by the second application of the host.
In a specific example, the communication link between the secure virtual machine and the secure processor is implemented based on a virtual machine manager VMM (not shown in the figure) and a host, that is, the secure virtual machine authentication report (CSV authentication report in this example) is obtained by the virtual machine manager VMM, and the host authentication report (TPM authentication report in this example) is obtained by the second application configured in the host, and referring to an alternative example of another host authentication method shown in fig. 8, in this example, the PEK certificate is still used as a secure virtual machine authentication signature certificate, the CEK certificate is used as a chip root key certificate, and the AIK certificate is used as a host authentication signature certificate, and in particular, the host authentication procedure may include:
Step S301: the first application establishes a connection with the second application;
Specifically, in step S301, a connection may be established through VSOCK or a network.
Step S302: the first application sends a TPM report request to the second application, and requests the second application to acquire a TPM authentication report from a TPM module of the security processor;
Step S303: the second application acquires a TPM authentication report and a corresponding AIK certificate;
step S304: the second application sends the TPM report and the AIK certificate to the first application;
Step S305: the first application uses the public key of the AIK certificate to verify the signature of the TPM report, and simultaneously verifies the PCR metric value in the TPM report to confirm whether the working state of the host is credible;
Step S306: the first application sends a CSV report request to a CSV module of the security processor and acquires a CSV report;
step S307: the method comprises the steps that a first application obtains a corresponding PEK certificate and a CEK certificate;
Step S308: the first application verifies the signature of the CSV report by using the public key of the PEK certificate, and verifies the measurement value in the CSV report at the same time to confirm whether the working state of the secure virtual machine is credible;
step S309: the first application uses the CEK certificate to verify the signature of the PEK certificate and the AIK certificate, and confirms that the host and the CSV virtual machine run on the same physical machine.
Step S303 may acquire a corresponding certificate from the host, and step S307 may acquire the PEK certificate and the CEK certificate from the virtual machine manager. It will be appreciated that the verification steps in the above steps all verify to pass, indicating that the host state is trusted, otherwise the host file may have been tampered with.
It can be seen that the host authentication method provided by the embodiment of the invention can realize host authentication at the secure virtual machine end, thereby avoiding the risk of non-trust of a third party in a trusted authentication process and guaranteeing data security.
The host authentication device provided by the embodiment of the present invention is described below, and the host authentication device described below may be considered as a software function module or a hardware function module that needs to be set to implement the host authentication method provided by the embodiment of the present invention; the contents of the data processing apparatus described below may be referred to in correspondence with the contents of the method and the contents of the hardware module described above.
In an optional implementation, fig. 9 shows an optional block diagram of a host authentication device provided by an embodiment of the present invention, where the host authentication device is configured to implement the host authentication method provided by the embodiment of the present invention, as shown in fig. 9, the host authentication device may include:
An authentication information obtaining module 400, configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; acquiring a chip root key certificate corresponding to the chip root key;
A verification module 410 for verifying the host authentication report based on the host authentication signature certificate; and validating the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; if the host authentication report and the security virtual machine authentication report pass verification, verifying the host authentication signature certificate and the security virtual machine authentication signature certificate based on the chip root key certificate; and if the verification is passed, the host is a trusted device.
Optionally, the host authentication report includes a host metric value, first random information, and a host authentication signature; the security virtual machine authentication report comprises a security virtual machine metric value, second random information and a security virtual machine authentication signature; the first random information and the second random information are generated by a secure virtual machine;
The host authentication signature is generated based on a host authentication private key signature, the host authentication signature certificate records a host authentication public key corresponding to the host authentication private key, and the host authentication public key is based on the chip root key authentication signature;
the secure virtual machine authentication signature is generated based on a secure virtual machine authentication private key signature, the secure virtual machine authentication signature certificate records a secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key, and the secure virtual machine authentication public key is based on the chip root key authentication signature.
Optionally, the authentication information obtaining module 400 is configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, where obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report specifically includes:
generating and sending a host authentication report request, wherein the host authentication report request comprises first random information;
After the security processor generates a host authentication report based on the host authentication report request, the host authentication report sent by the security processor and a host authentication signature certificate corresponding to the host authentication report are acquired.
Optionally, the authentication information obtaining module 400 is configured to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, where obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report specifically includes:
