CN110647740B - Container trusted starting method and device based on TPM - Google Patents
- Publication number: CN110647740B (application CN201810681800.2A)
- Authority: CN (China)
- Prior art keywords: container, tpm, trusted, mirror image, virtual
- Prior art date: 2018-06-27
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application belongs to the technical field of network and information security and relates to a TPM-based trusted boot method and device for containers. The device consists of a physical TPM, an image digest library, a vTPM platform and a virtual TPM. The physical TPM serves as the root of trust; the image digest library stores the digest of each image layer of the container in an improved Merkle trust tree structure; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trusted verification for the application programs in the container. Trusted boot of the container is achieved by verifying the image with the physical TPM, and the applications inside the container are kept trusted through the virtual TPM. The application has good compatibility and suits various container implementations; its availability is high, because the specific faulty image layer can be located, container boot is fault tolerant, and the method adapts to rapidly changing containers; its extensibility is good, because the virtual TPM inside the container is used exactly like the physical device, so all kinds of application programs in all kinds of containers can be verified and the trustworthiness of the application layer is ensured.
Description
Technical Field
The application belongs to the technical field of network and information security and relates to a TPM-based trusted boot method and device for containers.
Background
According to industry data, container technology is the next hot technology after big data and cloud computing. As the microservice architecture becomes the mainstream way of developing application systems, interest in containers as the cornerstone of that architecture keeps growing. The prior art discloses that a container creates a relatively independent running environment on a host, but unlike a virtual machine it does not need to install its own operating system: a container layer is installed directly on the host system, and the host kernel is used to realize a lightweight virtual environment.
It is also known that, to save resources and speed up startup, containers use a layered image structure: when a container starts, a new writable layer is loaded on top of the images, and each image is stored only once and shared by all containers. Consequently, if a bottom-layer image is tampered with, every container created from that image is affected. Moreover, because of file-namespace isolation, applications inside containers cannot access and use root-of-trust devices of the host such as a TPM (Trusted Platform Module) or a TCM (Trusted Cryptography Module), so the trusted-computing support functions of the TPM or TCM cannot be used directly.
To provide trusted-computing support for Docker, Wuhan University proposed a Docker-based security reinforcement method for trusted containers, in which images are measured by computing a hash value over each image, concatenating the hash values and hashing the result again; the final result is encrypted by the TPM and stored in a file. The method also monitors the processes in the container with a host whitelist and forcibly blocks the container from invoking processes outside the whitelist. This limits the extensibility of container functions, cannot accommodate different kinds of customized containers, and has difficulty meeting the requirements of large-scale container clusters whose conditions are complex and changeable.
To guarantee the trustworthiness of both the container image layers and the container layer, the inventors of the present application propose a method for verifying the trusted boot of a container using a physical trusted module. The application ensures that the process of producing the container is trustworthy and provides trusted authentication for the applications running in the container.
Disclosure of Invention
The application aims to overcome the defects of the prior art by providing a method for verifying the trusted boot of a container with a physical trusted module, specifically a TPM-based container trusted boot method and device.
The method for verifying the trusted boot of a container using a physical trusted module comprises a physical TPM, an image digest library, a vTPM platform and a virtual TPM. The physical TPM serves as the root of trust; the image digest library stores the digest of each image layer of the container in an improved Merkle trust tree structure; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trusted verification for the applications in the container. Trusted boot of the container is achieved by verifying the image with the physical TPM, and the applications in the container are kept trusted through the virtual TPM.
Compared with the traditional container architecture, the TPM-based container trusted boot method adds a TPM-authenticated image digest file at the operating-system layer, against which trusted measurement of the container image is performed; a vTPM (virtual TPM) platform is added to the container engine, which establishes a connection with the physical TPM and maps it into several virtual TPM devices for the containers. No software in the container layer therefore needs to be modified: when the container starts, it only has to mount the virtual TPM device that the vTPM platform set up for it.
The container architecture hierarchy of the present application is shown in Figure 1.
The container boot process of the present application comprises the following steps (as shown in Figure 2):
First, after the user has performed a TPM trusted boot of the host operating system, a container start request is initiated;
Second, the container image is measured with the TPM device; if the image is trusted, the container is allowed to start, otherwise an alarm is raised and the user is prompted to act according to the type of error. The specific image measurement process is set out below.
Third, the container starts normally, and the corresponding virtual TPM device from the vTPM platform is mounted into its system;
Fourth, the virtual TPM device inside the container performs trusted measurement on the application in the container, and the trusted application is started. The specific procedures for vTPM mounting and measurement are set out below.
Fifth, the application in the container starts and provides services to the outside. The entire container trusted boot process is then complete.
In the application, an important step of the image measurement process is verifying the image digest. When computing the image digest, an improved Merkle trust tree method is used to improve fault tolerance. For each container, the read-only image part is computed first: a digest is computed for each image layer (any digest method such as SHA or CRC may be used), and these per-layer digests are then combined to compute the digest of the read-only part. Because the read-write image at the top of the container changes frequently, it is placed at a higher level of the tree; each time it is modified, or when the TPM performs system authentication, the total digest is recomputed and the TPM is notified to update the value of the corresponding PCR (Platform Configuration Register). The values of the total digest and of the read-only digest are saved in the PCR.
In the application, the way the image digest is obtained is shown in Figure 3.
In the application, as shown in Figure 4, once image measurement starts, the relevant digest value is read from the PCR of the TPM device and compared with the locally computed value. If the two are the same, the trust status of the read-only image and of the read-write image is judged further. If the read-only image is damaged, the damaged image layer is located by querying the Merkle tree structure layer by layer and comparing against the public or private repository the image came from, and that part of the image is updated. If the read-write layer is damaged, a trusted backup present on the host system is sought for repair, or that part of the data is discarded.
In the application, the trusted boot process for applications inside a container is shown in Figure 5. While the container starts, the vTPM platform generates a corresponding virtual TPM that is provided to that container only. In this step the corresponding device files are generated, the mapping between virtual PCRs and physical PCRs is completed, and the files are mounted under the container's /dev folder, so that the container regards it as a real TPM device. This TPM device acquires key information about the state of the current system, computes digests of the key system files and stores them in the virtual PCRs. The container itself decides which applications require trusted authentication; the digest information of those applications is recorded, and an application is started only if the comparison performed before startup matches the record.
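The improved Merkle digest and the measurement flow of Figure 4 described above (the same flow that embodiment 1 below applies to a Docker image), as an added Python example that is not code from the patent: it assumes SHA-256 as the digest method, models the PCR as a simulated extend-only register (new = SHA-256(old || value)) rather than a real TPM, and stands image layers in as constructed byte strings; all function names are hypothetical.

```python
import hashlib
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Bottom-up Merkle tree over per-layer digests. levels[0] holds the
    leaves and levels[-1] the single root, i.e. the read-only digest.
    An unpaired node at any level is hashed with itself."""
    if not leaves:
        raise ValueError("an image needs at least one read-only layer")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([sha256(cur[i] + cur[min(i + 1, len(cur) - 1)])
                       for i in range(0, len(cur), 2)])
    return levels


def measure_image(ro_layers: List[bytes], rw_layer: bytes
                  ) -> Tuple[List[List[bytes]], bytes, bytes, bytes]:
    """Returns (tree levels, read-only digest, read-write digest, total digest).
    The read-write layer sits one level above the read-only root, so its
    frequent changes never force the read-only tree to be recomputed."""
    levels = merkle_levels([sha256(layer) for layer in ro_layers])
    ro_digest = levels[-1][0]
    rw_digest = sha256(rw_layer)
    return levels, ro_digest, rw_digest, sha256(ro_digest + rw_digest)


# Simulated PCR (assumption): a TPM register can only be extended, never
# written directly, so the reference value is extend(initial, digest).
PCR_INITIAL = bytes(32)


def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    return sha256(pcr + value)


def locate_damaged_layers(ref_levels: List[List[bytes]],
                          cur_levels: List[List[bytes]]) -> List[int]:
    """Top-down walk from the root: only subtrees whose node digest differs
    are descended into, so untouched layers are never re-examined.
    Returns the indices of read-only layers that no longer match."""
    if [len(l) for l in ref_levels] != [len(l) for l in cur_levels]:
        raise ValueError("layer count differs from the reference tree")
    if ref_levels[-1][0] == cur_levels[-1][0]:
        return []
    suspects = [0]
    for depth in range(len(ref_levels) - 1, 0, -1):
        ref_below, cur_below = ref_levels[depth - 1], cur_levels[depth - 1]
        suspects = [c for idx in suspects for c in (2 * idx, 2 * idx + 1)
                    if c < len(ref_below) and ref_below[c] != cur_below[c]]
    return suspects


def check_container_boot(pcr_total: bytes, pcr_ro: bytes,
                         ref_levels: List[List[bytes]],
                         ro_layers: List[bytes], rw_layer: bytes
                         ) -> Tuple[str, List[int]]:
    """Measurement at container start as Figure 4 describes it: recompute the
    digests locally, compare with the PCR values, and on a mismatch attribute
    it to the read-only tree (locating the layers to refetch from the
    repository) or to the read-write layer (restore a backup or discard)."""
    levels, ro_digest, _rw_digest, total = measure_image(ro_layers, rw_layer)
    if pcr_extend(PCR_INITIAL, total) == pcr_total:
        return "trusted", []
    if pcr_extend(PCR_INITIAL, ro_digest) != pcr_ro:
        return "read-only damaged", locate_damaged_layers(ref_levels, levels)
    return "read-write damaged", []


if __name__ == "__main__":
    # Constructed sample: five read-only layers plus one writable layer.
    ro = [b"base-os-layer", b"runtime-layer", b"apache-layer",
          b"config-layer", b"entrypoint-layer"]
    rw = b"writable-layer-v1"
    ref_levels, ro_digest, _, total = measure_image(ro, rw)
    pcr_total = pcr_extend(PCR_INITIAL, total)   # recorded at reference time
    pcr_ro = pcr_extend(PCR_INITIAL, ro_digest)
    print(check_container_boot(pcr_total, pcr_ro, ref_levels, ro, rw))
    tampered = list(ro)
    tampered[2] = b"apache-layer-modified"
    print(check_container_boot(pcr_total, pcr_ro, ref_levels, tampered, rw))
    print(check_container_boot(pcr_total, pcr_ro, ref_levels, ro,
                               b"writable-layer-v2"))
```

The three calls in the demo return "trusted", "read-only damaged" with layer index 2, and "read-write damaged" respectively; a changed read-write layer does not disturb the read-only tree at all.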
The method of the application has the following advantages:
The patent provides a trusted boot tool for containers that can authenticate the images of all layers of the container and authenticate the applications in the container through a virtual TPM device, thereby providing a scheme for trusted boot of the container and trusted boot of the applications in it. Its advantages include:
1. Good compatibility
The application is applicable to various container implementations: any container conforming to the OCI (Open Container Initiative) standard, including Docker and rkt, can be used, and various container orchestration engines, including Kubernetes, Docker Swarm and Mesos, can be used with it;
2. High availability
The application uses the improved Merkle trust tree method, which can locate the specific image layer that is in error; even if part of the image is tampered with, the container can still start as long as the part it depends on is trusted, and because the read-only and read-write images are digested separately, the application adapts to rapidly changing containers;
3. Good extensibility
Each container has a virtual TPM device inside it, handed to the container for its use; from within the container the virtual TPM device is indistinguishable from a real physical TPM, and it can verify all kinds of application programs in all kinds of containers, so the trustworthiness of the application layer is ensured.
In the present application, the terms are as described in the following table 1:
TABLE 1
Drawings
FIG. 1 is a schematic diagram of the container architecture hierarchy of the present application.
FIG. 2 is a schematic diagram of the container boot process of the present application.
FIG. 3 is a schematic diagram of how the image digest is obtained in the present application.
FIG. 4 is a schematic diagram of the process for measuring a container image in the present application.
FIG. 5 is a schematic flow chart of trusted boot of an application within a container in the present application.
FIG. 6 is a schematic diagram of the operation flow of embodiment 1 of the present application.
The specific embodiments are as follows:
Embodiment 1
The implementation is described using the example of trusted boot of a Docker container providing the Apache HTTP service, as shown in Figure 6.
First, the host operating system is booted in a trusted manner. When the user initiates a request to start Docker to provide the HTTP service, the Docker start step assumes the user has started Docker before; otherwise the vTPM platform intervenes and mounts a virtual TPM into the container;
Second, the image measurement module intervenes to audit whether each layer of the image has been tampered with; if so, the corresponding read-only or read-write countermeasure is used to repair the image: the damaged image layer is first determined by hierarchical digest comparison, and that layer is then fetched again from the cluster's image repository; an error in the read-write image can be repaired by restoring a trusted backup, and if no backup exists the read-write layer is discarded and the user is informed beforehand;
Third, if the image is trusted, Docker is started, initialization completes and the virtual TPM device is loaded. If the image is not trusted, an alarm is raised and the start of Docker is refused;
Fourth, if trusted auditing of Apache was configured earlier, the virtual TPM device is used to measure the Apache application to confirm whether it is trusted; otherwise the required application is configured for trusted auditing according to the user's needs.
Fifth, if the application is trusted, the Apache application is started inside Docker; otherwise the process exits and an alarm is given to the user. During use, if the read-write layer is modified, the PCR value can be updated with the new read-write layer hash value by invoking the bind command of the virtual TPM.
Embodiment 2
Building on embodiment 1, the TPM device of this embodiment is replaced by a TCM (Trusted Cryptography Module) device; the cryptographic algorithms of the two differ, but the principle is similar;
the Docker of this embodiment is replaced with another container runtime, such as CoreOS's rkt;
Apache in this embodiment may be replaced with any other application.
Because the method is a back-end technique and all analysis and processing is completed in the background, it cannot be determined exactly whether another party infringes. If a virtual TPM device is found in another party's container system, infringement may be suspected.
Claims (3)
1. A TPM-based container trusted boot method, characterized in that it is a method for verifying the trusted boot of a container using a physical trusted module, wherein the container consists of a physical TPM (trusted platform module), an image digest library, a vTPM (virtual TPM) platform and a virtual TPM, and the method comprises the following: the physical TPM is used as the root of trust; the image digest library stores the digest of each image layer of the container in an improved Merkle trust tree structure; the vTPM platform is embedded in the container engine and provides a virtual TPM when the container is first started; the virtual TPM provides trusted verification for the application programs in the container; trusted boot of the container is achieved by verifying the image with the physical TPM, and the applications in the container are kept trusted through the virtual TPM;
the process of starting the container comprises the following steps:
first, after the user has performed a TPM trusted boot of the host operating system, a container start request is initiated;
second, the container image is measured with the TPM device; if the image is trusted, the container is allowed to start, otherwise an alarm is raised and the user is prompted to act according to the type of error;
third, the container starts normally, and the corresponding virtual TPM device from the vTPM platform is mounted into its system;
fourth, the virtual TPM device inside the container performs trusted measurement on the application in the container, and the trusted application is started;
fifth, the application in the container starts and provides services to the outside;
in the method, an improved Merkle trust tree method is used when computing the image digests, so that fault tolerance is improved, wherein for each container the read-only image part is computed first, the images are digested in pairs, and the resulting digests are combined to compute the digest of the read-only part; the higher level is recomputed each time it is modified or at intervals, the total digest is computed, and after system authentication the TPM is informed to update the corresponding value of the PCR (platform configuration register); the values of the total digest and of the read-only digest are stored in the PCR;
the process of measuring the container image in the method comprises: once image measurement starts, the relevant digest value is read from the PCR of the TPM device and compared with the locally computed value; if the two are the same, the trustworthiness of the read-only image and of the read-write image is judged further; if the read-only image is damaged, the damaged image layer is located by querying the Merkle tree structure layer by layer and comparing against the public or private repository the image came from, and that part of the image is updated; and if the read-write layer is damaged, a trusted backup present on the host system is sought for repair, or the read-write layer data is discarded.
2. The TPM-based container trusted boot method according to claim 1, wherein a TPM-authenticated image digest file is added at the operating-system layer, against which trusted measurement of the container image is performed; a vTPM (virtual TPM) platform is added in the container engine, which establishes a connection with the physical TPM and maps it into several virtual TPM devices for the containers; no software in the container layer needs to be modified, and only the virtual TPM device set up for it by the vTPM platform needs to be mounted when the container starts.
3. The TPM-based container trusted boot method according to claim 1, wherein the trusted boot process for an application inside the container comprises: when the container starts, the vTPM platform generates a corresponding virtual TPM that is provided to that container only; in this step the corresponding device files are generated, the mapping between virtual PCRs and physical PCRs is completed, and the files are mounted under the container's /dev folder, so that the container regards it as a real TPM device; the TPM device acquires key information about the state of the current system, computes digests of the key system files and stores them in the virtual PCRs; the container itself decides which applications require trusted authentication, the digest information of those applications is recorded and compared before startup, and an application is started only if it matches the record.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810681800.2A CN110647740B (en) | 2018-06-27 | 2018-06-27 | Container trusted starting method and device based on TPM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110647740A CN110647740A (en) | 2020-01-03 |
CN110647740B true CN110647740B (en) | 2023-12-05 |
Family
ID=68988833
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810681800.2A Active CN110647740B (en) | 2018-06-27 | 2018-06-27 | Container trusted starting method and device based on TPM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110647740B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113032736A (en) * | 2021-03-05 | 2021-06-25 | 海能达通信股份有限公司 | Encryption and decryption method of Docker layered mirror image and related device |
CN113391880B (en) * | 2021-06-21 | 2023-04-07 | 超越科技股份有限公司 | Trusted mirror image transmission method for layered double hash verification |
CN114372283A (en) * | 2021-09-15 | 2022-04-19 | 统信软件技术有限公司 | Method and device for realizing trusted reference library and computing equipment |
CN113791786B (en) * | 2021-09-23 | 2024-01-19 | 安然 | APP page control automation method and device based on IOS system |
CN114048485B (en) * | 2021-11-12 | 2023-04-07 | 四川大学 | Dynamic monitoring method for integrity of process code segment in Docker container |
CN114780168B (en) * | 2022-03-30 | 2023-04-28 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
CN115314495A (en) * | 2022-08-08 | 2022-11-08 | 国网智能电网研究院有限公司 | Container reinforcement system and reinforcement method for 5G edge computing node |
CN117971347B (en) * | 2024-03-28 | 2024-06-11 | 中国人民解放军国防科技大学 | TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101539973A (en) * | 2009-04-28 | 2009-09-23 | 北京交通大学 | Method of seamless operation of integrity measurement technology in trusted virtual domain |
WO2011149329A1 (en) * | 2010-05-26 | 2011-12-01 | Mimos Berhad | Method of providing trusted application services |
CN102722665A (en) * | 2012-05-22 | 2012-10-10 | 中国科学院计算技术研究所 | Method and system for generating trusted program list based on trusted platform module (TPM)/virtual trusted platform module (VTPM) |
CN103747036A (en) * | 2013-12-23 | 2014-04-23 | 中国航天科工集团第二研究院七〇六所 | Trusted security enhancement method in desktop virtualization environment |
CN104715183A (en) * | 2013-12-13 | 2015-06-17 | ***通信集团公司 | Trusted verifying method and equipment used in running process of virtual machine |
CN105069353A (en) * | 2015-08-11 | 2015-11-18 | 武汉大学 | Security reinforcement method for credible container based on Docker |
CN105956465A (en) * | 2016-05-04 | 2016-09-21 | 浪潮电子信息产业股份有限公司 | Method for constructing virtual trusted platform based on VTPM |
CN106354550A (en) * | 2016-11-01 | 2017-01-25 | 广东浪潮大数据研究有限公司 | Method, device and system for protecting security of virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||