摘要
针对当前基于内核的虚拟机(Kernel-based Virtual Machine,KVM)平台下的开源组件虚拟化仿真软件(Quick Emulator,QEMU)中的虚拟可信平台模块(virtual Trusted Platform Module,vTPM)热迁移的实现缺少安全性考虑的问题,提出了一种新的安全的v TPM虚拟机热迁移协议和实际的实现方法。首先,设计了一种基于物理可信平台模块(physical Trusted Platform Module,pTPM)的vTPM虚拟证书链扩展方法,避免了vTPM迁移后的密钥再生。其次,利用这种密钥结构构建了一套私有云场景下的安全的v TPM热迁移协议,有效减轻了在v TPM迁移阶段遭受的拒绝服务攻击。此外,所提协议中的双向远程可信证明方法和vTPM迁移数据过程中的安全防护都基于pTPM实现,能为vTPM热迁移提供基于硬件的信任根的安全强度。
A new secure vTPM virtual machine live migration protocol and a practical implementation method are proposed to address the lack of security considerations in the implementation of vTPM(virtual trusted platform Module)live migration in the open source component QEMU under the current KVM(Kernel-based Virtual Machine)platform.First,a vTPM virtual certificate chain extension method based on pTPM(physical Trusted Platform Module)is designed to avoid key regeneration after vTPM migration.Then,this key structure is used to build a secure vTPM live migration protocol for private cloud scenarios,which effectively reduces denial-of-service attacks during the vTPM migration phase.In addition,the bidirectional remote trusted proof method in the proposed protocol and the security protection during the vTPM data migration process are all implemented based on pTPM,which can provide hardware based trust root security strength for vTPM live migration.
作者
潘利华
兰清程
李雪兵
石元兵
张舒黎
任玉霞
PAN Lihua;LAN Qingcheng;LI Xuebing;SHI Yuanbing;ZHANG Shuli;REN Yuxia(CETC Cyberspace Security Technology Co.,Ltd.,Chengdu Sichuan 610065,China;Trusted Cloud Computing and Big Data Key Laboratory of Sichuan Province,Chengdu Sichuan 610065,China)
出处
《通信技术》
2023年第11期1324-1333,共10页
Communications Technology
基金
可信云计算与大数据四川省重点实验室开放课题项目。