Generating and sending a security virtual machine authentication report request, wherein the security virtual machine authentication report request comprises second random information;
And after the security processor generates a security virtual machine authentication report based on the security virtual machine authentication report request, acquiring the security virtual machine authentication report sent by the security processor and a security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report.
Optionally, the step of obtaining, by the authentication information obtaining module 400, a chip root key certificate corresponding to the chip root key is performed simultaneously with the step of obtaining the security virtual machine authentication report and the security virtual machine authentication signature certificate corresponding to the security virtual machine authentication report, specifically:
And after the secure processor generates the secure virtual machine authentication report based on the secure virtual machine authentication report request, acquiring the secure virtual machine authentication report sent by the secure processor, a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report and a chip root key certificate.
Optionally, the verifying module 410 verifies the host authentication report based on the host authentication signature certificate, including:
Based on a host authentication public key in the host authentication signature certificate, calculating a host metric value and/or the first random information in the host authentication report to obtain a host to-be-verified signature;
Comparing whether the signature to be verified of the host is consistent with the authentication signature of the host, if so, passing the verification, and if not, not passing the verification.
Optionally, the verification module 410 verifies the host authentication report based on the host authentication signature certificate, further including:
And comparing whether the first random information in the host authentication report is consistent with the first random information generated by the secure virtual machine, if so, verifying to pass, and if not, verifying to fail.
Optionally, the verifying module 410 verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate, including:
Based on a secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, calculating a secure virtual machine metric value and/or the second random information in the secure virtual machine authentication report to obtain a secure virtual machine signature to be verified;
And comparing whether the signature to be verified of the secure virtual machine is consistent with the authentication signature of the secure virtual machine, if so, verifying to pass, and if not, verifying to pass.
Optionally, the verification module 410 verifies the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate, further including:
and comparing whether the second random information in the security virtual machine authentication report is consistent with the second random information generated by the security virtual machine, if so, passing the verification, and if not, not passing the verification.
Optionally, the verifying module 410 verifies the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate, including:
Calculating a host authentication public key in the host authentication report based on a chip root key public key in the chip root key certificate to obtain a signature to be verified of the host authentication public key; determining whether the signature to be verified of the host authentication public key is consistent with the signature of the host authentication public key in the host authentication signature certificate, if so, passing the verification, and if not, not passing the verification;
Based on the chip root key public key in the chip root key certificate, calculating the security virtual machine authentication public key in the security virtual machine authentication report to obtain a signature to be verified of the security virtual machine authentication public key; and determining whether the signature to be verified of the secure virtual machine authentication public key is consistent with the secure virtual machine authentication public key signature in the secure virtual machine authentication signature certificate, if so, verifying to pass, and if not, verifying to fail.
Optionally, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent by a security processor to the host system and forwarded by the host system second application to the first application of the secure virtual machine.
The embodiment of the invention also provides confidential computing equipment for realizing host authentication. As an alternative implementation, the confidential computing device may include: a secure virtual machine, a host system, and a secure processor; the security virtual machine is configured with the host authentication device provided by the embodiment of the invention.
In a further alternative implementation, referring to fig. 7, the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to a second application through a first application, and the second application is sent to a security processor; the host authentication report and a host authentication signature certificate corresponding to the host authentication report are sent to the host system by the security processor and forwarded by the host system second application to the first application of the secure virtual machine.
In an alternative implementation of host authentication, a more detailed description of the secure processor, host system, and secure virtual machine may be referred to the description of the corresponding portions above, and will not be repeated here.
The embodiment of the invention also provides a storage medium which can store one or more computer executable instructions, and when the one or more computer executable instructions are executed, the host authentication method provided by the embodiment of the invention can be realized.
The foregoing describes several embodiments of the present invention, and the various alternatives presented by the various embodiments may be combined, cross-referenced, with each other without conflict, extending beyond what is possible embodiments, all of which are considered to be embodiments of the present invention disclosed and disclosed.
Although the embodiments of the present invention are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention should be assessed accordingly to that of the appended claims.

