一种基于TrustZone的硬件密码资源主动发现与安全使用方法  被引量：1

作　　者：袁露 黄辰林[1] 李韵 程华 YUAN Lu;HUANG Chenlin;LI Yun;CHENG Hua(Academy of Computer Science,National University of Defense Technology,Changsha 410073,China;State Key Laboratory of Mathematical Engineering and Advanced Computing,Wuxi 214083,China)

机构地区：[1]国防科技大学计算机学院,长沙410073 [2]数学工程与先进计算国家重点实验室,无锡214083

出　　处：《信息网络安全》2020年第8期47-54,共8页Netinfo Security

基　　金：国家重点研发计划[2018YFB0803501]。

摘　　要：为解决各类密码设备提供商各自为政、安全运维工作量大和安全应用开发不便的问题,研究者在操作系统层面建立了密码服务框架,以统一各类软硬件密码资源。然而,现有的密码服务框架一方面不具备对系统硬件密码资源主动发现和主动挂载的能力,仍然需要用户主动加载密码设备和将密码资源挂载到密码服务框架,然后才能在安全应用中调用;另一方面可能导致高密级的硬件密码设备被越权访问和使用。为解决上述问题,文章提出一种基于TrustZone的硬件密码资源主动发现与安全使用方法。通过TrustZone提供的安全隔离计算环境对密码服务框架进行扩展;通过与操作系统内核的互动,使得密码服务框架具备主动检测和安全加载系统硬件密码资源的能力。文章在飞腾FT-2000/4处理器平台上实现了原型系统,测试表明,文章所提出的方法能够成功实现硬件密码资源的主动发现和安全使用。In order to solve the problems that various cryptographic equipment providers are independent,the workload of security maintenance is large and the development of security applications is inconvenient,the researchers set up a cryptographic service framework at the operating system level to unify all kinds of hardware and software cryptographic resources.However,on the one hand,existing cryptographic service frameworks do not have the ability to actively discover and apply the hardware cryptographic resources,and users still need to manually load the cryptographic device and mount the cryptographic resources into the cryptographic service framework before they can be invoked and used in the security applications.On the other hand,high level security hardware cryptographic devices may be unauthorized accessed and used.In order to solve the above problems,this paper proposes a method of active discovery and secure use of hardware cryptographic resources based on TrustZone,which extends the cryptographic service framework through the secure isolation computing environment provided by TrustZone,and makes the cryptographic service framework have the ability to actively detect and securely load the system hardware cryptographic resources through the interaction with the operating system kernel.The prototype system is implemented on FT-2000/4 processer platform.The test results show that the proposed method can successfully realize the active discovery and secure use of hardware cryptographic resources.

关 键 词：密码服务框架 硬件密码资源 主动发现 安全使用 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]