Authors: 刘国杰 张建标 杨萍[3] 李铮 (LIU Guojie; ZHANG Jianbiao; YANG Ping; LI Zheng), Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China; Beijing Key Laboratory of Trusted Computing, Beijing 100124, China; Beijing Information Science and Technology University, Beijing 100192, China
Affiliations: [1] Faculty of Information Technology, Beijing University of Technology, Beijing 100124; [2] Beijing Key Laboratory of Trusted Computing, Beijing 100124; [3] Beijing Information Science and Technology University, Beijing 100192
Source: 《网络与信息安全学报》 (Chinese Journal of Network and Information Security), 2021, Issue 4, pp. 164-174 (11 pages)
Funding: National Natural Science Foundation of China (61971014); Open Project of the National Defense Science and Technology Experimental Information Security Laboratory (2017XXAQ08).
Abstract: Container technology is a lightweight operating-system virtualization technology that is widely used in cloud computing environments. It is a research hotspot in the cloud computing field, and its security has attracted much attention. This paper proposes a method for constructing a trusted container-cloud environment using active immune trusted computing, whose security meets the requirements of the Classified Protection of Cybersecurity (网络安全等级保护) standard. First, the container-cloud server is measured by the TPCM (Trusted Platform Control Module), establishing a chain of trust from the TPCM to the container's runtime environment. Then, by adding a container trust-measurement agent to the TSB (Trusted Software Base), trusted measurement and trusted remote attestation of the container's running process are realized. Finally, an experimental prototype based on Docker and Kubernetes was built and experiments were conducted. The experimental results show that the proposed method ensures the trustworthiness of both the cloud server's boot process and the container's running process, and meets the evaluation requirements of the Classified Protection of Cybersecurity standard.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]