Claims (15)

1.一种主机认证方法,其特征在于,应用于安全虚拟机,包括:1. A host authentication method, characterized in that it is applied to a secure virtual machine, comprising: 获取主机认证报告、安全虚拟机认证报告、与所述主机认证报告对应的主机认证签名证书,以及,与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书;其中,所述主机认证签名证书和所述安全虚拟机认证签名证书基于芯片根密钥认证签名;Obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; wherein the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; 获取所述芯片根密钥对应的芯片根密钥证书;Obtaining a chip root key certificate corresponding to the chip root key; 基于所述主机认证签名证书验证所述主机认证报告;Verifying the host authentication report based on the host authentication signature certificate; 基于所述安全虚拟机认证签名证书验证所述安全虚拟机认证报告;Verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; 若所述主机认证报告和所述安全虚拟机认证报告验签通过,则基于所述芯片根密钥证书验证所述主机认证签名证书和所述安全虚拟机认证签名证书;If the host authentication report and the secure virtual machine authentication report are verified, the host authentication signature certificate and the secure virtual machine authentication signature certificate are verified based on the chip root key certificate; 若验证通过,则所述主机为可信设备。If the verification is successful, the host is a trusted device. 2.根据权利要求1所述的方法,其特征在于,所述主机认证报告包括主机度量值、第一随机信息,以及,主机认证签名;所述安全虚拟机认证报告包括安全虚拟机度量值、第二随机信息,以及,安全虚拟机认证签名;所述第一随机信息和所述第二随机信息由安全虚拟机生成;2. The method according to claim 1, characterized in that the host authentication report includes a host measurement value, a first random information, and a host authentication signature; the secure virtual machine authentication report includes a secure virtual machine measurement value, a second random information, and a secure virtual machine authentication signature; the first random information and the second random information are generated by the secure virtual machine; 所述主机认证签名基于主机认证私钥签名生成,所述主机认证签名证书记录有与所述主机认证私钥相对应的主机认证公钥,且所述主机认证公钥基于所述芯片根密钥认证签名;The host authentication signature is generated based on the host authentication private key signature, the host authentication signature certificate records the host authentication public key corresponding to the host authentication private key, and the host authentication public key is based on the chip root key authentication signature; 所述安全虚拟机认证签名基于安全虚拟机认证私钥签名生成,所述安全虚拟机认证签名证书记录有与所述安全虚拟机认证私钥相对应的安全虚拟机认证公钥,且所述安全虚拟机认证公钥基于所述芯片根密钥认证签名。The secure virtual machine authentication signature is generated based on the secure virtual machine authentication private key signature, the secure virtual machine authentication signature certificate records the secure virtual machine authentication public key corresponding to the secure virtual machine authentication private key, and the secure virtual machine authentication public key is based on the chip root key authentication signature. 3.根据权利要求2所述的方法,其特征在于,所述获取主机认证报告、安全虚拟机认证报告、与所述主机认证报告对应的主机认证签名证书,以及,与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书的步骤中,获取主机认证报告和与所述主机认证报告对应的主机认证签名证书的流程包括:3. The method according to claim 2, characterized in that, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the host authentication report and the host authentication signature certificate corresponding to the host authentication report comprises: 生成并发出主机认证报告请求,所述主机认证报告请求中包括第一随机信息;Generate and issue a host authentication report request, wherein the host authentication report request includes first random information; 在安全处理器基于所述主机认证报告请求,生成主机认证报告后,获取所述安全处理器发送的主机认证报告和与所述主机认证报告对应的主机认证签名证书。After the security processor generates a host authentication report based on the host authentication report request, the host authentication report sent by the security processor and a host authentication signature certificate corresponding to the host authentication report are obtained. 4.根据权利要求2所述的方法,其特征在于,所述获取主机认证报告、安全虚拟机认证报告、与所述主机认证报告对应的主机认证签名证书,以及,与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书的步骤中,获取安全虚拟机认证报告和与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书的流程包括:4. The method according to claim 2, characterized in that, in the step of obtaining a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, the process of obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report comprises: 生成并发出安全虚拟机认证报告请求,所述安全虚拟机认证报告请求中包括第二随机信息;Generate and issue a secure virtual machine authentication report request, wherein the secure virtual machine authentication report request includes second random information; 在安全处理器基于所述安全虚拟机认证报告请求,生成安全虚拟机认证报告后,获取所述安全处理器发送的安全虚拟机认证报告和与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书。After the security processor generates a secure virtual machine authentication report based on the secure virtual machine authentication report request, the secure virtual machine authentication report sent by the security processor and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report are obtained. 5.