基于可信平台控制模块的可信虚拟执行环境构建方法  被引量：6

作　　者：王晓 张建标 曾志强 WANG Xiao;ZHANG Jianbiao;ZENG Zhiqiang(Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China;Beijing Key Laboratory of Trusted Computing, Beijing 100124, China;Science and Technology on Information Assurance Laboratory, Beijing 100124, China)

机构地区：[1]北京工业大学信息学部,北京100124 [2]可信计算北京市重点实验室,北京100124 [3]信息保障技术重点实验室,北京100124

出　　处：《北京工业大学学报》2019年第6期554-565,共12页Journal of Beijing University of Technology

基　　金：信息保障技术重点实验室开放基金资助项目(KJ-17-004);国防科技实验信息安全实验室对外开放项目(2015XXAQ08)

摘　　要：针对云计算环境中单个计算节点可信性问题以及虚拟机迁移过程中多个节点间信任关系保持问题,基于我国可信计算技术的可信平台控制模块(trusted platform control module,TPCM)提出了一种可信虚拟执行环境构建方法.该方法通过将国产可信根TPCM虚拟化为云中的每个虚拟机生成了虚拟可信根,并将云信任链从物理层传递到虚拟层,实现了单个计算节点可信执行环境的构造;针对云虚拟机的动态迁移特性,基于多级认证中心设计了适合虚拟可信根迁移的证书生成及管理机制,并提出了一种虚拟可信根动态可信迁移方案,保障了迁移过程中信任关系在多个节点间的保持.实验结果表明:该方案能构造虚拟可信执行环境,实现虚拟可信根的动态可信迁移.To solve problems of trustworthiness of a single virtual computing node in cloud computing environment and the maintenance of trust relationship among multiple nodes during the migration process, based on trusted platform control module (TPCM), the trusted root of trusted computing technology in China, a method was proposed to construct a trusted virtual execution environment. By virtualizing the TPCM, the virtual trusted root was generated for each virtual computing node in the cloud, and the cloud trusted chain was transferred from the physical node to the virtual node. For the dynamic migration characteristics of cloud virtual computing nodes, based on multi-level certificate authority (CA), a mechanism for certificate generation and management suitable for virtual root migration was designed, and a virtual root dynamic trusted migration scheme was proposed, which guaranteed the maintenance of trust relationship among multiple nodes in the migration process. Experimental results show that the scheme proposed can construct a virtual trusted execution environment and realize the dynamic trusted migration of virtual trusted roots.

关 键 词：可信计算 云计算 云安全 可信平台控制模块 可信根虚拟化 虚拟可信根迁移 

分 类 号：U461TP308[机械工程—车辆工程]