New extension method of trusted certificate chain in virtual platform environment (cited by: 3)

Authors: TAN Liang [1,2], QI Neng, HU Lingbi (College of Computer Science, Sichuan Normal University, Chengdu 610101, China; Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China)

Affiliations: [1] College of Computer Science, Sichuan Normal University, Chengdu, Sichuan 610101, China; [2] Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China

Source: Journal on Communications (通信学报), 2018, No. 6, pp. 133-145 (13 pages)

Funding: National Natural Science Foundation of China (No. 61373162); Science and Technology Foundation of Sichuan Province (No. 2014GZ0007); Foundation of the Sichuan Provincial Key Laboratory of Visual Computing and Virtual Reality (No. KJ201402)

Abstract: When trusted computing technology is used to build a trusted virtual platform environment, how to reasonably extend the certificate trust of the underlying physical trusted platform module (TPM) into the virtual machine environment is a problem that deserves attention. Existing certificate trust extension schemes are all imperfect: some violate the TCG specifications, some produce inconsistent TPM and vTPM certificate results, some add key redundancy or place a performance burden on the Privacy CA, and some cannot extend certificate trust at all. Therefore, a new trusted certificate chain extension method is proposed. First, a new class of certificate, VMEK (virtual machine extension key), is added to the TPM together with a management mechanism for it; the main feature of this certificate is that its key is non-migratable and can sign and encrypt data both inside and outside the TPM. Second, the VMEK certificate is used to sign the vTPM's vEK, building a certificate trust relationship between the underlying TPM and the virtual machine's vTPM and thereby extending the trusted certificate chain into the virtual machine. Finally, the VMEK certificate, its management mechanism, and VMEK-based certificate trust extension are implemented in Xen. Experimental results show that the proposed scheme can effectively realize remote attestation of the virtual platform.

Keywords: trusted computing; virtual platform; trusted platform module; vTPM; certificate chain extension

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]

 