根据权利要求4所述的方法,其特征在于,所述获取所述芯片根密钥对应的芯片根密钥证书的步骤,与,所述获取所述安全虚拟机认证报告和与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书的步骤同时执行,具体为:5. The method according to claim 4, characterized in that the step of obtaining the chip root key certificate corresponding to the chip root key is performed simultaneously with the step of obtaining the secure virtual machine authentication report and the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, specifically: 在安全处理器基于所述安全虚拟机认证报告请求,生成安全虚拟机认证报告后,获取所述安全处理器发送的安全虚拟机认证报告、与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书,和,芯片根密钥证书。After the security processor generates a secure virtual machine authentication report based on the secure virtual machine authentication report request, the secure virtual machine authentication report sent by the security processor, the secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report, and the chip root key certificate are obtained. 6.根据权利要求2所述的方法,其特征在于,所述基于所述主机认证签名证书验证所述主机认证报告,包括:6. The method according to claim 2, wherein the verifying the host authentication report based on the host authentication signature certificate comprises: 基于所述主机认证签名证书中的主机认证公钥,对所述主机认证报告中的主机度量值和/或所述第一随机信息进行计算,得到主机待验证签名;Based on the host authentication public key in the host authentication signature certificate, the host measurement value and/or the first random information in the host authentication report are calculated to obtain a host signature to be verified; 比对主机待验证签名与所述主机认证签名是否一致,若一致,则验证通过,若不一致,则验证不通过。The host signature to be verified is compared with the host authentication signature to see if they are consistent. If they are consistent, the verification is successful. If they are inconsistent, the verification fails. 7.根据权利要求6所述的方法,其特征在于,所述基于所述主机认证签名证书验证所述主机认证报告,还包括:7. The method according to claim 6, wherein the verifying the host authentication report based on the host authentication signature certificate further comprises: 比对主机认证报告中的第一随机信息与安全虚拟机生成的第一随机信息是否一致,若一致,则验证通过,若不一致,则验证不通过。The first random information in the host authentication report is compared with the first random information generated by the secure virtual machine to see if they are consistent. If they are consistent, the verification is successful; if they are inconsistent, the verification fails. 8.根据权利要求2所述的方法,其特征在于,所述基于所述安全虚拟机认证签名证书验证所述安全虚拟机认证报告,包括:8. The method according to claim 2, wherein the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate comprises: 基于所述安全虚拟机认证签名证书中的安全虚拟机认证公钥,对所述安全虚拟机认证报告中的安全虚拟机度量值和/或所述第二随机信息进行计算,得到安全虚拟机待验证签名;Based on the secure virtual machine authentication public key in the secure virtual machine authentication signature certificate, the secure virtual machine metric value and/or the second random information in the secure virtual machine authentication report are calculated to obtain a secure virtual machine signature to be verified; 比对安全虚拟机待验证签名与所述安全虚拟机认证签名是否一致,若一致,则验证通过,若不一致,则验证不通过。The security virtual machine signature to be verified is compared with the security virtual machine authentication signature to see if they are consistent. If they are consistent, the verification is successful; if they are inconsistent, the verification fails. 9.根据权利要求8所述的方法,其特征在于,所述基于所述安全虚拟机认证签名证书验证所述安全虚拟机认证报告,还包括:9. The method according to claim 8, wherein the verifying the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate further comprises: 比对安全虚拟机认证报告中的第二随机信息与安全虚拟机生成的第二随机信息是否一致,若一致,则验证通过,若不一致,则验证不通过。The second random information in the security virtual machine authentication report is compared with the second random information generated by the security virtual machine to see if they are consistent. If they are consistent, the verification is successful; if they are inconsistent, the verification fails. 10.根据权利要求2所述的方法,其特征在于,所述基于所述芯片根密钥证书验证所述主机认证签名证书和所述安全虚拟机认证签名证书,包括:10. The method according to claim 2, characterized in that the verifying the host authentication signature certificate and the secure virtual machine authentication signature certificate based on the chip root key certificate comprises: 基于所述芯片根密钥证书中的芯片根密钥公钥,对所述主机认证报告中的主机认证公钥进行计算,得到主机认证公钥待验证签名;确定所述主机认证公钥待验证签名与所述主机认证签名证书中的主机认证公钥签名是否一致,若一致,则验证通过,若不一致,则验证不通过;Based on the chip root key public key in the chip root key certificate, the host authentication public key in the host authentication report is calculated to obtain the host authentication public key signature to be verified; determine whether the host authentication public key signature to be verified is consistent with the host authentication public key signature in the host authentication signature certificate, if they are consistent, the verification is passed, if not, the verification is failed; 基于所述芯片根密钥证书中的芯片根密钥公钥,对所述安全虚拟机认证报告中的安全虚拟机认证公钥进行计算,得到安全虚拟机认证公钥待验证签名;确定安全虚拟机认证公钥待验证签名与所述安全虚拟机认证签名证书中的安全虚拟机认证公钥签名是否一致,若一致,则验证通过,若不一致,则验证不通过。Based on the chip root key public key in the chip root key certificate, the secure virtual machine authentication public key in the secure virtual machine authentication report is calculated to obtain the secure virtual machine authentication public key signature to be verified; determine whether the secure virtual machine authentication public key signature to be verified is consistent with the secure virtual machine authentication public key signature in the secure virtual machine authentication signature certificate, if they are consistent, the verification passes, if not, the verification fails. 11.根据权利要求3所述的方法,其特征在于,所述安全虚拟机配置有第一应用,主机系统配置有与所述第一应用对应的第二应用,所述第一应用与所述第二应用基于预设通信链路通信;所述主机认证报告请求经第一应用发送至第二应用,并由第二应用发送至安全处理器;所述主机认证报告和与所述主机认证报告对应的主机认证签名证书由安全处理器发送至所述主机系统,并由所述主机系统第二应用转发至安全虚拟机的第一应用。11. The method according to claim 3 is characterized in that the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to the second application via the first application, and is sent to the security processor by the second application; the host authentication report and the host authentication signature certificate corresponding to the host authentication report are sent to the host system by the security processor, and are forwarded to the first application of the secure virtual machine by the second application of the host system. 12.一种主机认证装置,其特征在于,包括:12. A host authentication device, comprising: 认证信息获取模块,用于获取主机认证报告、安全虚拟机认证报告、与所述主机认证报告对应的主机认证签名证书,以及,与所述安全虚拟机认证报告对应的安全虚拟机认证签名证书;其中,所述主机认证签名证书和所述安全虚拟机认证签名证书基于芯片根密钥认证签名;以及,获取所述芯片根密钥对应的芯片根密钥证书;An authentication information acquisition module is used to obtain a host authentication report, a secure virtual machine authentication report, a host authentication signature certificate corresponding to the host authentication report, and a secure virtual machine authentication signature certificate corresponding to the secure virtual machine authentication report; wherein the host authentication signature certificate and the secure virtual machine authentication signature certificate are based on a chip root key authentication signature; and obtaining a chip root key certificate corresponding to the chip root key; 验证模块,用于基于所述主机认证签名证书验证所述主机认证报告;以及,基于所述安全虚拟机认证签名证书验证所述安全虚拟机认证报告;其中,若所述主机认证报告和所述安全虚拟机认证报告验签通过,则基于所述芯片根密钥证书验证所述主机认证签名证书和所述安全虚拟机认证签名证书;若验证通过,则所述主机为可信设备。A verification module is used to verify the host authentication report based on the host authentication signature certificate; and to verify the secure virtual machine authentication report based on the secure virtual machine authentication signature certificate; wherein, if the host authentication report and the secure virtual machine authentication report are verified, the host authentication signature certificate and the secure virtual machine authentication signature certificate are verified based on the chip root key certificate; if the verification is successful, the host is a trusted device. 13.一种机密计算设备,其特征在于,包括:安全虚拟机、主机系统、以及安全处理器;其中,所述安全虚拟机配置有权利要求12所述的主机认证装置。13. A confidential computing device, comprising: a secure virtual machine, a host system, and a secure processor; wherein the secure virtual machine is configured with the host authentication device described in claim 12. 14.根据权利要求13所述的机密计算设备,其特征在于,所述安全虚拟机配置有第一应用,所述主机系统配置有与所述第一应用对应的第二应用,所述第一应用与所述第二应用基于预设通信链路通信;主机认证报告请求经第一应用发送至第二应用,并由第二应用发送至安全处理器;主机认证报告和与所述主机认证报告对应的主机认证签名证书由安全处理器发送至所述主机系统,并由所述主机系统的第二应用转发至安全虚拟机的第一应用。14. The confidential computing device according to claim 13 is characterized in that the secure virtual machine is configured with a first application, the host system is configured with a second application corresponding to the first application, and the first application and the second application communicate based on a preset communication link; the host authentication report request is sent to the second application via the first application, and is sent to the security processor by the second application; the host authentication report and the host authentication signature certificate corresponding to the host authentication report are sent to the host system by the security processor, and are forwarded to the first application of the secure virtual machine by the second application of the host system. 15.一种存储介质,其特征在于,所述存储介质存储有一条或多条计算机可执行指令,所述一条或多条计算机可执行指令被执行时,实现如权利要求1-11任一项所述的主机认证方法。15. A storage medium, characterized in that the storage medium stores one or more computer executable instructions, and when the one or more computer executable instructions are executed, the host authentication method according to any one of claims 1 to 11 is implemented.
CN202410489478.9A 2024-04-22 2024-04-22 Host authentication method, host authentication device and related equipment Pending CN118312946A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410489478.9A CN118312946A (en) 2024-04-22 2024-04-22 Host authentication method, host authentication device and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410489478.9A CN118312946A (en) 2024-04-22 2024-04-22 Host authentication method, host authentication device and related equipment

Publications (1)

Publication Number Publication Date
CN118312946A true CN118312946A (en) 2024-07-09

Family

ID=91728890

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410489478.9A Pending CN118312946A (en) 2024-04-22 2024-04-22 Host authentication method, host authentication device and related equipment

Country Status (1)

Country Link
CN (1) CN118312946A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119128933A (en) * 2024-08-21 2024-12-13 上海浦东发展银行股份有限公司 Secure communication method, device and computer equipment based on trusted execution environment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119128933A (en) * 2024-08-21 2024-12-13 上海浦东发展银行股份有限公司 Secure communication method, device and computer equipment based on trusted execution environment

Similar Documents

Publication Publication Date Title
US10885197B2 (en) Merging multiple compute nodes with trusted platform modules utilizing authentication protocol with active trusted platform module provisioning
US9497210B2 (en) Stateless attestation system
JP4855679B2 (en) Encapsulation of reliable platform module functions by TCPA inside server management coprocessor subsystem
US9288155B2 (en) Computer system and virtual computer management method
JP6463269B2 (en) Method, system, and computer program product for determining the geographical location of a virtual disk image running on a data center server in a data center
US11206141B2 (en) Merging multiple compute nodes with trusted platform modules utilizing provisioned node certificates
CN107409128B (en) Techniques for secure server access using a trusted license proxy
JP5802337B2 (en) Out-of-band remote authentication
CN113302893B (en) Method and device for trust verification
US9230129B1 (en) Software trusted computing base
US9055052B2 (en) Method and system for improving storage security in a cloud computing environment
CN102947795B (en) The system and method that secure cloud calculates
CN116566613A (en) Securing communications with a secure processor using platform keys
CN105164633A (en) Configuration and verification by trusted provider
CN113906424B (en) Apparatus and method for disk authentication
US11604880B2 (en) Systems and methods to cryptographically verify information handling system configuration
CN118260774B (en) Server startup method and device, storage medium and electronic device
CN116680687A (en) Data processing method, device, device and storage medium
CN118312946A (en) Host authentication method, host authentication device and related equipment
EP3930282A1 (en) System, apparatus and method for remotely authenticating peripheral devices
CN113132330B (en) Method, device, attestation server and readable storage medium for trusted state attestation
CN115549948A (en) A decentralized trust chain authentication method, system and medium based on trusted computing
US20250238252A1 (en) Mutual authentication between workloads and a host memory buffer for confidential and secure memory management systems
US20240333513A1 (en) Systems and Methods for Demonstrating Identity to a Trusted Platform Module
CN115618362A (en) A computer system, access control method and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination