WO2025026051A1 - Implementation method and apparatus for virtual machine, and computer-readable storage medium - Google Patents
- Publication number: WO2025026051A1 (PCT/CN2024/105493)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- processor
- memory
- computing device
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS › G06—COMPUTING OR CALCULATING; COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
- G06F2009/45575—Starting, stopping, suspending or resuming virtual machine instances
- G06F2009/45587—Isolation or security of virtual machine instances
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G06F21/85—Protecting input, output or interconnection devices, e.g. bus-connected or in-line devices
Definitions
- the present application relates to the field of virtualization technology, and in particular to a virtual machine implementation method, device and computer-readable storage medium.
- a virtual machine is a complete computer system that is simulated by software and has complete hardware system functions and runs in a completely isolated environment. Any work that can be done in a computing device (such as a server) can be done in a virtual machine.
- a computing device such as a server
- part of the hard disk and memory capacity of the physical machine needs to be used as the hard disk and memory capacity of the virtual machine.
- Each virtual machine has an independent hard disk and operating system, and the user of the virtual machine can operate the virtual machine just like using a computing device.
- virtual machines in computing devices are managed by a hypervisor in the host operating system kernel, such as the kernel-based virtual machine (KVM).
- KVM kernel-based virtual machine
- the present application provides a virtual machine implementation method, device and computer-readable storage medium, which can greatly reduce the risk of virtual machines in computing devices being attacked and improve the security of user data in the virtual machines.
- a virtual machine implementation method is provided, which is applied to a computing device, wherein hardware resources of the computing device are divided into a rich execution environment (REE) side and a trusted execution environment (TEE) side, and the computing device includes a first virtual machine manager.
- the method specifically includes the following steps: a processor of the computing device runs the first virtual machine manager at exception level 3 (EL3) to start a first virtual machine, and the first virtual machine is deployed on the TEE side.
- EL3 exception level 3
- after the processor starts the first virtual machine, it can run the first virtual machine to process user data. Because the processor runs the first virtual machine manager under EL3 to start the first virtual machine, and the first virtual machine is deployed on the TEE side, the first virtual machine manager isolates the virtual machine from the host operating system kernel (which is located on the REE side). In other words, the virtual machine is protected by the first virtual machine manager under EL3 and cannot be accessed by the host operating system kernel on the REE side.
- the attacker cannot control the virtual machine through the virtual machine manager in the host operating system kernel, such as KVM, thereby protecting the security of the virtual machine in the computing device, and then protecting the security of the user data in the virtual machine.
- the virtual machine manager such as KVM
- the method further includes the following steps:
- the processor obtains the encrypted user data on the REE side;
- the processor runs the first virtual machine manager under EL3 to obtain the decryption key stored on the TEE side, and uses the decryption key to decrypt the encrypted user data to obtain the user data;
- the processor runs the first virtual machine to process user data.
- the processor can only obtain the decryption key by running the first virtual machine manager under EL3.
- the software on the REE side (such as the host operating system kernel and the virtual machine manager in it) cannot obtain the decryption key stored on the TEE side. Therefore, even if an attacker compromises the software on the REE side and steals the encrypted data, the attacker cannot recover the plaintext of the user data. This satisfies the requirement that REE-side software cannot steal user data, further improving the security of user data.
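- The flow above (REE holds only ciphertext, the EL3 monitor alone holds the key, the plaintext lands only in TEE-side memory) as a runnable model. This is an added illustration, not the patent's code: the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used here as a standard-library stand-in for AES-GCM, the `smc_decrypt` method stands for the SMC entry into EL3, and the sample key and data are constructed.

```python
"""Model of the REE/EL3 trust boundary for encrypted user data.
Added example; cipher and interfaces are assumptions, not the patent's design."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key):
    """Split the TEE-side master key into an encryption key and a MAC key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR/GCM."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """Data owner: encrypt-then-MAC before the data ever reaches the REE."""
    enc_key, mac_key = _derive(key)
    nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


class SecureMonitor:
    """The first virtual machine manager running at EL3: sole holder of the key."""

    def __init__(self, key):
        self._enc_key, self._mac_key = _derive(key)
        self.tee_memory = {}   # per-VM plaintext buffers on the TEE side

    def smc_decrypt(self, vm_id, blob):
        """SMC handler: verify and decrypt in EL3 and place the plaintext in the
        TEE-side memory of the target VM. Only a status code goes back to the
        REE caller; neither the key nor the plaintext crosses the boundary."""
        if len(blob) < NONCE_LEN + TAG_LEN:
            return False
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False   # tampered or forged ciphertext: nothing is written
        self.tee_memory[vm_id] = _xor(body, _keystream(self._enc_key, nonce, len(body)))
        return True


def ree_submit(monitor, vm_id, blob):
    """REE-side host software: holds only ciphertext and forwards it via SMC."""
    return monitor.smc_decrypt(vm_id, blob)


def tee_vm_process(monitor, vm_id):
    """The first VM on the TEE side; as a stand-in workload it counts words."""
    data = monitor.tee_memory.get(vm_id)
    return None if data is None else len(data.split())
```

The point worth checking in a real implementation is the order inside `smc_decrypt`: the tag is verified before any plaintext is produced, so a REE attacker who flips ciphertext bits gets a refusal and no partially decrypted data ever reaches the VM.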
- before starting the first virtual machine, the method further includes the following steps: the processor obtains, on the REE side, a creation instruction carrying configuration information of the first virtual machine to be created, and then runs the first virtual machine manager under EL3 to create the first virtual machine on the TEE side according to that configuration information.
- a virtual machine can be created on the TEE side, which facilitates the subsequent use of the virtual machine to securely process user data.
- the method further includes the following steps: the processor emulates first data on the REE side and obtains it, writes the first data into the first virtual machine manager, runs the first virtual machine manager under EL3 to inject the first data into the first virtual machine, and finally runs the first virtual machine according to the first data.
- the first data includes one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock used by the first virtual machine, and memory-mapped input/output (MMIO) information used by the first virtual machine.
- MMIO memory-mapped input/output
- the processor emulates the virtual interrupt of the first virtual machine, the virtual clock used by the first virtual machine, and the MMIO information used by the first virtual machine on the REE side, instead of emulating them in the first virtual machine manager, which keeps the trusted computing base (TCB) of the first virtual machine manager relatively small.
- TCB trusted computing base
- the processor starts the first virtual machine when the first virtual machine manager running under EL3 determines that the first virtual machine is a secure virtual machine.
- the processor can run the first virtual machine manager under EL3 to provide the configuration information of the first virtual machine (such as the type of virtual processor cores, the number of virtual processor cores, memory addresses, etc.), the name of the application (APP) installed on the first virtual machine, and the hash value of the image of the first virtual machine, etc., to the user on the REE side for security measurement, that is, the user determines whether the first virtual machine is a secure virtual machine that meets its own expectations, or a non-secure virtual machine with security threats.
- the configuration information of the first virtual machine such as the type of virtual processor cores, the number of virtual processor cores, memory addresses, etc.
- APP application
- when the first virtual machine manager running under EL3 obtains feedback from the user that the first virtual machine meets the user's expectations, the processor determines that the first virtual machine is a secure virtual machine and starts it. Otherwise, the processor determines that the first virtual machine is a non-secure virtual machine and does not start it.
- the processor starts the virtual machine only when it determines that the virtual machine is safe, which can avoid using an unsafe virtual machine to process user data, thereby improving not only the security of the virtual machine but also the security of user data in the virtual machine.
- the processor starts the first virtual machine when the first virtual machine manager running under EL3 determines that the computing device is a secure device.
- the processor can run the first virtual machine manager under EL3 to provide the certificate of the computing device to the user on the REE side for a legitimacy check, that is, the user determines whether the computing device is a secure device that meets the user's expectations or a non-secure device that poses a security threat.
- when the processor runs the first virtual machine manager under EL3 and obtains feedback from the user that the computing device is a secure device that meets the user's expectations, the processor determines that the computing device is a secure device and starts the first virtual machine; otherwise, the processor determines that the computing device is a non-secure device and does not start the first virtual machine.
- the processor starts the virtual machine only when it determines that the computing device is safe, which can avoid using an unsafe computing device to run the virtual machine to process user data, thereby improving not only the security of the virtual machine, but also the security of user data in the virtual machine.
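- The two start gates described above (the security measurement of the virtual machine from its configuration, installed application names and image hash, and the legitimacy check of the device certificate) as one runnable model. This is an added example, not the patent's code: the measurement is a SHA-256 over a canonical JSON encoding of the reported items (an assumed encoding), the device check is simplified to a pinned certificate fingerprint plus a validity window instead of full chain validation against a vendor CA, and all configuration values, application names, image bytes and certificate bytes are constructed.

```python
"""Measurement-and-device gate before a TEE-side VM is started.
Added example; encodings and the pinned-fingerprint check are assumptions."""
import hashlib
import hmac
import json


def measure_vm(config, apps, image_hash):
    """Monitor side: canonical, order-independent hash of what the page lists
    (virtual core type and count, memory addresses, app names, image hash)."""
    canonical = json.dumps(
        {"config": config, "apps": sorted(apps), "image_hash": image_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(canonical).hexdigest()


def monitor_report(vm, device_cert):
    """What the EL3 monitor hands to the user on the REE side."""
    return {
        "measurement": measure_vm(vm["config"], vm["apps"], vm["image_hash"]),
        "device_cert": device_cert,
    }


def check_device(cert, pinned_fingerprint, now):
    """User side: assumed simplification of the legitimacy check. A pinned
    SHA-256 fingerprint of the certificate bytes plus a validity window stands
    in for chain validation against the vendor CA."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False
    fp = hashlib.sha256(cert["der"]).hexdigest()
    return hmac.compare_digest(fp, pinned_fingerprint)


def user_verdict(report, expectation, now):
    """User side: compare the reported measurement with the golden value and
    check the device; both answers are fed back to the monitor."""
    vm_ok = hmac.compare_digest(report["measurement"], expectation["measurement"])
    dev_ok = check_device(report["device_cert"], expectation["device_fingerprint"], now)
    return vm_ok, dev_ok


def monitor_start(vm_ok, dev_ok):
    """Monitor side: start only when both feedback bits are positive."""
    return "started" if (vm_ok and dev_ok) else "refused"


# Constructed sample data (not taken from the patent).
GOLDEN_CONFIG = {"vcpu_type": "cortex-a78", "vcpus": 4,
                 "mem_base": "0x80000000", "mem_size": "0x40000000"}
GOLDEN_APPS = ["payroll", "ledger"]
GOLDEN_IMAGE = hashlib.sha256(b"constructed vm image").hexdigest()
DEVICE_CERT = {"der": b"constructed device certificate bytes",
               "not_before": 1700000000, "not_after": 1800000000}
EXPECTATION = {
    "measurement": measure_vm(GOLDEN_CONFIG, GOLDEN_APPS, GOLDEN_IMAGE),
    "device_fingerprint": hashlib.sha256(DEVICE_CERT["der"]).hexdigest(),
}


def attest_and_start(vm, cert, now=1750000000):
    """End-to-end gate for one VM on one device; returns the monitor's decision."""
    return monitor_start(*user_verdict(monitor_report(vm, cert), EXPECTATION, now))
```

The canonical encoding matters more than it looks: if application names were hashed in the order the monitor happens to enumerate them, the same VM would produce different measurements on different boots and the user would have to accept several golden values, which widens what a forged report can hide behind.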
- the method further includes the following steps: the processor obtains a first management command for the life cycle of the first virtual machine on the REE side, and then runs the first virtual machine manager under EL3, and performs one or any combination of the following operations on the first virtual machine according to the first management command: power on, power off, change specifications, migrate, and release.
- the life cycle of the virtual machine on the TEE side can be managed.
- the method further includes the following steps: the processor obtains a second management command for the first virtual machine on the REE side, and then runs the first virtual machine manager under EL3, and performs one or any combination of the following operations on the first virtual machine according to the second management command: installing an application, starting an application, shutting down an application, upgrading an application, uninstalling an application, and migrating an application.
- the method further includes the following steps: when an exception occurs in the first virtual machine, the processor runs the first virtual machine manager under EL3 to save the context of the first virtual machine and handle the exception. After the exception has been handled, the saved context is restored to the first virtual machine so that it resumes operation.
- the processor runs the first virtual machine manager to process the exception occurring in the first virtual machine, including:
- the processor runs the first virtual machine manager to receive a page fault exception handling instruction, an MMIO operation exception handling instruction, or a synchronous data abort exception handling instruction sent by the first virtual machine, wherein each of these instructions is a secure monitor call (SMC) type instruction, and the MMIO operation exception is an exception raised when the first virtual machine performs an MMIO operation;
- SMC secure monitor call
- the processor runs the first virtual machine manager to handle the page fault exception according to the page fault exception handling instruction
- the processor runs the first virtual machine manager to handle the MMIO operation exception according to the MMIO operation exception handling instruction;
- the processor runs the first virtual machine manager to handle the synchronous data abort exception according to the synchronous data abort exception handling instruction.
- the method further includes the following steps: the processor runs the first virtual machine manager under EL3 to perform one or any combination of the following operations: creating, changing or destroying a one-level page table of the first virtual machine, wherein the one-level page table of the first virtual machine is a page table that maps the virtual addresses (VA) of the first virtual machine directly to physical addresses (PA) allocated to the first virtual machine in the computing device.
- VA virtual address
- PA physical address
- the memory of the virtual machine on the TEE side can be managed.
- the method can also manage the memory of the virtual machine on the TEE side in the following manner: the processor runs the first virtual machine manager under EL3 to perform one or any combination of the following operations: creating, changing or destroying a two-level page table of the first virtual machine, wherein the two-level page table of the first virtual machine maps the VA of the first virtual machine to an intermediate physical address (IPA) and maps the IPA to the PA allocated to the first virtual machine in the computing device.
- IPA intermediate physical address
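- The exception path (SMC from the virtual machine, context saved, handler run at EL3, context restored) and the two-level VA to IPA to PA translation managed by the EL3 manager, as one runnable model covering both passages above. This is an added example, not the patent's code: the SMC function identifiers, the EL3 vector address, the register set, the device window and all addresses are constructed, and the rule that a stage-2 page can only be backed by a physical page from the requesting VM's own allocation is the check a practitioner would expect here, not a detail the patent states.

```python
"""EL3 monitor model: SMC dispatch with context save/restore and per-VM
two-level page tables. Added example; identifiers and addresses are assumed."""
PAGE = 0x1000
PAGE_MASK = ~(PAGE - 1)

# Hypothetical SMC function identifiers for the three exception reports.
SMC_PAGE_FAULT = 0xC4000001
SMC_MMIO = 0xC4000002
SMC_DATA_ABORT = 0xC4000003
EL3_VECTOR = 0xFFFF0000   # assumed EL3 exception vector address


class TwoLevelPageTable:
    """Two-level translation for one VM: VA -> IPA (level 1, maintained inside
    the VM) and IPA -> PA (level 2, maintained only by the EL3 manager)."""

    def __init__(self, pa_pool):
        self.level1 = {}
        self.level2 = {}
        self.free_pa = sorted(pa_pool)   # PAs allocated to this VM, not yet mapped

    def translate(self, va):
        ipa = self.level1.get(va & PAGE_MASK)
        pa = None if ipa is None else self.level2.get(ipa)
        return None if pa is None else pa | (va & (PAGE - 1))


class El3Monitor:
    def __init__(self):
        self.vms = {}
        self.mmio_to_ree = []   # MMIO accesses forwarded to REE-side emulation
        self.aborts = []

    def create_vm(self, vm_id, pa_pool, mmio_window):
        self.vms[vm_id] = {
            "pt": TwoLevelPageTable(pa_pool),
            "mmio": mmio_window,              # (start, end) of the VM's device window
            "regs": {"pc": 0x8000, "x0": 0},  # VM register state
        }

    def handle_smc(self, vm_id, func_id, *args):
        """Entry from the VM: save its context, run the handler at EL3, then
        restore the context so the VM resumes where it trapped."""
        vm = self.vms[vm_id]
        saved = dict(vm["regs"])
        vm["regs"]["pc"] = EL3_VECTOR        # EL3 is now executing
        try:
            if func_id == SMC_PAGE_FAULT:
                return self._page_fault(vm, *args)
            if func_id == SMC_MMIO:
                return self._mmio(vm, *args)
            if func_id == SMC_DATA_ABORT:
                return self._data_abort(vm, *args)
            return "unknown_smc"
        finally:
            vm["regs"] = saved               # context restored, VM resumes

    def _page_fault(self, vm, ipa):
        """Level-2 fault: back the IPA page with a PA from this VM's own pool,
        so no VM can ever be mapped onto another VM's memory (assumed rule)."""
        pt, ipa = vm["pt"], ipa & PAGE_MASK
        if ipa in pt.level2:
            return "already_mapped"
        if not pt.free_pa:
            return "denied"
        pt.level2[ipa] = pt.free_pa.pop(0)
        return "mapped"

    def _mmio(self, vm, addr, is_write, value):
        """MMIO trap: only accesses inside the VM's device window are forwarded
        to the REE-side emulation; everything else is refused at EL3."""
        lo, hi = vm["mmio"]
        if not lo <= addr < hi:
            return "mmio_denied"
        self.mmio_to_ree.append((addr, is_write, value))
        return "mmio_forwarded"

    def _data_abort(self, vm, far, esr):
        """Synchronous data abort reported by the VM: recorded for diagnosis."""
        self.aborts.append((far, esr))
        return "abort_recorded"
```

Two things the model makes visible that the prose only implies: the level-2 table is the isolation boundary, because the VM controls level 1 but can only ever reach physical pages the manager placed in level 2 for it; and every return path, including the unknown-function case, goes through the same context restore.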
- the REE side includes a second virtual machine manager
- the first virtual machine is deployed with a virtualized input/output (VirtIO) front-end driver
- the second virtual machine manager is deployed with a VirtIO back-end driver
- the first virtual machine manager is deployed with a memory synchronization module
- the TEE side includes a first memory for data transmission between the VirtIO front-end driver and the VirtIO back-end driver
- the REE side includes a second memory
- the memory synchronization module includes a mapping relationship between the first memory and the second memory; the method further includes the following steps:
- the processor runs a memory synchronization module to synchronize first data in the first memory to the second memory according to a mapping relationship between the first memory and the second memory, wherein the first data is data that the VirtIO front-end driver needs to send to the VirtIO back-end driver;
- the processor runs a memory synchronization module to synchronize second data in the second memory to the first memory according to a mapping relationship between the first memory and the second memory, wherein the second data is data from the VirtIO backend driver that the VirtIO frontend driver needs to receive.
- the virtual machine on the TEE side can perform I/O communication through the VirtIO front-end driver and the VirtIO back-end driver.
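- The memory synchronization module described above (a first memory on the TEE side for the VirtIO front end, a second memory on the REE side for the back end, and a mapping between the two that drives the copies in both directions) as a runnable model. This is an added example, not the patent's code: the mapping is assumed to be a list of fixed windows (TEE offset, REE offset, length), a request whose range does not lie entirely inside one window is refused, which is the check a practitioner would want so that the VM's private memory can never be mirrored out, and the buffer sizes and payloads are constructed.

```python
"""Memory synchronization between the TEE-side first memory and the REE-side
second memory for VirtIO traffic. Added example; the window-based mapping and
the refusal rule are assumptions."""


class MemorySyncModule:
    """Runs inside the first virtual machine manager: mirrors mapped windows of
    the TEE-side memory into the REE-side memory and back, never anything else."""

    def __init__(self, tee_size, ree_size, mapping):
        self.tee_mem = bytearray(tee_size)   # first memory, TEE side
        self.ree_mem = bytearray(ree_size)   # second memory, REE side
        for tee_off, ree_off, length in mapping:
            if length <= 0 or tee_off + length > tee_size or ree_off + length > ree_size:
                raise ValueError("mapping window outside memory")
        self.mapping = list(mapping)         # (tee_off, ree_off, length) windows

    def _window(self, tee_off, length):
        """REE offset for [tee_off, tee_off+length) if the whole range lies in
        one mapped window, otherwise None."""
        if length <= 0:
            return None
        for m_tee, m_ree, m_len in self.mapping:
            if m_tee <= tee_off and tee_off + length <= m_tee + m_len:
                return m_ree + (tee_off - m_tee)
        return None

    def sync_to_ree(self, tee_off, length):
        """First data: VirtIO front end -> back end."""
        ree_off = self._window(tee_off, length)
        if ree_off is None:
            return False                     # outside the shared window: refused
        self.ree_mem[ree_off:ree_off + length] = self.tee_mem[tee_off:tee_off + length]
        return True

    def sync_to_tee(self, tee_off, length):
        """Second data: VirtIO back end -> front end."""
        ree_off = self._window(tee_off, length)
        if ree_off is None:
            return False
        self.tee_mem[tee_off:tee_off + length] = self.ree_mem[ree_off:ree_off + length]
        return True


def frontend_send(sync, tee_off, payload):
    """VirtIO front end inside the confidential VM: write into its own memory,
    then ask the manager's sync module to mirror the range out."""
    if tee_off + len(payload) > len(sync.tee_mem):
        return False
    sync.tee_mem[tee_off:tee_off + len(payload)] = payload
    return sync.sync_to_ree(tee_off, len(payload))


def backend_read(sync, ree_off, length):
    """VirtIO back end in the REE-side second virtual machine manager."""
    return bytes(sync.ree_mem[ree_off:ree_off + length])
```

The straddling case (a range that starts inside a window but runs past its end) is the one most implementations get wrong; the model refuses it rather than copying the part that fits, because a partial copy would silently move bytes that sit just beyond the shared region.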
- a virtual machine implementation apparatus which can be applied to a computing device, wherein hardware resources of the computing device are divided into a REE side and a TEE side, and the computing device includes a first virtual machine manager, and the apparatus includes: a processing module;
- the processing module is used to run a first virtual machine manager under EL3 to start a first virtual machine, and the first virtual machine is deployed on the TEE side.
- the apparatus further includes an acquisition module
- the above-mentioned acquisition module is used to obtain encrypted user data on the REE side; the above-mentioned processing module is also used to run the first virtual machine manager under EL3, obtain the decryption key stored on the TEE side, and use the decryption key to decrypt the encrypted user data to obtain the user data; the above-mentioned processing module is also used to run the first virtual machine to process the above-mentioned user data.
- the acquisition module is also used to obtain a creation instruction on the REE side, where the creation instruction carries configuration information of the first virtual machine to be created; the processing module is also used to run the first virtual machine manager under EL3, and create the first virtual machine on the TEE side according to the configuration information carried by the creation instruction.
- the acquisition module is further used to simulate and obtain the first data on the REE side, where the first data includes one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock used by the first virtual machine, and MMIO information used by the first virtual machine; the processing module is further used to write the first data into the first virtual machine manager; the processing module is further used to run the first virtual machine manager under EL3 and inject the first data into the first virtual machine; the processing module is further used to run the first virtual machine according to the first data.
- the processing module is also used to run the first virtual machine manager under EL3, determine whether the first virtual machine is a secure virtual machine, and start the first virtual machine if it is determined that the first virtual machine is a secure virtual machine; and do not start the first virtual machine if it is determined that the first virtual machine is a non-secure virtual machine.
- the processing module is also used to run the first virtual machine manager under EL3 to determine whether the computing device is a secure device. If the computing device is determined to be a secure device, the first virtual machine is started; if the computing device is determined to be a non-secure device, the first virtual machine is not started.
- the acquisition module is also used to acquire a first management command for the life cycle of the first virtual machine on the REE side;
- the processing module is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations on the first virtual machine according to the first management command: power on, power off, change specifications, migrate, and release.
- the acquisition module is further used to acquire, on the REE side, a second management command for the first virtual machine;
- the processing module is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations on the first virtual machine according to the second management command: install, start, shut down, upgrade, uninstall and migrate applications.
- the processing module is also used to: when an exception occurs in the first virtual machine, run the first virtual machine manager under EL3 to establish the context of the first virtual machine, handle the exception that occurs in the first virtual machine, and after handling the exception that occurs in the first virtual machine, restore the context of the first virtual machine to the first virtual machine to resume the operation of the first virtual machine.
- when the exception occurring in the first virtual machine is a page fault exception, an MMIO operation exception, or a synchronous data abort exception, the processing module is used to run the first virtual machine manager under EL3, receive the page fault exception handling instruction, the MMIO operation exception handling instruction, or the synchronous data abort exception handling instruction sent by the first virtual machine, and handle the page fault exception according to the page fault exception handling instruction, or handle the MMIO operation exception according to the MMIO operation exception handling instruction, or handle the synchronous data abort exception according to the synchronous data abort exception handling instruction.
- the page fault exception handling instruction, the MMIO operation exception handling instruction, and the synchronous data abort exception handling instruction are SMC type instructions
- the MMIO operation exception is an exception caused when the first virtual machine performs an MMIO operation.
- the processing module is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations: create, change or destroy the one-level page table of the first virtual machine, where the one-level page table of the first virtual machine is a page table that maps the VA of the first virtual machine to the PA allocated to the first virtual machine in the computing device.
- the REE side includes a second virtual machine manager, a VirtIO front-end driver is deployed in the first virtual machine, a VirtIO back-end driver is deployed in the second virtual machine manager, a memory synchronization module is deployed in the first virtual machine manager, the TEE side includes a first memory for data transmission between the VirtIO front-end driver and the VirtIO back-end driver, the REE side includes a second memory, and the memory synchronization module includes a mapping relationship between the first memory and the second memory;
- the processing module is used to run the memory synchronization module to synchronize first data in the first memory to the second memory according to the mapping relationship between the first memory and the second memory, where the first data is data that the VirtIO front-end driver needs to send to the VirtIO back-end driver; or the processing module is used to run the memory synchronization module to synchronize second data in the second memory to the first memory according to the mapping relationship between the first memory and the second memory, where the second data is data from the VirtIO back-end driver that the VirtIO front-end driver needs to receive.
- a computing device comprising a processor and a memory; the processor is used to execute instructions stored in the memory, so that the computing device implements the method provided in the first aspect or any possible implementation of the first aspect.
- a computer-readable storage medium stores instructions for implementing the method provided in the first aspect or any possible implementation of the first aspect.
- a computer program product comprising a computer program is provided; when the computer program is read and executed by a computing device, the computing device executes the method provided in the first aspect or any possible implementation of the first aspect.
- FIG1 is a schematic diagram of a virtual machine usage scenario involved in the present application.
- FIG2 is a schematic diagram of the hardware architecture of an ARM processor provided in the present application.
- FIG3 is a schematic diagram of the structure of a computing device provided by the present application.
- FIG4A is a schematic diagram of the structure of a virtual machine implementation method provided by the present application.
- FIG4B is a flow chart of a data processing method provided by the present application.
- FIG5 is a schematic diagram of the structure of a first virtual machine manager provided by the present application.
- FIG6 is a schematic diagram of the creation and operation process of a confidential virtual machine from the perspective of a second virtual machine manager provided by the present application.
- FIG7 is a schematic diagram of the structure of another computing device provided by the present application.
- FIG8 is a schematic diagram of the structure of a virtual machine implementation device exemplarily shown in the present application.
- FIG9 is a schematic diagram of the structure of another computing device provided by the present application.
- a virtual machine is a complete computer system that is simulated by software, has complete hardware system functions, and runs in a completely isolated environment. Any work that can be done in a computing device (such as a server) can be done in a virtual machine.
- part of the hard disk and memory capacity of the physical machine is used as the hard disk and memory capacity of the virtual machine.
- Each virtual machine has an independent hard disk and operating system, and the user of the virtual machine can operate the virtual machine just like using a computing device.
- Confidential virtual machine refers to the virtual machine included in the TEE side, which can also be called a trusted virtual machine, etc.
- I/O devices refer to hardware that can transmit data to and from computing devices.
- the most common I/O devices include keyboards, mice, block devices (such as disks), and network devices (such as network cards, modems, etc.).
- MMIO Memory-mapped input/output
- PCI peripheral component interconnect
- virtualized input/output (VirtIO) can be understood as a set of programs for virtualizing general I/O devices.
- VirtIO includes a front-end driver program and a back-end driver program.
- the front-end driver program and the back-end driver program can work together to simulate a series of virtualized I/O devices for use by virtual machines, such as VirtIO-BLK and VirtIO-NET.
- VirtIO-BLK is a virtualized storage device.
- VirtIO-BLK is a virtualization program for creating disks (disks are a type of I/O device).
- VirtIO-BLK virtual disks can be created
- VirtIO-NET is a virtualized network device.
- VirtIO-NET is a virtualization program for creating network devices.
- virtualized network devices such as virtualized network interface controllers, or VNICs
- SMC: secure monitor call
- FIG. 1 is a schematic diagram of a virtual machine usage scenario involved in the present application: a computing device 100, such as a server, with a hardware layer and a software layer.
- the hardware layer is a conventional configuration of the computing device 100, wherein PCI devices may be, for example, network cards, graphics processing units (GPUs), embedded neural network processing units (NPUs), offload cards, and other devices that can be inserted into the PCI/peripheral component interconnect express (PCIE) slots of the server.
- the software layer includes a host operating system kernel (also referred to as a host kernel) installed and running on the computing device 100.
- a virtual machine manager (hypervisor) (such as KVM) is provided in the host operating system kernel.
- the role of the virtual machine manager is to realize computing virtualization, network virtualization, and storage virtualization of virtual machines, and is responsible for managing virtual machines.
- Computing virtualization refers to providing part of the processor and memory of the computing device 100 to the virtual machine
- network virtualization refers to providing part of the functions of the network card (such as bandwidth) to the virtual machine
- storage virtualization refers to providing part of the disk to the virtual machine.
- The virtual machine manager also implements logical isolation between different virtual machines and manages them: creating virtual machines, simulating virtual hardware for them according to the hardware layer (the hardware simulation function), deleting virtual machines, forwarding and/or processing network packets between the virtual machines running on the computing device 100 (such as virtual machine 1 and virtual machine 2) or between those virtual machines and the external network (the virtual switching function), processing I/O generated by virtual machines, and so on.
- the operating environments (such as virtual machine applications, operating systems, and virtual hardware) in different virtual machines are completely isolated.
- For virtual machine 1 and virtual machine 2 to communicate, network messages must be forwarded through the virtual machine manager.
- Tenants can remotely log in to the virtual machine and operate the virtual machine to install, configure, and uninstall applications in the virtual machine operating system environment.
- In this scenario the virtual machine is managed by a virtual machine manager in the host operating system kernel, such as KVM.
- If the host operating system kernel is compromised by an attacker, the attacker can manipulate the virtual machine manager, and through it the virtual machines it manages, posing a security threat to user data in the virtual machine.
- To address this, the present application provides a computing device and a virtual machine implementation method.
- TrustZone technology was first introduced as a security extension in the ARMv6 architecture. It divides the hardware resources of a computing device into two worlds, the REE side (also called the normal world) and the TEE side (also called the secure world); TrustZone is a hardware security feature, and the TEE side is the environment it protects.
- Running on the REE side does not mean that the operating system (OS) or software there is malicious, only that its environment is less secure than the TEE side. When the processor works on the REE side it is prohibited from accessing TEE-side resources (such as registers, memory, cache and peripherals); an attempted access is rejected by the hardware and raises a fault instead of returning the data.
- TrustZone can mark sensitive memory as secure memory by configuring the TrustZone address space controller (TZASC) and TrustZone memory adapter (TZMA) registers, so that the REE side cannot access that memory.
- TZASC: TrustZone address space controller
- TZMA: TrustZone memory adapter
- Figure 2 describes the hardware architecture of ARM.
- the left side is the architecture of the REE side
- the right side is the architecture of the TEE side.
- The REE side includes four exception levels, exception level 0 (EL0), EL1, EL2 and EL3, and the TEE side includes three, secure exception level 0 (SEL0), SEL1 and EL3. EL3 is common to both sides: it hosts the secure monitor through which the processor switches between the two worlds.
- EL0 can also be called the user state layer
- EL1 can also be called the kernel state layer
- EL2 can also be called the virtual machine manager layer
- EL3 can also be called the secure monitor layer.
- The exception level can be understood as the privilege level: the larger the exception level number, the higher the privilege; the smaller the number, the lower the privilege.
- ARM trusted firmware (ATF) is the first component that runs when the processor starts; it is the low-level reference firmware provided by ARM. It unifies the ARM low-level interface standards, such as the Power State Coordination Interface (PSCI), the Trusted Board Boot Requirements (TBBR), and the SMC operations for switching between the secure world state and the normal world state.
- PSCI: Power State Coordination Interface
- TBBR: Trusted Board Boot Requirements
- At EL3 the processor has the highest privilege level and can access not only all resources on the TEE side but also all resources on the REE side.
- the above is an introduction to the TrustZone technology.
- the computing device provided by this application will be introduced.
- the computing device provided by this application is mainly a computing device running the ARM processor shown in Figure 2 above.
- FIG 3 is a schematic diagram of a computing device 300 provided in the present application.
- the hardware resources of the computing device 300 are divided into a REE side and a TEE side.
- the TEE side includes one or more confidential virtual machines.
- the TEE side includes a confidential virtual machine as an example.
- the REE side may include one or more ordinary virtual machines.
- the REE side includes two ordinary virtual machines as an example.
- the computing device 300 also includes a virtual machine manager for managing the confidential virtual machine on the TEE side.
- the virtual machine manager for managing the confidential virtual machine on the TEE side is referred to as the first virtual machine manager
- the virtual machine manager deployed in the host kernel for managing the ordinary virtual machine on the REE side is referred to as the second virtual machine manager.
- The virtual machine manager on the TEE side may also be referred to as a TrustZone management monitor (TMM) or a TrustZone virtual machine manager, etc. This application does not specifically limit the name of the virtual machine manager on the TEE side.
- TMM: TrustZone management monitor
- the first virtual machine manager is used to deploy the confidential virtual machine on the TEE side of the computing device 300, and to start the confidential virtual machine. It can be understood that after starting the confidential virtual machine, the processor can run the confidential virtual machine to process user data.
- the first virtual machine manager can also manage the life cycle of the confidential virtual machine, such as powering on, powering off, changing specifications, migrating, and releasing.
- the first virtual machine manager can also manage the apps installed on the confidential virtual machine, such as installing, starting, shutting down, upgrading, uninstalling, and migrating the apps.
- the first virtual machine manager can also perform other management operations on the confidential virtual machine, which will be described in detail below.
- the confidential virtual machine is similar to an ordinary virtual machine, including an operating system kernel and an APP.
- The operating system kernel in the confidential virtual machine can be a rich operating system (rich OS) kernel such as Linux, or another type of operating system kernel; this application does not limit it. When the operating system in the confidential virtual machine is Linux, the confidential virtual machine can be migrated from an ordinary Linux virtual machine.
- Because the operating system in the confidential virtual machine is a rich operating system such as Linux, with relatively powerful functions, when the tenant installs an APP (such as an artificial intelligence (AI) application with high requirements for the operating environment) in the confidential virtual machine, it can be installed directly without modifying the APP, that is, zero-modification installation of the APP.
- The processor of the computing device 300 runs the first virtual machine manager under EL3. Because it runs under EL3, the first virtual machine manager has the permissions of EL3 and can access resources on the TEE side as well as on the REE side; conversely, software at lower exception levels on the REE side, such as the host kernel and the second virtual machine manager, cannot modify it. In a possible embodiment, the first virtual machine manager is deployed in the ARM trusted firmware.
- The REE side may further include a shadow of the confidential virtual machine. When the processor stops running the confidential virtual machine in order to run other programs, it saves the context of the confidential virtual machine in the shadow; when it resumes the confidential virtual machine, it restores the context saved in the shadow to the confidential virtual machine and continues its operation. Note that the shadow resides on the REE side; the application does not describe how the saved context is protected there.
- computing device 300 is only an example provided in the embodiment of the present application, and the computing device 300 may have more or fewer components than those shown in FIG. 3 , or may have different configurations of the components.
- the following describes the process of implementing a virtual machine by the computing device 300 shown in FIG. 3 in conjunction with the flowchart of a virtual machine implementation method provided by the present application shown in FIG. 4A .
- S401 The processor runs the first virtual machine manager under EL3 to create a first confidential virtual machine on the TEE side.
- the processor of the computing device 300 can obtain the configuration information of the first confidential virtual machine to be created on the REE side, and then run the first virtual machine manager under EL3, and create the first confidential virtual machine on the TEE side according to the configuration information of the first confidential virtual machine.
- The configuration information includes the specifications of the first confidential virtual machine to be created, such as the size and type of memory, the type, number and computing speed of processor cores, the network bandwidth, the operating system kernel and the file system.
- Based on the configuration information, the processor provides the first confidential virtual machine with matching virtual hardware resources: it divides memory matching the memory information from the memory resources on the TEE side for use by the first confidential virtual machine, simulates virtual processor cores matching the processor core information, and loads the operating system kernel and the file system included in the configuration information into the memory of the first confidential virtual machine, thereby creating the first confidential virtual machine.
- the method for the processor to obtain the configuration information of the first confidential virtual machine on the REE side may refer to any one of the following methods 1 or 2:
- Method 1: the configuration information may be input by the user on the interface of the computing device 300. The user may input the required processor core type, number of processor cores, computing power of the processor cores, memory type, memory size, network bandwidth, etc. according to his or her needs; in this case the first confidential virtual machine can be understood as customized. After obtaining the configuration information input by the user, the computing device 300 stores it in the memory on the REE side, and the processor subsequently runs the first virtual machine manager under EL3 to obtain the configuration information from the memory on the REE side.
- Method 2: the configuration information may be selected by the user from a set of candidate configurations offered by the interface of the computing device 300. That is, the user can only choose among the offered configurations and cannot freely decide the processor core type, number of processor cores, computing power, memory type, memory size, network bandwidth, etc.; in this case the first confidential virtual machine can be understood as provided according to fixed specifications, and the user selects the specification that suits him or her from a limited set. After obtaining the configuration information selected by the user, the computing device 300 stores it in the memory on the REE side, and the processor subsequently runs the first virtual machine manager under EL3 to obtain it from there.
- the above-mentioned method 1 and method 2 are merely examples of the method in which the processor obtains the configuration information of the first confidential virtual machine on the REE side.
- the processor can obtain part of the configuration information of the first confidential virtual machine through the above-mentioned method 1, and obtain another part of the configuration information of the first confidential virtual machine through the above-mentioned method 2. This application does not specifically limit this.
- S402 The processor runs the first virtual machine manager under EL3 to start the first confidential virtual machine.
- the processor can run the first confidential virtual machine to process user data.
- the following describes a process in which a processor runs a first confidential virtual machine to process user data in conjunction with a flowchart of a data processing method exemplarily illustrated in the present application as shown in FIG. 4B .
- the method comprises the following steps:
- S410 The processor obtains user data on the REE side.
- User data may be a face image to be recognized, a voice signal to be recognized, text data to be recognized, etc. It may also be a model to be trained and training data, or data to be encrypted and stored. This application does not specifically limit user data.
- S420 The processor runs the first confidential virtual machine on the TEE side to process the user data.
- The user data may be input by the user through an interface provided by the computing device 300. After obtaining it, the computing device 300 stores the user data in the memory on the REE side, and the processor subsequently runs the first confidential virtual machine to read the user data from the memory on the REE side and process it.
- the processor runs the first confidential virtual machine on the TEE side to recognize the face image/voice signal/text data to obtain the corresponding recognition result, and then provides the recognition result to the user on the REE side.
- the processor runs the first confidential virtual machine on the TEE side to train the model using the training data to obtain a trained model, and then provides the trained model to the user on the REE side.
- The first confidential virtual machine on the TEE side does not connect to the external network directly; it communicates with the network outside the computing device 300 through the REE side. It can be understood that this improves the security of the first confidential virtual machine.
- the processor runs the first confidential virtual machine on the TEE side to encrypt the data and then stores it in the corresponding location.
- In another case, the user data obtained by the processor on the REE side is encrypted data. Before executing S420, the processor runs the first virtual machine manager under EL3 to obtain the decryption key stored on the TEE side and uses it to decrypt the encrypted data into the plaintext of the user data; the processor then runs the first confidential virtual machine to process the user data.
- The user data thus exists only in encrypted form on the REE side, while the decryption key is stored on the TEE side, so the host operating system kernel and the software on the REE side (such as KVM and ordinary virtual machines) cannot obtain the decryption key.
- the computing device 300 may also manage the first confidential virtual machine, and the management content is as follows:
- (1) Life-cycle management: the processor of the computing device 300 can obtain on the REE side a first management command concerning the life cycle of the first confidential virtual machine, and then run the first virtual machine manager under EL3 to perform, according to that command, one or any combination of the following operations on the first confidential virtual machine: power on, power off, change specifications, migrate, and release (destroy).
- the processor may first determine whether the first confidential virtual machine is in a non-operating state. When it is determined that the first confidential virtual machine is in a non-operating state, the processor releases the first confidential virtual machine. If it is determined that the first confidential virtual machine is in an operating state, the processor waits for the first confidential virtual machine to finish operating before releasing the first confidential virtual machine.
- the specific process of the processor releasing the first confidential virtual machine may include erasing the context information of the first confidential virtual machine, erasing the content related to the first confidential virtual machine in the memory of the computing device 300, and releasing the resources occupied by the first confidential virtual machine, such as memory.
- (2) APP management: the processor of the computing device 300 can obtain on the REE side a second management command for the first confidential virtual machine, and then run the first virtual machine manager under EL3 to perform, according to that command, one or any combination of the following operations on the first confidential virtual machine: install, start, shut down, upgrade, uninstall and migrate an APP.
- (3) Memory management: the processor of the computing device 300 can run the first virtual machine manager under EL3 to create, change or destroy the first-level page table or the second-level page table of the first confidential virtual machine, thereby managing its memory.
- The first-level page table of the first confidential virtual machine maps the virtual addresses (VA) used inside the virtual machine to the addresses it treats as physical: a physical address (PA) when a single stage of translation is used, or an intermediate physical address (IPA) when two stages are used.
- The second-level page table completes the two-stage translation: VA is mapped to IPA, and IPA is mapped to a PA allocated to the first confidential virtual machine in the computing device. Because the IPA-to-PA stage is controlled by the first virtual machine manager rather than by the guest, it is the stage that confines the first confidential virtual machine to the memory assigned to it.
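The two translation stages described above, as an added example that is not part of the application: a C model in which the guest owns the stage-1 (VA to IPA) table and the first virtual machine manager owns the stage-2 (IPA to PA) table. The page size, the table sizes, the partition range and the fault codes are assumptions made for this example. It shows why the second stage is the security boundary: the guest can point any VA at any IPA, but the monitor installs only stage-2 entries whose PA lies inside the partition it assigned to that virtual machine, so neither the guest nor a REE hypervisor asking on its behalf can alias REE memory or another confidential virtual machine's memory. A stage-2 miss is the page fault exception that the first virtual machine manager handles at EL3 (see the exception handling item below); the handler modelled here backs the faulting IPA with the next unused page of the virtual machine's own partition, or refuses when the partition is exhausted.

```c
/* Added example, not the application's code: a toy two-stage translation with a
 * guest-owned stage-1 table and a monitor-owned stage-2 table. Page size, table
 * size, the partition range and the fault codes are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ULL << PAGE_SHIFT)
#define PAGE_MASK   (PAGE_SIZE - 1)
#define N_ENTRIES   64U                     /* single-level tables covering 256 KiB */

/* Entry layout: bit 0 valid, bit 1 writable, bits 12 and up the output page address. */
#define PTE_VALID   0x1ULL
#define PTE_WRITE   0x2ULL
#define PTE_ADDR(e) ((e) & ~PAGE_MASK)

enum xlat_fault { XLAT_OK = 0, XLAT_S1_FAULT, XLAT_S2_FAULT, XLAT_PERM_FAULT, XLAT_RANGE };

struct guest { uint64_t stage1[N_ENTRIES]; };       /* VA page -> IPA page, guest-owned */
struct cvm_mem {
    uint64_t pa_base, pa_size;                      /* partition the monitor gave this VM */
    uint64_t next_free;                             /* toy bump allocator within it       */
    uint64_t stage2[N_ENTRIES];                     /* IPA page -> PA page, monitor-owned */
};

static unsigned page_index(uint64_t addr) { return (unsigned)(addr >> PAGE_SHIFT); }

/* Guest side: the guest may map any VA to any IPA; nothing here is trusted. */
int guest_map(struct guest *g, uint64_t va, uint64_t ipa, int writable)
{
    if (((va | ipa) & PAGE_MASK) || page_index(va) >= N_ENTRIES) return -1;
    g->stage1[page_index(va)] = ipa | PTE_VALID | (writable ? PTE_WRITE : 0);
    return 0;
}

/* Monitor side (EL3): a stage-2 entry is installed only if its PA lies inside the
 * VM's own partition. This check is what confines the confidential VM. */
int monitor_map_stage2(struct cvm_mem *m, uint64_t ipa, uint64_t pa, int writable)
{
    if (((ipa | pa) & PAGE_MASK) || page_index(ipa) >= N_ENTRIES) return -1;
    if (pa < m->pa_base || pa - m->pa_base >= m->pa_size) return -2;  /* outside partition */
    m->stage2[page_index(ipa)] = pa | PTE_VALID | (writable ? PTE_WRITE : 0);
    return 0;
}

/* Monitor side: page-fault handler for a stage-2 miss. Backs the faulting IPA with
 * the next unused page of the partition, or refuses once the partition is exhausted. */
int monitor_on_s2_fault(struct cvm_mem *m, uint64_t ipa)
{
    if (m->next_free >= m->pa_size) return -1;
    int rc = monitor_map_stage2(m, ipa & ~PAGE_MASK, m->pa_base + m->next_free, 1);
    if (rc == 0) m->next_free += PAGE_SIZE;
    return rc;
}

/* Hardware walk for one guest access: stage 1 (VA -> IPA), then stage 2 (IPA -> PA). */
enum xlat_fault translate(const struct guest *g, const struct cvm_mem *m,
                          uint64_t va, int is_write, uint64_t *pa_out)
{
    if (page_index(va) >= N_ENTRIES) return XLAT_RANGE;
    uint64_t e1 = g->stage1[page_index(va)];
    if (!(e1 & PTE_VALID)) return XLAT_S1_FAULT;
    if (is_write && !(e1 & PTE_WRITE)) return XLAT_PERM_FAULT;
    uint64_t ipa = PTE_ADDR(e1) | (va & PAGE_MASK);
    if (page_index(ipa) >= N_ENTRIES) return XLAT_RANGE;
    uint64_t e2 = m->stage2[page_index(ipa)];
    if (!(e2 & PTE_VALID)) return XLAT_S2_FAULT;           /* trapped to EL3 for handling */
    if (is_write && !(e2 & PTE_WRITE)) return XLAT_PERM_FAULT;
    *pa_out = PTE_ADDR(e2) | (ipa & PAGE_MASK);
    return XLAT_OK;
}

int main(void)
{
    struct guest g = {{0}};
    struct cvm_mem m = { .pa_base = 0x80000000ULL, .pa_size = 16 * PAGE_SIZE };
    uint64_t pa = 0;
    guest_map(&g, 0x1000, 0x2000, 1);
    printf("map REE page 0x40000000 into the VM: %d (refused)\n",
           monitor_map_stage2(&m, 0x2000, 0x40000000ULL, 1));
    monitor_map_stage2(&m, 0x2000, 0x80003000ULL, 1);
    enum xlat_fault f = translate(&g, &m, 0x1234, 1, &pa);
    printf("VA 0x1234 -> fault %d, PA 0x%llx\n", (int)f, (unsigned long long)pa);
    return 0;
}
```

Two design points carry over to a real monitor: the partition check in `monitor_map_stage2` is computed as `pa - pa_base >= pa_size` after confirming `pa >= pa_base`, so a hostile PA near the top of the address space cannot wrap the comparison, and the stage-2 permission bits are enforced independently of whatever the guest wrote into stage 1, which is why a writable stage-1 entry over a read-only stage-2 page still faults on write.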
- (4) Exception handling: the processor of the computing device 300 can run the first virtual machine manager under EL3 to save the context of the first confidential virtual machine, handle the exception raised by the first confidential virtual machine, and after handling it restore the saved context to the first confidential virtual machine so that it resumes operation.
- The exception of the first confidential virtual machine can be a page fault exception, an MMIO operation exception, wait for interrupt (WFI), wait for event (WFE), execution of a hypervisor call (HVC) instruction, execution of an SMC instruction, a system register read or write, an instruction abort, a data abort (such as a synchronous data abort), an interrupt request (IRQ) or fast interrupt request (FIQ), an exit caused by a Power State Coordination Interface (PSCI) power management call, a system error exit, and so on.
- An MMIO operation is an access by the first confidential virtual machine to an I/O device through MMIO; an MMIO operation exception is an exception raised when the first confidential virtual machine performs such an access.
- Concretely, the first virtual machine manager running at EL3 receives from the first confidential virtual machine a page fault exception handling request, an MMIO operation exception handling request, or a synchronous data abort handling request, and handles the corresponding exception of the first confidential virtual machine according to that request.
- (5) Security check: by running the first virtual machine manager under EL3, the processor can provide the configuration information of the first confidential virtual machine (such as the type and number of virtual processor cores and the memory addresses), the version information of the operating system installed on it, the APP name, etc. to the user on the REE side for a security check, that is, the user determines whether the first confidential virtual machine is a secure virtual machine that meets expectations or an insecure virtual machine that poses a security threat.
- the processor runs the first virtual machine manager under EL3 and obtains feedback from the user that the first confidential virtual machine is a secure virtual machine that meets the user's expectations, the processor determines that the first confidential virtual machine is a secure virtual machine and starts the first confidential virtual machine. Otherwise, the processor determines that the first confidential virtual machine is an unsecure virtual machine and does not start the first confidential virtual machine.
- the processor can also check the security of the first confidential virtual machine in other ways, which is not specifically limited in this application.
- Likewise, by running the first virtual machine manager under EL3, the processor can provide the certificate of the computing device 300 to the user on the REE side for a legitimacy check, that is, the user determines whether the computing device 300 is a secure device that meets expectations or an insecure device with security threats.
- If the processor, running the first virtual machine manager under EL3, obtains feedback from the user that the computing device is a secure device that meets expectations, it determines that the computing device is secure and starts the first confidential virtual machine; otherwise it determines that the computing device is insecure and does not start the first confidential virtual machine.
- the processor can also check the security of the computing device 300 in other ways, which is not specifically limited in this application.
- When the specifications of the first confidential virtual machine are changed, the processor can re-determine the security of the changed first confidential virtual machine, and start and run it only if it is determined to be secure; otherwise it refuses to start the changed first confidential virtual machine.
- If the certificate of the computing device 300 expires during operation, the processor can remind the user on the REE side that the certificate has expired, or inform the user of the security risk of the computing device 300, allowing the user to decide whether to continue using the computing device 300 to run the first confidential virtual machine.
- running the first confidential virtual machine after checking the security of the first confidential virtual machine and the security of the computing device 300, and continuing to monitor the security of the first confidential virtual machine and the computing device 300 during the operation of the first confidential virtual machine can improve the security of the first confidential virtual machine, thereby improving the security of user data stored or used in the first confidential virtual machine.
- Before the processor of the computing device 300 runs the first confidential virtual machine on the TEE side, it can also obtain, on the REE side or the TEE side, one or any combination of the following: a virtual interrupt of the first confidential virtual machine, a virtual clock used by it, and memory-mapped input/output (MMIO) information used by it. It then injects this information into the first confidential virtual machine and runs the first confidential virtual machine according to it.
- the virtual clock can be used for the first confidential virtual machine to measure the time interval, and the purpose of the first confidential virtual machine measuring the time interval can be to perform task scheduling, and the MMIO information can be used by the first confidential virtual machine to access the I/O device like accessing the memory.
- When this information is produced on the REE side (for example by the second virtual machine manager described below) and only injected into the TEE, the trusted computing base (TCB) on the TEE side can be made thinner.
- the first virtual machine manager includes a virtual interrupt register 10, a virtual clock register 20 and an MMIO register 30, wherein the virtual interrupt register 10 is used to store the virtual interrupt of the first confidential virtual machine simulated by the processor, the virtual clock register 20 is used to store the virtual clock for use by the first confidential virtual machine simulated by the processor, and the MMIO register 30 is used to store the MMIO information for use by the first confidential virtual machine simulated by the processor.
- The processor injects the virtual interrupt, virtual clock and MMIO information into the first confidential virtual machine as follows: the processor runs the first virtual machine manager under EL3 to write the corresponding register, which triggers the processor to generate an interrupt signal and send it to the first confidential virtual machine.
- After receiving the interrupt signal, the first confidential virtual machine reads the pending interrupt information from the corresponding register in the first virtual machine manager. Since the first virtual machine manager runs under EL3, the instruction the first confidential virtual machine executes to read that register is an SMC-type instruction, which traps to EL3.
- the first virtual machine manager further includes a virtual machine management module 40, a memory management module 50, an exception handling module 60, and a remote attestation module 70.
- the virtual machine management module 40 is used to perform the operations of creating and starting the first confidential virtual machine on the TEE side as described in S401 and S402 above, the operations of managing the life cycle of the first confidential virtual machine as described in 1 above, and the operations of managing the APP on the first confidential virtual machine as described in 2 above;
- the memory management module 50 is used to perform the operations of managing the memory of the first confidential virtual machine as described in 3 above;
- the exception handling module 60 is used to perform the operations of handling the exceptions of the first confidential virtual machine as described in 4 above, and optionally, the exception handling module 60 can also be used to perform the operations of managing the context of the first confidential virtual machine as described in 4 above;
- the remote attestation module 70 is used to perform the operations of checking the security of the first confidential virtual machine as described in 5 above and checking the security of the computing device 300, which can
- the names of the various modules in the first virtual machine manager shown in Figure 5 are merely examples.
- the virtual machine management module 40 can also be called a first confidential virtual machine management module
- the remote attestation module 70 can also be called a security check module, etc., and should not be regarded as specific limitations on the names of the various modules in the first virtual machine manager.
- the operations performed by the processor of the computing device 300 on the REE side may be implemented by the processor running a second virtual machine manager on the REE side.
- the processor of the computing device 300 can also perform other operations, such as creating, modifying and destroying the secondary page table on the REE side, such as simulating virtualized I/O devices such as virtual disks, VNICs, etc. for use by the first confidential virtual machine.
- This application does not specifically limit the operations that the processor of the computing device 300 can perform.
- the process includes the following steps:
- the second virtual machine manager obtains a creation instruction carrying configuration information of the first confidential virtual machine to be created; the configuration information includes memory information allocated to the first confidential virtual machine, virtual processor core information used by the first confidential virtual machine, an operating system kernel, and a file system.
- the configuration information may also include other contents, which are not specifically limited in this application.
- the second virtual machine manager calls the memory partitioning interface provided by the first virtual machine manager, and passes the memory information carried by the creation instruction to the first virtual machine manager, so that the first virtual machine manager divides the memory for use by the first confidential virtual machine in the memory resources on the TEE side based on the memory information.
- the second virtual machine manager calls the virtual processor core creation interface provided by the first virtual machine manager, and passes the virtual processor core information carried by the creation instruction to the first virtual machine manager, so that the first virtual machine manager simulates a virtual processor core for use by the first confidential virtual machine based on the virtual processor core information.
- the second virtual machine manager calls the communication interface provided by the first virtual machine manager to pass the operating system kernel and the file system for use by the first confidential virtual machine to the first virtual machine manager, so that the first virtual machine manager stores the operating system kernel and the file system for use by the first confidential virtual machine in the above-mentioned memory for use by the first confidential virtual machine.
- the second virtual machine manager calls the virtual machine running interface provided by the first virtual machine manager, and passes the virtual interrupt, virtual clock and MMIO information of the first confidential virtual machine to the first virtual machine manager, so that the first virtual machine manager injects the virtual interrupt, virtual clock and MMIO information into the first confidential virtual machine, and starts running the first confidential virtual machine.
- the second virtual machine manager receives the exception handling instruction from the first confidential virtual machine forwarded by the first virtual machine manager.
- S607: the second virtual machine manager handles the exception occurring in the first confidential virtual machine according to the exception handling instruction.
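As an added illustration (not code from the patent), the following C model shows the creation flow above from the side of the EL3 first virtual machine manager: the REE-side second virtual machine manager calls the memory partitioning, virtual processor core creation, communication and running interfaces in order, the first virtual machine manager validates every REE-supplied parameter against its own state and its TEE memory pool before acting on it, and the VM is started only if the measured image matches the value approved in the security check. The function names, the pool addresses and the FNV-1a stand-in measurement are constructed assumptions; a real manager would use a cryptographic hash and would be entered through SMC calls.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TEE-side memory pool reserved for confidential VMs (constructed values). */
#define TEE_POOL_BASE 0x80000000ULL
#define TEE_POOL_SIZE 0x10000000ULL
#define MAX_VCPUS     8

enum vm_state { VM_NONE, VM_MEM_PARTITIONED, VM_VCPU_CREATED, VM_IMAGE_LOADED, VM_RUNNING };
enum { TEE_OK = 0, TEE_ERR_STATE = -1, TEE_ERR_RANGE = -2, TEE_ERR_NOT_SECURE = -3 };

struct confidential_vm {
    enum vm_state state;
    uint64_t mem_base, mem_size;  /* region partitioned out of the TEE pool */
    unsigned nr_vcpus;
    uint64_t image_hash;          /* measurement of kernel + file system as stored */
    uint64_t expected_hash;       /* value the user approved during the security check */
};

/* Stand-in measurement (64-bit FNV-1a); a real manager would use SHA-256 or similar. */
uint64_t measure_image(const uint8_t *kernel, size_t klen, const uint8_t *fs, size_t flen)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < klen; i++) { h ^= kernel[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < flen; i++) { h ^= fs[i];     h *= 0x100000001b3ULL; }
    return h;
}

/* Memory partitioning interface. base/size were chosen by the REE side, so they are
   checked here, overflow-safely, to lie entirely inside the TEE pool. */
int tee_vmm_partition_memory(struct confidential_vm *vm, uint64_t base, uint64_t size)
{
    if (vm->state != VM_NONE) return TEE_ERR_STATE;
    if (size == 0 || size > TEE_POOL_SIZE || base < TEE_POOL_BASE ||
        base - TEE_POOL_BASE > TEE_POOL_SIZE - size)
        return TEE_ERR_RANGE;
    vm->mem_base = base;
    vm->mem_size = size;
    vm->state = VM_MEM_PARTITIONED;
    return TEE_OK;
}

/* Virtual processor core creation interface. */
int tee_vmm_create_vcpus(struct confidential_vm *vm, unsigned nr_vcpus)
{
    if (vm->state != VM_MEM_PARTITIONED) return TEE_ERR_STATE;
    if (nr_vcpus == 0 || nr_vcpus > MAX_VCPUS) return TEE_ERR_RANGE;
    vm->nr_vcpus = nr_vcpus;
    vm->state = VM_VCPU_CREATED;
    return TEE_OK;
}

/* Communication interface: kernel and file system are stored in the VM's memory and
   measured at that moment, so the security check reflects what was actually loaded. */
int tee_vmm_load_image(struct confidential_vm *vm, const uint8_t *kernel, size_t klen,
                       const uint8_t *fs, size_t flen)
{
    if (vm->state != VM_VCPU_CREATED) return TEE_ERR_STATE;
    if (klen > vm->mem_size || flen > vm->mem_size - klen) return TEE_ERR_RANGE;
    vm->image_hash = measure_image(kernel, klen, fs, flen);
    vm->state = VM_IMAGE_LOADED;
    return TEE_OK;
}

/* Virtual machine running interface (virtual interrupt, clock and MMIO information
   would be injected here too). The VM starts only if the measurement matches the
   approved value; otherwise it is treated as a non-secure VM and left unstarted. */
int tee_vmm_run(struct confidential_vm *vm)
{
    if (vm->state != VM_IMAGE_LOADED) return TEE_ERR_STATE;
    if (vm->image_hash != vm->expected_hash) return TEE_ERR_NOT_SECURE;
    vm->state = VM_RUNNING;
    return TEE_OK;
}

int main(void)
{
    /* Constructed flow: on real hardware KVM on the REE side would drive these calls. */
    static const uint8_t kernel[] = "constructed kernel image";
    static const uint8_t rootfs[] = "constructed file system";
    struct confidential_vm vm;
    memset(&vm, 0, sizeof vm);
    vm.expected_hash = measure_image(kernel, sizeof kernel, rootfs, sizeof rootfs);
    if (tee_vmm_partition_memory(&vm, TEE_POOL_BASE + 0x100000, 0x400000) != TEE_OK) return 1;
    if (tee_vmm_create_vcpus(&vm, 2) != TEE_OK) return 1;
    if (tee_vmm_load_image(&vm, kernel, sizeof kernel, rootfs, sizeof rootfs) != TEE_OK) return 1;
    return tee_vmm_run(&vm) == TEE_OK ? 0 : 1;
}
```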
- when the processor of the computing device 300 needs to simulate a virtualized I/O device for use by the first confidential virtual machine, this can be achieved through VirtIO technology.
- the operating system kernel of the first confidential virtual machine on the TEE side includes a VirtIO front-end driver.
- the second virtual machine manager such as KVM includes a VirtIO back-end driver.
- the first virtual machine manager may also include a memory synchronization module.
- the memory resources on the REE side include a first memory (VRING) (not shown in FIG. 7) used for data transmission between the VirtIO front-end driver and the VirtIO back-end driver.
- the memory resources on the REE side include a second memory (not shown in FIG. 7 ) that has a mapping relationship with the first memory.
- the second memory can be regarded as a shadow memory of the first memory, and the second memory is usually the same size as the first memory.
- the processor of the computing device 300 can run the VirtIO back-end driver to create a virtualized I/O device, and then, after starting the first confidential virtual machine, run the VirtIO front-end driver in the first confidential virtual machine to load the virtualized I/O device, thereby simulating the virtualized I/O device. In this way, the computing device 300 can implement the I/O communication of the first confidential virtual machine through VirtIO technology.
- during the I/O communication of the first confidential virtual machine implemented by the computing device 300 through VirtIO technology, the memory synchronization module is used to synchronize the data that the VirtIO front-end driver needs to send to the VirtIO back-end driver (hereinafter referred to as the first data) from the first memory to the second memory, and to synchronize the data that the VirtIO back-end driver needs to send to the VirtIO front-end driver (hereinafter referred to as the second data) from the second memory to the first memory.
- the first data can also be understood as the data that the first confidential virtual machine needs to transmit to the external network of the computing device 300.
- the second data can also be understood as the data that the first confidential virtual machine needs to receive from the external network of the computing device 300.
- the virtual machine can be isolated from the host operating system kernel (located on the REE side) through the first virtual machine manager.
- the virtual machine is protected by the first virtual machine manager under EL3 and can avoid being accessed by the host operating system kernel on the REE side.
- the attacker cannot control the virtual machine through the virtual machine manager in the host operating system kernel, such as KVM, thereby protecting the security of the virtual machine in the computing device, and then protecting the security of user data in the virtual machine.
- each module within the virtual machine implementation device may also be divided into multiple types, and each module may be a software module, a hardware module, or partly a software module and partly a hardware module, and this application does not limit it.
- each of the multiple unit modules may be deployed on the same computing device.
- FIG. 8 is a schematic diagram of the structure of a virtual machine implementation device 800 exemplarily shown in the present application, which can be applied to the computing device 300 whose hardware resources are divided into the REE side and the TEE side as shown in FIG. 3.
- the virtual machine implementation device 800 includes: a processing module 810.
- the functions of each module of the virtual machine implementation device 800 are exemplarily introduced below. It should be understood that the functions of each module described below are only the functions that the virtual machine implementation device 800 can have in some embodiments of the present application, and the present application does not limit the functions of each module.
- the processing module 810 is used to run a first virtual machine manager under EL3 to start a first virtual machine, where the first virtual machine is deployed on the TEE side.
- the first virtual machine can be understood as the first confidential virtual machine mentioned above.
- the apparatus 800 further includes an acquisition module 820;
- the acquisition module 820 is used to acquire encrypted user data on the REE side;
- the processing module 810 is further used to run the first virtual machine manager under EL3, obtain the decryption key stored on the TEE side, and use the decryption key to decrypt the encrypted user data to obtain the user data plaintext;
- the processing module 810 is further configured to run the first virtual machine to process the above-mentioned user data plaintext.
- the acquisition module 820 is also used to acquire a creation instruction on the REE side, where the creation instruction carries configuration information of the first virtual machine to be created; the processing module 810 is also used to run the first virtual machine manager under EL3, and create the first virtual machine on the TEE side according to the configuration information carried by the creation instruction.
- the acquisition module 820 is further used to simulate and obtain the first data on the REE side, where the first data includes one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock used by the first virtual machine, and MMIO information used by the first virtual machine; the processing module 810 is further used to write the first data into the first virtual machine manager; the processing module 810 is further used to run the first virtual machine manager under EL3 and inject the first data into the first virtual machine; the processing module 810 is further used to run the first virtual machine according to the first data.
- the processing module 810 is also used to run the first virtual machine manager under EL3 to determine whether the first virtual machine is a secure virtual machine. If the first virtual machine is determined to be a secure virtual machine, the first virtual machine is started; if the first virtual machine is determined to be a non-secure virtual machine, the first virtual machine is not started.
- the processing module 810 is further configured to run the first virtual machine manager under EL3 to determine whether the computing device is a secure device. If the computing device is determined to be a secure device, the first virtual machine is started; if the computing device is determined to be a non-secure device, the first virtual machine is not started.
- the acquisition module 820 is also used to acquire a first management command for the life cycle of the first virtual machine on the REE side; the processing module 810 is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations on the first virtual machine according to the first management command: power on, power off, change specifications, migrate, and release.
- the acquisition module 820 is further used to acquire a second management command for the first virtual machine on the REE side; the processing module 810 is further used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations on the first virtual machine according to the second management command: install, start, shut down, upgrade, uninstall and migrate applications.
- the processing module 810 is also used to: when an exception occurs in the first virtual machine, run the first virtual machine manager under EL3 to establish the context of the first virtual machine, handle the exception that occurs in the first virtual machine, and after handling the exception that occurs in the first virtual machine, restore the context of the first virtual machine to the first virtual machine to resume the operation of the first virtual machine.
- when the exception of the first virtual machine is a page fault exception, an MMIO operation exception, or a data termination synchronization exception, the processing module 810 is used to run the first virtual machine manager under EL3, receive the page fault exception processing instruction, the MMIO operation exception processing instruction, or the data termination synchronization exception processing instruction sent by the first virtual machine, and process the page fault exception, the MMIO operation exception, or the data termination synchronization exception of the first virtual machine according to the corresponding instruction.
- the page fault exception processing instruction, the MMIO operation exception processing instruction, or the data termination synchronization exception processing instruction is an SMC type instruction.
- the MMIO operation exception is an exception caused when the first virtual machine performs an MMIO operation.
- the processing module 810 is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations: create, change or destroy the first-level page table of the first virtual machine, where the first-level page table of the first virtual machine is a page table that maps the VA of the first virtual machine to the PA allocated to the first virtual machine in the computing device.
- the REE side includes a second virtual machine manager, a VirtIO front-end driver is deployed in the first virtual machine manager, a VirtIO back-end driver is deployed in the second virtual machine manager, a memory synchronization module is deployed in the first virtual machine manager, the TEE side includes a first memory for data transmission between the VirtIO front-end driver and the VirtIO back-end driver, the REE side includes a second memory, and the memory synchronization module includes a mapping relationship between the first memory and the second memory; the processing module 810 is used to run the memory synchronization module to synchronize first data in the first memory to the second memory according to the mapping relationship between the first memory and the second memory, and the first data is data that the VirtIO front-end driver needs to send to the VirtIO back-end driver, or the processing module 810 is used to run the memory synchronization module to synchronize second data in the second memory to the first memory according to the mapping relationship between the first memory and the second memory, and the
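As an added example (not from the patent), the following C model of the memory synchronization module follows the FIG. 8 description above and the VirtIO passage earlier: the first memory is the VRING inside the confidential VM on the TEE side, the second memory is its REE-side shadow, and the module copies first data outward and second data inward. Because the shadow is under REE control, every index and descriptor is validated against the TEE-side copy before any bytes move; the ring layout, sizes and function names are constructed assumptions, not the patent's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define RING_SLOTS   4
#define SLOT_BYTES   64
#define DATA_BYTES   (RING_SLOTS * SLOT_BYTES)
#define DESC_F_WRITE 2u   /* buffer is written by the back end (device side) */

/* A VirtIO-style descriptor: a buffer inside the ring's data area. */
struct vring_desc { uint32_t off; uint32_t len; uint16_t flags; };

/* One instance is the "first memory" (VRING inside the confidential VM, TEE side);
   a second instance is the "second memory" (REE-side shadow of the same size). */
struct ring_mem {
    struct vring_desc desc[RING_SLOTS];
    uint16_t avail_idx;          /* advanced by the front-end driver (TEE side) */
    uint16_t used_idx;           /* advanced by the back-end driver (REE side) */
    uint8_t  data[DATA_BYTES];
};

enum { SYNC_OK = 0, SYNC_ERR_DESC = -1, SYNC_ERR_INDEX = -2 };

static bool desc_in_bounds(const struct vring_desc *d)
{
    return d->len <= DATA_BYTES && d->off <= DATA_BYTES - d->len;
}

/* First data (front end -> back end): copy the descriptors and the request buffers of
   every entry the front end has made available and the back end has not yet consumed. */
int sync_to_shadow(const struct ring_mem *tee, struct ring_mem *shadow)
{
    uint16_t pending = (uint16_t)(tee->avail_idx - tee->used_idx);
    if (pending > RING_SLOTS) return SYNC_ERR_INDEX;   /* more entries than the ring holds */
    memcpy(shadow->desc, tee->desc, sizeof tee->desc);
    for (uint16_t n = 0; n < pending; n++) {
        const struct vring_desc *d = &tee->desc[(uint16_t)(tee->used_idx + n) % RING_SLOTS];
        if (!desc_in_bounds(d)) return SYNC_ERR_DESC;
        if (!(d->flags & DESC_F_WRITE))
            memcpy(shadow->data + d->off, tee->data + d->off, d->len);
    }
    shadow->avail_idx = tee->avail_idx;   /* publish only after the buffers are in place */
    return SYNC_OK;
}

/* Second data (back end -> front end): copy the completed, back-end-written buffers.
   The shadow is REE controlled, so its index is read exactly once and every descriptor
   is taken from the TEE-side copy, never from the shadow. */
int sync_from_shadow(const struct ring_mem *shadow, struct ring_mem *tee)
{
    uint16_t new_used = shadow->used_idx;               /* single read: no TOCTOU window */
    uint16_t done = (uint16_t)(new_used - tee->used_idx);
    if (done > (uint16_t)(tee->avail_idx - tee->used_idx))
        return SYNC_ERR_INDEX;                          /* more completions than requests */
    for (uint16_t n = 0; n < done; n++) {
        const struct vring_desc *d = &tee->desc[(uint16_t)(tee->used_idx + n) % RING_SLOTS];
        if (!desc_in_bounds(d)) return SYNC_ERR_DESC;
        if (d->flags & DESC_F_WRITE)
            memcpy(tee->data + d->off, shadow->data + d->off, d->len);
    }
    tee->used_idx = new_used;
    return SYNC_OK;
}

int main(void)
{
    /* Constructed round trip: one request buffer out, one response buffer back. */
    struct ring_mem tee, shadow;
    memset(&tee, 0, sizeof tee);
    memset(&shadow, 0, sizeof shadow);
    tee.desc[0].off = 0;  tee.desc[0].len = 16; tee.desc[0].flags = 0;
    tee.desc[1].off = 64; tee.desc[1].len = 64; tee.desc[1].flags = DESC_F_WRITE;
    memcpy(tee.data, "constructed-req", 16);
    tee.avail_idx = 2;
    if (sync_to_shadow(&tee, &shadow) != SYNC_OK) return 1;
    memcpy(shadow.data + 64, "constructed-resp", 17);  /* the back end's answer */
    shadow.used_idx = 2;
    if (sync_from_shadow(&shadow, &tee) != SYNC_OK) return 1;
    return memcmp(tee.data + 64, "constructed-resp", 17) == 0 ? 0 : 1;
}
```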
- the specific implementation of various operations performed by the virtual machine implementation device 800 can refer to the description in the relevant content of the above-mentioned virtual machine implementation method embodiment, and for the sake of brevity of the specification, it will not be repeated here.
- FIG. 9 is a schematic diagram of the structure of another computing device 300 provided by the present application, wherein the computing device 300 includes: a processor 310, a memory unit 320, a communication interface 330, a memory 340, an input device 350, and an output device 360, wherein the processor 310, the memory unit 320, the communication interface 330, the memory 340, the input device 350, and the output device 360 can be interconnected via a bus 370.
- the processor 310 can read the program code (including instructions) stored in the memory unit 320 and execute the program code stored in the memory unit 320, so that the computing device 300 executes the steps in the virtual machine implementation method provided in the above method embodiment.
- the processor 310 may have a variety of specific implementation forms.
- the processor 310 may be at least one central processing unit (CPU), as shown in FIG. 9, including CPU0 and CPU1.
- the processor 310 may also be a graphics processing unit (GPU), etc.
- the processor 310 may also be a single-core processor or a multi-core processor.
- the processor 310 may be a combination of a CPU and a hardware chip.
- the above-mentioned hardware chip may be implemented by an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
- the above-mentioned PLD may be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
- the processor 310 may also be implemented by a logic device with built-in processing logic, such as an FPGA or a digital signal processor (DSP).
- the memory unit 320 is used to store the kernel, program code, and program data generated when the processor 310 executes the program code stored in the memory unit 320.
- the program code includes: the code of the acquisition module 820 and the code of the processing module 810, etc.
- the program data includes: user data, configuration information of the first confidential virtual machine, and processing results obtained by the first confidential virtual machine processing the user data, etc.
- the communication interface 330 may be a wired interface (e.g., an Ethernet interface, a fiber optic interface, or another type of interface such as an InfiniBand (IB) interface) or a wireless interface (e.g., a cellular network interface or a wireless local area network interface) for communicating with other computing devices.
- the communication interface 330 may adopt a protocol family above the transmission control protocol/internet protocol (TCP/IP), such as the remote function call (RFC) protocol, the simple object access protocol (SOAP) protocol, the simple network management protocol (SNMP) protocol, the common object request broker architecture (CORBA) protocol, and distributed protocols.
- the memory 340 may be a non-volatile memory, such as a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory.
- the memory 340 may also be a volatile memory, such as a random access memory (RAM).
- the input device 350 may include a mouse and a keyboard, etc.
- the user may input data or instructions to the computing device 300 through the input device 350, such as the above-mentioned data to be processed, configuration information of the confidential virtual machine, the first management instruction, the second management instruction, etc.
- the output device 360 may include a display, and the computing device 300 may provide data to the user through the display, such as providing the user with the result of the confidential virtual machine processing the data to be processed, etc.
- the display may include a cathode ray tube display (CRT), a plasma display panel (PDP), a liquid crystal display (LCD), etc.
- the liquid crystal display includes a liquid crystal panel and a backlight module, wherein the liquid crystal panel includes a polarizing film, a glass substrate, a black matrix, a color filter, a protective film, a common electrode, an alignment layer, a liquid crystal layer (liquid crystal, spacers, sealant), a capacitor, a display electrode, a prism layer, and a light diffusion layer.
- the backlight module includes: an illumination light source, a reflector, a light guide plate, a diffuser, a brightness enhancement film (prism sheet) and a frame, etc.
- the bus 370 may be a peripheral component interconnect express (PCIe) bus or an extended industry standard architecture (EISA) bus, etc.
- the bus 370 may be divided into an address bus, a data bus, a control bus, etc.
- FIG. 9 shows only one thick line, but this does not mean that there is only one bus or one type of bus.
- the computing device 300 of the embodiment of the present application may correspond to the computing device including the virtual machine implementation device 800 in the embodiment of the present application, and may correspond to the corresponding execution subjects in the methods shown in Figures 4A, 4B, and 6 of the embodiment of the present application; the operations and/or functions of each module in the computing device 300 are respectively used to implement the corresponding processes of the methods shown in Figures 4A, 4B, and 6, which will not be repeated here for the sake of brevity.
- computing device 300 is only an example provided in an embodiment of the present application, and computing device 300 may have more or fewer components than those shown in FIG. 9 , may combine two or more components, or may have different configurations of components.
- the present application also provides a computer-readable storage medium, in which instructions are stored. When the instructions are executed, some or all of the steps of the virtual machine implementation method recorded in the above embodiment can be implemented.
- the present application also provides a computer program product.
- when the computer program product is read and executed by a computer, it can implement some or all of the steps of the virtual machine implementation method recorded in the above method embodiment.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless (e.g., infrared, radio, microwave, etc.) means.
- the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
- the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a tape), an optical medium, or a semiconductor medium, etc.
Description
This application claims priority to Chinese patent application No. 202310963299.X, filed with the State Intellectual Property Office of China on July 31, 2023 and entitled "Virtual Machine Implementation Method, Device and Computer-readable Storage Medium", the entire contents of which are incorporated herein by reference.
The present application relates to the field of virtualization technology, and in particular to a virtual machine implementation method, device and computer-readable storage medium.
A virtual machine (VM) is a complete computer system, simulated by software, that has the functions of a complete hardware system and runs in a completely isolated environment. Any work that can be done on a computing device (such as a server) can be done in a virtual machine. When a virtual machine is created on a computing device, part of the hard disk and memory capacity of the physical machine is used as the hard disk and memory capacity of the virtual machine; each virtual machine has an independent hard disk and operating system, and the user of the virtual machine can operate it just as they would operate a computing device.
Currently, the virtual machines in a computing device are managed by a hypervisor in the host operating system kernel, such as the kernel-based virtual machine (KVM). Once the host operating system kernel is compromised by an attacker, the attacker can control the virtual machines running in the host operating system kernel, posing a security threat to the user data in those virtual machines.
Summary of the invention
The present application provides a virtual machine implementation method, device and computer-readable storage medium, which can greatly reduce the risk of virtual machines in a computing device being attacked and improve the security of user data in the virtual machines.
In a first aspect, a virtual machine implementation method is provided, which is applied to a computing device whose hardware resources are divided into a rich execution environment (REE) side and a trusted execution environment (TEE) side, the computing device including a first virtual machine manager. The method specifically includes the following step: a processor of the computing device runs the above-mentioned first virtual machine manager at exception level 3 (EL3) to start a first virtual machine, the first virtual machine being deployed on the TEE side.
It can be understood that in the above scheme, after the processor starts the first virtual machine, it can run the first virtual machine to process user data. Since the processor runs the first virtual machine manager under EL3 to start the first virtual machine, and the first virtual machine is deployed on the TEE side, the virtual machine can be isolated from the host operating system kernel (located on the REE side) through the first virtual machine manager. In other words, the virtual machine is protected by the first virtual machine manager under EL3 and can avoid being accessed by the host operating system kernel on the REE side. Therefore, even if an attacker breaks into the host operating system kernel, the attacker cannot control the virtual machine through the virtual machine manager in the host operating system kernel, such as KVM, which protects the security of the virtual machine in the computing device and in turn protects the security of the user data in the virtual machine.
In a possible implementation, after the processor starts the first virtual machine, the method further includes the following steps:
the processor obtains the encrypted user data on the REE side;
the processor runs the first virtual machine manager under EL3 to obtain the decryption key stored on the TEE side, and uses the decryption key to decrypt the encrypted user data to obtain the user data;
the processor runs the first virtual machine to process the user data.
In this implementation, since the user data is encrypted on the REE side and the decryption key is stored on the TEE side, the processor can only obtain the decryption key by running the first virtual machine manager under EL3; the software on the REE side (such as the host operating system kernel and the virtual machine manager in the host operating system kernel) cannot obtain the decryption key stored on the TEE side. Therefore, even if an attacker breaks through the software on the REE side and steals the encrypted data, the attacker cannot decrypt it to obtain the plaintext of the user data. This meets the requirement that user data not be stolen by software on the REE side, further improving the security of the user data.
In a possible implementation, before starting the first virtual machine, the method further includes the following steps: the processor obtains, on the REE side, a creation instruction carrying configuration information of the first virtual machine to be created, and then the processor runs the first virtual machine manager under EL3 to create the first virtual machine on the TEE side according to the configuration information carried by the creation instruction.
By implementing this implementation, a virtual machine can be created on the TEE side, which facilitates the subsequent use of that virtual machine to securely process user data.
In a possible implementation, the method further includes the following steps: the processor simulates and obtains first data on the REE side, then writes the first data into the first virtual machine manager, runs the first virtual machine manager under EL3 to inject the first data into the first virtual machine, and finally runs the first virtual machine according to the first data. The first data includes one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock used by the first virtual machine, and memory-mapped input/output (MMIO) information used by the first virtual machine.
By implementing this implementation, the virtual interrupt, virtual clock and MMIO information required for the operation of the first virtual machine can be simulated on the REE side, which facilitates the subsequent secure processing of user data using that virtual machine.
In addition, in this implementation, the processor simulates the virtual interrupt of the first virtual machine, the virtual clock used by the first virtual machine and the MMIO information used by the first virtual machine on the REE side, rather than using the first virtual machine manager for the simulation, which keeps the trusted computing base (TCB) of the first virtual machine manager relatively small.
In a possible implementation, the processor starts the first virtual machine when the first virtual machine manager running under EL3 determines that the first virtual machine is a secure virtual machine.
Specifically, the processor can run the first virtual machine manager under EL3 to provide the configuration information of the first virtual machine (such as the virtual processor core type, the number of virtual processor cores, memory addresses, etc.), the names of the applications (APPs) installed on the first virtual machine, the hash value of the image of the first virtual machine, etc., to the user on the REE side for security measurement; that is, the user determines whether the first virtual machine is a secure virtual machine that meets the user's expectations or a non-secure virtual machine that poses a security threat. When the processor, running the first virtual machine manager under EL3, obtains feedback from the user that the first virtual machine is a secure virtual machine meeting the user's expectations, the processor determines that the first virtual machine is a secure virtual machine and starts it; otherwise, the processor determines that the first virtual machine is a non-secure virtual machine and does not start it.
By implementing this implementation, the processor starts the virtual machine only when it has determined that the virtual machine is secure, which avoids using an insecure virtual machine to process user data and improves not only the security of the virtual machine but also the security of the user data in it.
In a possible implementation, the processor starts the first virtual machine when the first virtual machine manager running under EL3 determines that the computing device is a secure device.
Specifically, the processor can run the first virtual machine manager under EL3 to provide the certificate of the computing device to the user on the REE side for a legitimacy check; that is, the user determines whether the computing device is a secure device that meets the user's expectations or a non-secure device that poses a security threat. When the processor, running the first virtual machine manager under EL3, obtains feedback from the user that the computing device is a secure device meeting the user's expectations, the processor determines that the computing device is a secure device and starts the first virtual machine; otherwise, the processor determines that the computing device is a non-secure device and does not start the first virtual machine.
By implementing this implementation, the processor starts the virtual machine only when it has determined that the computing device is secure, which avoids using an insecure computing device to run the virtual machine to process user data and improves not only the security of the virtual machine but also the security of the user data in it.
在一种可能的实现方式中,上述方法还包括如下步骤:上述处理器在REE侧获取针对上述第一虚拟机的生命周期的第一管理命令,然后在EL3下运行上述第一虚拟机管理器,根据第一管理命令对第一虚拟机执行以下操作的一种或任意组合:开机、关机、更改规格、迁移和释放。In a possible implementation, the method further includes the following steps: the processor obtains a first management command for the life cycle of the first virtual machine on the REE side, and then runs the first virtual machine manager under EL3, and performs one or any combination of the following operations on the first virtual machine according to the first management command: power on, power off, change specifications, migrate, and release.
实施该实现方式,可以实现对TEE侧的虚拟机的生命周期进行管理。By implementing this implementation method, the life cycle of the virtual machine on the TEE side can be managed.
在一种可能的实现方式中,上述方法还包括如下步骤:上述处理器在REE侧获取针对上述第一虚拟机的第二管理命令,然后在EL3下运行上述第一虚拟机管理器,根据第二管理命令对第一虚拟机执行以下操作的一种或任意组合:安装应用程序、启动应用程序、关闭应用程序、升级应用程序、卸载应用程序和迁移应用程序。In a possible implementation, the method further includes the following steps: the processor obtains a second management command for the first virtual machine on the REE side, and then runs the first virtual machine manager under EL3, and performs one or any combination of the following operations on the first virtual machine according to the second management command: installing an application, starting an application, shutting down an application, upgrading an application, uninstalling an application, and migrating an application.
实施该实现方式,可以实现对TEE侧的虚拟机上的应用程序进行管理。By implementing this implementation method, it is possible to manage applications on the virtual machine on the TEE side.
在一种可能的实现方式中,上述方法还包括如下步骤:上述处理器在上述第一虚拟机出现异常时,在EL3下运行第一虚拟机管理器建立第一虚拟机的上下文,并处理第一虚拟机出现的异常,在处理完第一虚拟机出现的异常时,将上述第一虚拟机的上下文恢复至第一虚拟机,以恢复运行第一虚拟机。In a possible implementation, the method further includes the following steps: when an exception occurs in the first virtual machine, the processor runs the first virtual machine manager under EL3 to establish the context of the first virtual machine, and handles the exception that occurs in the first virtual machine. After handling the exception that occurs in the first virtual machine, the context of the first virtual machine is restored to the first virtual machine to resume the operation of the first virtual machine.
实施该实现方式,可以实现对TEE侧的虚拟机出现的异常进行处理。By implementing this implementation method, it is possible to handle exceptions that occur in the virtual machine on the TEE side.
In a possible implementation, when the exception occurring in the first virtual machine is a page fault, an MMIO operation exception, or a synchronous data abort, the processor running the first virtual machine manager to handle the exception of the first virtual machine includes the following:
the processor runs the first virtual machine manager to receive a page fault handling instruction, an MMIO operation exception handling instruction, or a synchronous data abort handling instruction sent by the first virtual machine, where each of these instructions is a secure monitor call (SMC) type instruction, and an MMIO operation exception is an exception raised when the first virtual machine performs an MMIO access;
the processor runs the first virtual machine manager to handle the page fault according to the page fault handling instruction;
or, the processor runs the first virtual machine manager to handle the MMIO operation exception according to the MMIO operation exception handling instruction;
or, the processor runs the first virtual machine manager to handle the synchronous data abort according to the synchronous data abort handling instruction.
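The following C model illustrates the SMC-based exception path described above. It is an illustration added to this page, not code from the patent application or from any product: the function-ID layout follows the Arm SMC Calling Convention (bit 31 marks a fast call, bits 29:24 carry the owning-entity number, and the SiP service range is entity 2), but the choice of the SiP range, the three function numbers, the per-VM bookkeeping structure and the return codes are assumptions made for the example. The point it adds to the text is the check a monitor must perform before acting on a guest's request: the faulting address is validated against the memory and MMIO window the monitor itself assigned to that VM, so the SMC path cannot be used to map or touch memory the VM does not own.

```c
/* Added example (not from the patent): a software model of the EL3 manager's
 * SMC dispatch for the three guest exception types described above.
 * Function IDs follow the Arm SMC Calling Convention layout; the SiP owning
 * entity, the function numbers and the struct below are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

#define SMC_FAST_CALL   (1u << 31)
#define SMC_OEN_SHIFT   24
#define SMC_OEN_MASK    (0x3fu << SMC_OEN_SHIFT)
#define SMC_OEN_SIP     2u          /* SiP service range (real SMCCC value) */
#define SMC_FN_MASK     0xffffu

/* Hypothetical function numbers chosen for this example. */
#define FN_PAGE_FAULT   0x10u
#define FN_MMIO         0x11u
#define FN_DATA_ABORT   0x12u

#define SMC_UNKNOWN     (-1)        /* SMCCC return value for an unknown function ID */
#define SMC_OK          0
#define SMC_DENIED      (-3)

/* Per-VM state the manager keeps: the physical range it handed to the VM, the
 * MMIO window emulated for it, and counters so the handlers' effect is visible. */
struct secure_vm {
    uint64_t pa_base, pa_size;      /* memory allocated to the VM */
    uint64_t mmio_base, mmio_size;  /* MMIO window served from the REE side */
    unsigned pages_mapped, mmio_ops, aborts_handled;
};

static bool in_range(uint64_t addr, uint64_t base, uint64_t size) {
    return addr >= base && addr - base < size;
}

/* Each handler checks the address against what the VM owns before acting. */
static int handle_page_fault(struct secure_vm *vm, uint64_t fault_pa) {
    if (!in_range(fault_pa, vm->pa_base, vm->pa_size)) return SMC_DENIED;
    vm->pages_mapped++;             /* a real manager would update the VM's page table here */
    return SMC_OK;
}
static int handle_mmio(struct secure_vm *vm, uint64_t addr) {
    if (!in_range(addr, vm->mmio_base, vm->mmio_size)) return SMC_DENIED;
    vm->mmio_ops++;                 /* a real manager would forward to the REE-side emulation */
    return SMC_OK;
}
static int handle_data_abort(struct secure_vm *vm, uint64_t addr) {
    if (!in_range(addr, vm->pa_base, vm->pa_size)) return SMC_DENIED;
    vm->aborts_handled++;
    return SMC_OK;
}

/* Manager entry point for an SMC from the secure VM: x0 = function ID,
 * x1 = faulting address. Returns the value the caller would see in x0. */
int monitor_smc_dispatch(struct secure_vm *vm, uint32_t fid, uint64_t arg) {
    if (!(fid & SMC_FAST_CALL)) return SMC_UNKNOWN;   /* only fast calls are accepted */
    if (((fid & SMC_OEN_MASK) >> SMC_OEN_SHIFT) != SMC_OEN_SIP) return SMC_UNKNOWN;
    switch (fid & SMC_FN_MASK) {
    case FN_PAGE_FAULT: return handle_page_fault(vm, arg);
    case FN_MMIO:       return handle_mmio(vm, arg);
    case FN_DATA_ABORT: return handle_data_abort(vm, arg);
    default:            return SMC_UNKNOWN;
    }
}

/* Builds a function ID in the layout above, as the guest-side stub would. */
uint32_t make_fid(uint32_t fn) {
    return SMC_FAST_CALL | (SMC_OEN_SIP << SMC_OEN_SHIFT) | (fn & SMC_FN_MASK);
}
```

In the model, a request whose address lies outside the VM's allocation is refused with SMC_DENIED rather than being serviced, and an ID that is not a fast call in the expected service range is answered with the SMCCC "unknown function" value; both behaviours keep the manager's handling of guest faults from becoming a way for a compromised guest to reach memory belonging to another VM.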
In a possible implementation, the method further includes the following step: the processor runs the first virtual machine manager under EL3 to perform one or any combination of the following operations: creating, modifying or destroying the first-level page table of the first virtual machine, where the first-level page table of the first virtual machine is a page table that maps a virtual address (VA) of the first virtual machine directly to a physical address (PA) allocated to the first virtual machine in the computing device (a single-stage translation).
实施该实现方式,可以实现对TEE侧的虚拟机的内存进行管理。By implementing this implementation method, the memory of the virtual machine on the TEE side can be managed.
To make the solution more flexible, in a possible implementation the method can manage the memory of the virtual machine on the TEE side in the following way: the processor runs the first virtual machine manager under EL3 to perform one or any combination of the following operations: creating, modifying or destroying the second-level page tables of the first virtual machine, where the second-level page tables of the first virtual machine consist of a page table that maps the VA of the first virtual machine to an intermediate physical address (IPA) and a page table that maps the IPA to the PA allocated to the first virtual machine in the computing device (a two-stage translation).
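The following C model shows the difference between the two translation schemes described above. It is an illustration added to this page, not code from the patent application: page size, the small fixed-size table representation, the result codes and the "allocated PA range" check are assumptions made for the example. What it makes visible is the security property of the two-stage form: the stage-2 table (IPA to PA) is under the manager's control, so whatever a guest puts into its stage-1 table, the PA it ends up at is decided by the manager; in the single-stage form there is no second stage to confine the guest, so the manager has to verify every PA itself when it creates or modifies the mapping.

```c
/* Added example (not from the patent): a software model of single-stage
 * (VA -> PA) and two-stage (VA -> IPA -> PA) translation for a secure VM.
 * Page size, table sizes and the allocation check are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ull << PAGE_SHIFT)
#define PAGE_MASK   (PAGE_SIZE - 1)
#define MAX_ENTRIES 16

struct map_entry { uint64_t from, to; bool valid; };       /* one page-granular mapping */
struct page_table { struct map_entry e[MAX_ENTRIES]; size_t n; };

/* Result codes of a translation. */
enum { XLATE_OK = 0, XLATE_S1_FAULT = 1, XLATE_S2_FAULT = 2, XLATE_OUTSIDE_ALLOC = 3 };

struct vm_mem {
    struct page_table s1;       /* VA -> IPA, set up for the VM by the EL3 manager */
    struct page_table s2;       /* IPA -> PA, under the manager's exclusive control */
    uint64_t pa_base, pa_size;  /* PA range the computing device allocated to the VM */
};

void vm_mem_init(struct vm_mem *m, uint64_t pa_base, uint64_t pa_size) {
    memset(m, 0, sizeof *m);
    m->pa_base = pa_base;
    m->pa_size = pa_size;
}

/* Adds a page mapping; both addresses must be page aligned. */
bool pt_map(struct page_table *pt, uint64_t from, uint64_t to) {
    if (pt->n >= MAX_ENTRIES || (from & PAGE_MASK) || (to & PAGE_MASK)) return false;
    pt->e[pt->n++] = (struct map_entry){ from, to, true };
    return true;
}

/* Returns true and the translated address (page base plus offset) when mapped. */
static bool pt_lookup(const struct page_table *pt, uint64_t in, uint64_t *out) {
    for (size_t i = 0; i < pt->n; i++)
        if (pt->e[i].valid && pt->e[i].from == (in & ~PAGE_MASK)) {
            *out = pt->e[i].to | (in & PAGE_MASK);
            return true;
        }
    return false;
}

static bool pa_allocated(uint64_t pa, uint64_t base, uint64_t size) {
    return pa >= base && pa - base < size;
}

/* Two-stage translation: VA -> IPA -> PA. The stage-2 table decides where an
 * IPA lands, so a guest editing its own stage-1 table cannot escape its range. */
int translate_two_stage(const struct vm_mem *m, uint64_t va, uint64_t *pa) {
    uint64_t ipa;
    if (!pt_lookup(&m->s1, va, &ipa)) return XLATE_S1_FAULT;
    if (!pt_lookup(&m->s2, ipa, pa)) return XLATE_S2_FAULT;
    if (!pa_allocated(*pa, m->pa_base, m->pa_size)) return XLATE_OUTSIDE_ALLOC;
    return XLATE_OK;
}

/* Single-stage translation (the "first-level page table" of the text): VA -> PA
 * directly. The manager must check the PA itself; nothing else confines the VM. */
int translate_single_stage(const struct page_table *s1, uint64_t pa_base,
                           uint64_t pa_size, uint64_t va, uint64_t *pa) {
    if (!pt_lookup(s1, va, pa)) return XLATE_S1_FAULT;
    if (!pa_allocated(*pa, pa_base, pa_size)) return XLATE_OUTSIDE_ALLOC;
    return XLATE_OK;
}
```

A practical consequence for the manager: with the two-stage form, the allocation check only has to be enforced when a stage-2 entry is created or changed, which is exactly the operation the text reserves for the first virtual machine manager under EL3; a stage-1 change made inside the guest never needs to be trusted.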
在一种可能的实现方式中,上述REE侧包括第二虚拟机管理器,上述第一虚拟机部署有虚拟化输入输出(virtualised input/output,VirtIO)前端驱动程序,第二虚拟机管理器部署有VirtIO后端驱动程序,第一虚拟机管理器部署有内存同步模块,TEE侧包括用于VirtIO前端驱动程序与VirtIO后端驱动程序进行数据传输的第一内存,REE侧包括第二内存,内存同步模块包括第一内存和第二内存的映射关系;上述方法还包括如下步骤:In a possible implementation, the REE side includes a second virtual machine manager, the first virtual machine is deployed with a virtualized input/output (VirtIO) front-end driver, the second virtual machine manager is deployed with a VirtIO back-end driver, the first virtual machine manager is deployed with a memory synchronization module, the TEE side includes a first memory for data transmission between the VirtIO front-end driver and the VirtIO back-end driver, the REE side includes a second memory, and the memory synchronization module includes a mapping relationship between the first memory and the second memory; the method further includes the following steps:
上述处理器运行内存同步模块根据第一内存和第二内存的映射关系,将第一内存中的第一数据同步至第二内存,第一数据为VirtIO前端驱动程序需发送给VirtIO后端驱动程序的数据;The processor runs a memory synchronization module to synchronize first data in the first memory to the second memory according to a mapping relationship between the first memory and the second memory, wherein the first data is data that the VirtIO front-end driver needs to send to the VirtIO back-end driver;
或者,or,
上述处理器运行内存同步模块根据第一内存和第二内存的映射关系,将第二内存中的第二数据同步至第一内存,第二数据为VirtIO前端驱动程序需接收的来自VirtIO后端驱动程序的数据。The processor runs a memory synchronization module to synchronize second data in the second memory to the first memory according to a mapping relationship between the first memory and the second memory, wherein the second data is data from the VirtIO backend driver that the VirtIO frontend driver needs to receive.
实施该实现方式,可以实现TEE侧的虚拟机通过VirtIO前端驱动程序和VirtIO后端驱动程序进行I/O通信。By implementing this implementation method, the virtual machine on the TEE side can perform I/O communication through the VirtIO front-end driver and the VirtIO back-end driver.
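The following C model illustrates the memory synchronization module described in the preceding steps. It is an illustration added to this page, not code from the patent application: the first memory (TEE side) and second memory (REE side) are represented as byte arrays, and the mapping-table format, the window sizes and the helper names are assumptions made for the example. The check it adds to the text is that a synchronization request is only honoured when it falls entirely inside one window registered in the mapping relationship; the module refuses, rather than clips, anything that straddles or leaves the registered windows, so the shared VirtIO buffers are the only part of TEE memory ever copied toward the REE side, and length arithmetic is done in 64 bits so a large length cannot wrap the bounds check.

```c
/* Added example (not from the patent): a model of the memory synchronization
 * module between the TEE-side first memory and the REE-side second memory.
 * Memory sizes, the mapping table and the helper names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TEE_MEM_SIZE 4096u   /* first memory: VirtIO queue/buffer area on the TEE side */
#define REE_MEM_SIZE 4096u   /* second memory: its REE-side shadow */
#define MAX_REGIONS  4

/* One entry of the mapping relationship: a window of the first memory and the
 * window of the second memory it corresponds to. Only these windows may be
 * synchronized; the rest of TEE memory is never exposed to the REE side. */
struct sync_region { uint32_t tee_off, ree_off, len; };

struct sync_module {
    uint8_t tee_mem[TEE_MEM_SIZE];
    uint8_t ree_mem[REE_MEM_SIZE];
    struct sync_region map[MAX_REGIONS];
    size_t nmap;
};

enum sync_dir { TEE_TO_REE, REE_TO_TEE };

/* Registers a window pair. Rejects windows that overflow either memory. */
bool sync_add_mapping(struct sync_module *s, uint32_t tee_off, uint32_t ree_off, uint32_t len) {
    if (s->nmap >= MAX_REGIONS || len == 0) return false;
    if ((uint64_t)tee_off + len > TEE_MEM_SIZE) return false;
    if ((uint64_t)ree_off + len > REE_MEM_SIZE) return false;
    s->map[s->nmap++] = (struct sync_region){ tee_off, ree_off, len };
    return true;
}

/* Finds the REE offset mirroring [tee_off, tee_off + len); the range must lie
 * entirely inside a single registered window. */
static bool map_lookup(const struct sync_module *s, uint32_t tee_off, uint32_t len, uint32_t *ree_off) {
    for (size_t i = 0; i < s->nmap; i++) {
        const struct sync_region *r = &s->map[i];
        if (tee_off >= r->tee_off && (uint64_t)tee_off + len <= (uint64_t)r->tee_off + r->len) {
            *ree_off = r->ree_off + (tee_off - r->tee_off);
            return true;
        }
    }
    return false;
}

/* Copies `len` bytes between the two memories in the given direction, or
 * refuses the request when it is not covered by the mapping relationship. */
bool sync_transfer(struct sync_module *s, enum sync_dir dir, uint32_t tee_off, uint32_t len) {
    uint32_t ree_off;
    if (!map_lookup(s, tee_off, len, &ree_off)) return false;
    if (dir == TEE_TO_REE) memcpy(&s->ree_mem[ree_off], &s->tee_mem[tee_off], len);
    else                   memcpy(&s->tee_mem[tee_off], &s->ree_mem[ree_off], len);
    return true;
}

/* Front-end side: write the first data into TEE memory, then push it out. */
bool frontend_send(struct sync_module *s, uint32_t tee_off, const void *data, uint32_t len) {
    if ((uint64_t)tee_off + len > TEE_MEM_SIZE) return false;
    memcpy(&s->tee_mem[tee_off], data, len);
    return sync_transfer(s, TEE_TO_REE, tee_off, len);
}

/* Constructed stand-in for the REE back-end: it writes the second data into
 * the REE window mirroring `tee_off`, after which the module pulls it in. */
bool backend_reply(struct sync_module *s, uint32_t tee_off, const void *data, uint32_t len) {
    uint32_t ree_off;
    if (!map_lookup(s, tee_off, len, &ree_off)) return false;
    memcpy(&s->ree_mem[ree_off], data, len);
    return sync_transfer(s, REE_TO_TEE, tee_off, len);
}
```

Because the REE-side back-end is outside the TEE's trust boundary, the direction REE_TO_TEE deserves the same scrutiny as the outbound one: the model only ever writes into a registered TEE window, so a malformed reply cannot land on other TEE-side memory, and a real front-end driver would still have to validate the contents of the reply it receives.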
第二方面,提供一种虚拟机实现装置,该装置可以应用于计算设备,该计算设备的硬件资源被划分为REE侧和TEE侧,该计算设备包括第一虚拟机管理器,该装置包括:处理模块;In a second aspect, a virtual machine implementation apparatus is provided, which can be applied to a computing device, wherein hardware resources of the computing device are divided into a REE side and a TEE side, and the computing device includes a first virtual machine manager, and the apparatus includes: a processing module;
上述处理模块用于在EL3下运行第一虚拟机管理器启动第一虚拟机,该第一虚拟机部署于上述TEE侧。The processing module is used to run a first virtual machine manager under EL3 to start a first virtual machine, and the first virtual machine is deployed on the TEE side.
在一种可能的实现方式中,上述装置还包括获取模块;In a possible implementation, the apparatus further includes an acquisition module;
上述获取模块用于在REE侧获取加密的用户数据;上述处理模块还用于在EL3下运行第一虚拟机管理器,获取TEE侧存储的解密密钥,并使用解密密钥对加密的用户数据进行解密,得到用户数据;上述处理模块还用于运行第一虚拟机处理上述用户数据。The above-mentioned acquisition module is used to obtain encrypted user data on the REE side; the above-mentioned processing module is also used to run the first virtual machine manager under EL3, obtain the decryption key stored on the TEE side, and use the decryption key to decrypt the encrypted user data to obtain the user data; the above-mentioned processing module is also used to run the first virtual machine to process the above-mentioned user data.
在一种可能的实现方式中,上述获取模块还用于在REE侧获取创建指令,创建指令携带待创建的第一虚拟机的配置信息;上述处理模块还用于在EL3下运行第一虚拟机管理器,根据创建指令携带的配置信息在TEE侧创建第一虚拟机。In a possible implementation, the acquisition module is also used to obtain a creation instruction on the REE side, where the creation instruction carries configuration information of the first virtual machine to be created; the processing module is also used to run the first virtual machine manager under EL3, and create the first virtual machine on the TEE side according to the configuration information carried by the creation instruction.
在一种可能的实现方式中,上述获取模块还用于在REE侧模拟得到第一数据,第一数据包括如下一种或任意组合:第一虚拟机的虚拟中断、供第一虚拟机使用的虚拟时钟以及供第一虚拟机使用的MMIO信息;上述处理模块还用于将第一数据写入第一虚拟机管理器;上述处理模块还用于在EL3下运行第一虚拟机管理器,将第一数据注入第一虚拟机;上述处理模块还用于根据第一数据运行第一虚拟机。In a possible implementation, the acquisition module is further used to simulate and obtain the first data on the REE side, where the first data includes one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock used by the first virtual machine, and MMIO information used by the first virtual machine; the processing module is further used to write the first data into the first virtual machine manager; the processing module is further used to run the first virtual machine manager under EL3 and inject the first data into the first virtual machine; the processing module is further used to run the first virtual machine according to the first data.
在一种可能的实现方式中,上述处理模块还用于在EL3下运行第一虚拟机管理器,确定第一虚拟机是否为安全虚拟机,在确定第一虚拟机是安全虚拟机的情况下,启动第一虚拟机,在确定第一虚拟机是非安全虚拟机的情况下,不启动第一虚拟机。In a possible implementation, the processing module is also used to run the first virtual machine manager under EL3, determine whether the first virtual machine is a secure virtual machine, and start the first virtual machine if it is determined that the first virtual machine is a secure virtual machine; and do not start the first virtual machine if it is determined that the first virtual machine is a non-secure virtual machine.
在一种可能的实现方式中,上述处理模块还用于在EL3下运行第一虚拟机管理器,确定上述计算设备是否为安全设备,在确定计算设备是安全设备的情况下,启动第一虚拟机,在确定计算设备是非安全设备的情况下,不启动第一虚拟机。In one possible implementation, the processing module is also used to run the first virtual machine manager under EL3 to determine whether the computing device is a secure device. If the computing device is determined to be a secure device, the first virtual machine is started; if the computing device is determined to be a non-secure device, the first virtual machine is not started.
在一种可能的实现方式中,上述获取模块还用于在REE侧获取针对第一虚拟机的生命周期的第一管理命令;上述处理模块还用于在EL3下运行第一虚拟机管理器,根据第一管理命令对第一虚拟机执行以下操作的一种或任意组合:开机、关机、更改规格、迁移和释放。In a possible implementation, the acquisition module is also used to acquire a first management command for the life cycle of the first virtual machine on the REE side; the processing module is also used to run the first virtual machine manager under EL3, and perform one or any combination of the following operations on the first virtual machine according to the first management command: power on, power off, change specifications, migrate, and release.
In a possible implementation, the acquisition module is further configured to acquire, on the REE side, a second management command for the first virtual machine; the processing module is further configured to run the first virtual machine manager under EL3 and, according to the second management command, perform one or any combination of the following operations on the first virtual machine: installing, starting, shutting down, upgrading, uninstalling and migrating applications.
在一种可能的实现方式中,上述处理模块还用于:在第一虚拟机出现异常时,在EL3下运行第一虚拟机管理器建立第一虚拟机的上下文,处理第一虚拟机出现的异常,在处理完第一虚拟机出现的异常时,将第一虚拟机的上下文恢复至第一虚拟机,以恢复运行第一虚拟机。In a possible implementation, the processing module is also used to: when an exception occurs in the first virtual machine, run the first virtual machine manager under EL3 to establish the context of the first virtual machine, handle the exception that occurs in the first virtual machine, and after handling the exception that occurs in the first virtual machine, restore the context of the first virtual machine to the first virtual machine to resume the operation of the first virtual machine.
In a possible implementation, when the exception occurring in the first virtual machine is a page fault, an MMIO operation exception, or a synchronous data abort, the processing module is configured to run the first virtual machine manager under EL3, receive a page fault handling instruction, an MMIO operation exception handling instruction, or a synchronous data abort handling instruction sent by the first virtual machine, and handle the page fault of the first virtual machine according to the page fault handling instruction, or handle the MMIO operation exception of the first virtual machine according to the MMIO operation exception handling instruction, or handle the synchronous data abort of the first virtual machine according to the synchronous data abort handling instruction. The page fault handling instruction, the MMIO operation exception handling instruction and the synchronous data abort handling instruction are SMC type instructions, and an MMIO operation exception is an exception raised when the first virtual machine performs an MMIO access.
In a possible implementation, the processing module is further configured to run the first virtual machine manager under EL3 and perform one or any combination of the following operations: creating, modifying or destroying the first-level page table of the first virtual machine, where the first-level page table of the first virtual machine is a page table that maps the VA of the first virtual machine directly to the PA allocated to the first virtual machine in the computing device.
In a possible implementation, the REE side includes a second virtual machine manager, the first virtual machine is deployed with a VirtIO front-end driver (as in the first aspect), the second virtual machine manager is deployed with a VirtIO back-end driver, the first virtual machine manager is deployed with a memory synchronization module, the TEE side includes a first memory used for data transfer between the VirtIO front-end driver and the VirtIO back-end driver, the REE side includes a second memory, and the memory synchronization module holds the mapping relationship between the first memory and the second memory; the processing module is configured to run the memory synchronization module to synchronize first data in the first memory to the second memory according to that mapping relationship, where the first data is data the VirtIO front-end driver needs to send to the VirtIO back-end driver, or to run the memory synchronization module to synchronize second data in the second memory to the first memory according to that mapping relationship, where the second data is data from the VirtIO back-end driver that the VirtIO front-end driver needs to receive.
关于第二方面提供的虚拟机实现装置以及第二方面的任一种实现方式的相关有益效果和描述可以参见前述第一方面以及第一方面的任一种实现方式的相关有益效果和描述,在此不再赘述。For the relevant beneficial effects and descriptions of the virtual machine implementation device provided in the second aspect and any implementation method of the second aspect, reference can be made to the relevant beneficial effects and descriptions of the aforementioned first aspect and any implementation method of the first aspect, and no further details will be given here.
第三方面,提供一种计算设备,所述计算设备包括处理器和存储器;所述处理器用于执行所述存储器存储的指令,使得所述计算设备实现如上述第一方面或者第一方面的任意可能的实现方式提供的方法。According to a third aspect, a computing device is provided, comprising a processor and a memory; the processor is used to execute instructions stored in the memory, so that the computing device implements the method provided in the first aspect or any possible implementation of the first aspect.
第四方面,提供一种计算机可读存储介质,所述计算机可读存储介质存储有指令,所述指令用于实现如上述第一方面或者第一方面的任意可能的实现方式提供的方法。According to a fourth aspect, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores instructions for implementing the method provided in the first aspect or any possible implementation of the first aspect.
第五方面,提供一种计算机程序产品,包括计算机程序,当所述计算机程序被计算设备读取并执行时,使得所述计算设备执行如上述第一方面或者第一方面的任意可能的实现方式提供的方法。According to a fifth aspect, a computer program product is provided, comprising a computer program. When the computer program is read and executed by a computing device, the computing device executes the method provided in the first aspect or any possible implementation of the first aspect.
图1为本申请涉及的一种虚拟机使用场景的示意图;FIG1 is a schematic diagram of a virtual machine usage scenario involved in the present application;
图2为本申请提供的一种ARM处理器的硬件架构示意图;FIG2 is a schematic diagram of the hardware architecture of an ARM processor provided in the present application;
图3为本申请提供的一种计算设备的结构示意图;FIG3 is a schematic diagram of the structure of a computing device provided by the present application;
图4A为本申请提供的一种虚拟机实现方法的结构示意图;FIG4A is a schematic diagram of the structure of a virtual machine implementation method provided by the present application;
图4B为本申请提供的一种数据处理方法的流程示意图;FIG4B is a flow chart of a data processing method provided by the present application;
图5为本申请提供的一种第一虚拟机管理器的结构示意图;FIG5 is a schematic diagram of the structure of a first virtual machine manager provided by the present application;
图6为本申请提供的第二虚拟机管理器视角下的机密虚拟机的创建和运行过程示意图;FIG6 is a schematic diagram of the creation and operation process of a confidential virtual machine from the perspective of a second virtual machine manager provided by the present application;
图7为本申请提供的另一种计算设备的结构示意图;FIG7 is a schematic diagram of the structure of another computing device provided by the present application;
图8为本申请示例性示出的一种虚拟机实现装置的结构示意图;FIG8 is a schematic diagram of the structure of a virtual machine implementation device exemplarily shown in the present application;
图9为本申请提供的又一种计算设备的结构示意图。FIG9 is a schematic diagram of the structure of another computing device provided by the present application.
下面将结合附图,对本申请提供的技术方案进行描述。The technical solution provided by this application will be described below in conjunction with the accompanying drawings.
为了使本申请提供的技术方案更清晰,首先进行相关术语的解释。In order to make the technical solution provided by this application clearer, the relevant terms are first explained.
(1) A virtual machine (VM) is a complete computer system, simulated in software with the full functionality of a hardware system, that runs in a completely isolated environment. Any work that can be done on a computing device (such as a server) can also be done in a virtual machine. When a virtual machine is created on a computing device, part of the physical machine's disk and memory capacity is assigned as the virtual machine's disk and memory; each virtual machine has its own independent disk and operating system, and a user can operate the virtual machine just as they would a physical computing device.
(2)普通虚拟机,指REE侧包括的虚拟机。(2) Ordinary virtual machines refer to the virtual machines included in the REE side.
(3)机密虚拟机,指TEE侧包括的虚拟机,也可以称为可信虚拟机等。(3) Confidential virtual machine refers to the virtual machine included in the TEE side, which can also be called a trusted virtual machine, etc.
(4)输入输出(input/output,I/O)设备,指可以与计算设备进行数据传输的硬件,最常见的I/O设备如键盘、鼠标、块设备(如磁盘)、网络设备(如网卡、调制解调器等)。(4) Input/output (I/O) devices refer to hardware that can transmit data to and from computing devices. The most common I/O devices include keyboards, mice, block devices (such as disks), and network devices (such as network cards, modems, etc.).
(5) Memory-mapped input/output (MMIO): a scheme, used among others by the peripheral component interconnect (PCI) specification for device registers, in which I/O devices are placed in the memory address space rather than in a separate I/O address space. From the processor's point of view, an MMIO device is accessed with the same load and store instructions as memory.
(6) Virtualized input/output (VirtIO) can be understood as a general framework for virtualizing I/O devices. Specifically, VirtIO consists of a front-end driver and a back-end driver; working together, they present a series of virtualized I/O devices to the virtual machine, such as VirtIO-BLK and VirtIO-NET. VirtIO-BLK is a virtualized storage device: it is the virtualization program that creates disks (a disk is an I/O device), so a virtual disk can be created through VirtIO-BLK. Likewise, VirtIO-NET is a virtualized network device: it is the virtualization program that creates network devices, so a virtualized network device (for example, a virtualized network interface controller, VNIC) can be created through VirtIO-NET.
(7)安全监控调用(secure monitor call,SMC),是实现非安全世界(normal world)与安全世界(secure world)之间通信的机制,为高级精简指令集设备(advanced RISC machines,ARM)平台上的TEE提供了一个安全、高效的通信方式。(7) Secure monitor call (SMC) is a mechanism for achieving communication between the normal world and the secure world, providing a secure and efficient communication method for TEE on the advanced RISC machines (ARM) platform.
接下来介绍本申请涉及的应用场景。Next, the application scenarios involved in this application are introduced.
本申请涉及租户使用虚拟机处理业务场景,请参见图1,图1为本申请涉及的一种虚拟机使用场景的示意图,如图1所示,计算设备100(如服务器)包括硬件层和软件层,硬件层为计算设备100的常规配置,其中PCI设备可例如为网卡、图形处理器(graphics processing unit,GPU)、嵌入式神经网络处理器(neural network processing unit,NPU)、卸载卡等可插置到服务器的PCI/高速串行计算机扩展总线标准(peripheral component interconnect express,PCIE)插槽上的设备,软件层包括安装并运行在计算设备100上的主机操作系统内核(也可简称为主机内核),主机操作系统内核中设置有虚拟机管理器(hypervisor)(例如KVM),虚拟机管理器的作用是实现虚拟机的计算虚拟化、网络虚拟化以及存储虚拟化,并负责管理虚拟机。The present application involves a scenario in which a tenant uses a virtual machine to process a business. Please refer to Figure 1. Figure 1 is a schematic diagram of a virtual machine usage scenario involved in the present application. As shown in Figure 1, a computing device 100 (such as a server) includes a hardware layer and a software layer. The hardware layer is a conventional configuration of the computing device 100, wherein PCI devices may be, for example, network cards, graphics processing units (GPUs), embedded neural network processing units (NPUs), offload cards, and other devices that can be inserted into the PCI/peripheral component interconnect express (PCIE) slots of the server. The software layer includes a host operating system kernel (also referred to as a host kernel) installed and running on the computing device 100. A virtual machine manager (hypervisor) (such as KVM) is provided in the host operating system kernel. The role of the virtual machine manager is to realize computing virtualization, network virtualization, and storage virtualization of virtual machines, and is responsible for managing virtual machines.
计算虚拟化是指将计算设备100的处理器和内存的部分提供给虚拟机,网络虚拟化是指将网卡的部分功能(如带宽)提供给虚拟机,存储虚拟化是指将部分磁盘提供给虚拟机。Computing virtualization refers to providing part of the processor and memory of the computing device 100 to the virtual machine, network virtualization refers to providing part of the functions of the network card (such as bandwidth) to the virtual machine, and storage virtualization refers to providing part of the disk to the virtual machine.
虚拟机管理器还可实现不同虚拟机之间的逻辑隔离并管理虚拟机,例如创建虚拟机、根据硬件层为虚拟机模拟虚拟硬件(硬件模拟功能)、删除虚拟机、转发和/或处理运行在该计算设备100上的所有虚拟机(例如虚拟机1和虚拟机2)之间的网络报文或转发该计算设备100上的虚拟机与外部网络之间的网络报文(虚拟交换功能),处理虚拟机产生的I/O等。The virtual machine manager can also implement logical isolation between different virtual machines and manage virtual machines, such as creating virtual machines, simulating virtual hardware for virtual machines according to the hardware layer (hardware simulation function), deleting virtual machines, forwarding and/or processing network packets between all virtual machines (such as virtual machine 1 and virtual machine 2) running on the computing device 100 or forwarding network packets between the virtual machines on the computing device 100 and the external network (virtual switching function), processing I/O generated by virtual machines, etc.
不同虚拟机中的运行环境(如虚拟机应用、操作系统和虚拟硬件)是完全隔离的,虚拟机1和虚拟机2之间要进行通信需经过虚拟机管理器转发网络报文。The operating environments (such as virtual machine applications, operating systems, and virtual hardware) in different virtual machines are completely isolated. For virtual machine 1 and virtual machine 2 to communicate, network messages must be forwarded through the virtual machine manager.
租户可远程登录虚拟机,在虚拟机操作系统环境下操作虚拟机安装、设置以及卸载应用。Tenants can remotely log in to the virtual machine and operate the virtual machine to install, configure, and uninstall applications in the virtual machine operating system environment.
从图1可以看出,虚拟机由主机操作系统内核中的虚拟机管理器如KVM管理,一旦主机操作系统内核被攻击者攻破,那么攻击者将能操控虚拟机管理器管理虚拟机,对虚拟机中的用户数据造成安全威胁。As can be seen from Figure 1, the virtual machine is managed by a virtual machine manager in the host operating system kernel, such as KVM. Once the host operating system kernel is compromised by an attacker, the attacker will be able to manipulate the virtual machine manager to manage the virtual machine, posing a security threat to user data in the virtual machine.
因此,如何保护虚拟机中的用户数据安全,满足用户对虚拟机的安全需求,已成为本领域亟需解决的问题。Therefore, how to protect the security of user data in virtual machines and meet users' security requirements for virtual machines has become an urgent problem to be solved in this field.
为了解决上述问题,本申请提供一种计算设备及虚拟机实现方法。In order to solve the above problems, the present application provides a computing device and a virtual machine implementation method.
为了便于理解本申请提供的计算设备及虚拟机实现方法,下面先对本申请涉及的安全区(TrustZone)技术进行介绍。In order to facilitate understanding of the computing device and virtual machine implementation method provided by this application, the security zone (TrustZone) technology involved in this application is first introduced below.
随着ARM处理器性能的不断提升,运行有ARM处理器的计算设备给人们的生活带来了极大的便利。与此同时,计算设备上也携带了越来越多的用户数据,用户也越来越重视计算设备的安全性。ARM处理器上,当前主流的系统级解决方案是TrustZone技术。 As the performance of ARM processors continues to improve, computing devices running ARM processors have brought great convenience to people's lives. At the same time, computing devices also carry more and more user data, and users are paying more and more attention to the security of computing devices. On ARM processors, the current mainstream system-level solution is TrustZone technology.
TrustZone技术作为安全拓展最早是在ARMv6的版本中被引入的,它把计算设备的硬件资源划分为两个世界,REE侧(也可以称为普通世界(normal world))和TEE侧(也可以称为安全世界(secure world))。TrustZone作为硬件安全特性,工作在TEE侧。TrustZone technology was first introduced in the ARMv6 version as a security extension. It divides the hardware resources of computing devices into two worlds, the REE side (also called the normal world) and the TEE side (also called the secure world). TrustZone, as a hardware security feature, works on the TEE side.
The REE side does not mean that the operating system (OS) or software running in it is malicious, only that its environment is less secure than the TEE side. When the processor is working on the REE side, TEE-side resources (such as registers, memory, cache and peripherals) may not be accessed; an attempt to access them is blocked by the hardware and reported as a fault (an external abort, from the processor's point of view) rather than returning data, which in practice brings down the offending software. For example, TrustZone can mark sensitive memory as secure memory by configuring the TrustZone address space controller (TZASC) and TrustZone memory adapter (TZMA) registers, after which the REE side cannot access that memory. When the processor is working on the TEE side, it can access both TEE-side and REE-side resources. Because the TEE side holds higher privilege than the REE-side operating system, TrustZone can serve as a root of trust that provides a higher level of security protection for the REE-side operating system.
以ARMv8.0为例,图2描述了ARM的硬件架构,左侧是REE侧的架构,右侧是TEE侧的架构,REE侧包括四种工作权限:异常等级0(exception level 0,EL0)、EL1、EL2和EL3,TEE侧包括三种工作权限:安全异常等级0(secure exception level 0,SEL0)、SEL1和EL3。其中,EL0也可以称为用户态层,EL1也可以称为内核态层,EL2也可以称为虚拟机管理器层,EL3也可以称为安全监控(secure monitor)层。数值越大的级别的等级权限越高,数值越小的级别的等级权限越低。异常等级可以理解为特权等级。Taking ARMv8.0 as an example, Figure 2 describes the hardware architecture of ARM. The left side is the architecture of the REE side, and the right side is the architecture of the TEE side. The REE side includes four working permissions: exception level 0 (EL0), EL1, EL2, and EL3, and the TEE side includes three working permissions: secure exception level 0 (SEL0), SEL1, and EL3. Among them, EL0 can also be called the user state layer, EL1 can also be called the kernel state layer, EL2 can also be called the virtual machine manager layer, and EL3 can also be called the secure monitor layer. The higher the level of the level, the higher the level of the level, and the smaller the level of the level, the lower the level of the level. The exception level can be understood as the privilege level.
用户应用程序运行在REE侧的EL0下,操作系统或者一些特权函数运行在REE侧的EL1下,如虚拟机的操作系统运行在EL1下。虚拟机管理器如KVM运行在EL2下。ARM可信固件运行在EL3下,ARM可信固件(ARM trusted firmware,ATF)是处理器启动时运行的第一个组件,是由ARM官方提供的底层固件,该固件统一了ARM底层接口标准,如电源状态控制接口(power status control interface,PSCI)、安全启动需求(trusted board boot requirements,TBBR)、安全世界状态与普通世界状态切换的SMC操作等。User applications run in EL0 on the REE side, and operating systems or some privileged functions run in EL1 on the REE side, such as the operating system of a virtual machine running in EL1. Virtual machine managers such as KVM run in EL2. ARM trusted firmware runs in EL3. ARM trusted firmware (ATF) is the first component that runs when the processor starts. It is the underlying firmware officially provided by ARM. This firmware unifies the ARM underlying interface standards, such as the power status control interface (PSCI), trusted board boot requirements (TBBR), and SMC operations for switching between secure world state and normal world state.
在EL3下,处理器权限等级最高,不仅能够访问TEE侧所有的资源,还能够访问REE侧所有的资源。Under EL3, the processor has the highest privilege level and can access not only all resources on the TEE side, but also all resources on the REE side.
The above introduces TrustZone technology. The following introduces the computing device provided by this application, which is mainly a computing device running the ARM processor shown in Figure 2.
Refer to Figure 3, a schematic diagram of a computing device 300 provided by this application. As shown in Figure 3, the hardware resources of computing device 300 are divided into a REE side and a TEE side. The TEE side includes one or more confidential virtual machines; Figure 3 takes one confidential virtual machine on the TEE side as an example. The REE side may include one or more ordinary virtual machines; Figure 3 takes two ordinary virtual machines on the REE side as an example.
As shown in Figure 3, computing device 300 also includes a virtual machine manager that manages the confidential virtual machine on the TEE side. To distinguish it from the virtual machine manager deployed in the host kernel of computing device 100 shown in Figure 1, in the following embodiments the virtual machine manager that manages the confidential virtual machine on the TEE side is called the first virtual machine manager, and the virtual machine manager deployed in the host kernel to manage the ordinary virtual machines on the REE side is called the second virtual machine manager. In a specific implementation, the TEE-side virtual machine manager may also be called a TrustZone management monitor (TMM), a TrustZone virtual machine manager, or the like; this application does not specifically limit the name of the TEE-side virtual machine manager.
The first virtual machine manager is used to deploy the confidential virtual machine on the TEE side of computing device 300 and to start it. It can be understood that once the confidential virtual machine has been started, the processor can run it to process user data.
The first virtual machine manager can also manage the life cycle of the confidential virtual machine, such as powering on, powering off, changing specifications, migrating and releasing. It can also manage the apps installed on the confidential virtual machine, such as installing, starting, shutting down, upgrading, uninstalling and migrating apps. It can also perform other management operations on the confidential virtual machine, which are described in detail below.
As can be seen from Figure 3, a confidential virtual machine is similar to an ordinary virtual machine and includes an operating system kernel and apps. The operating system kernel in the confidential virtual machine may be a rich OS kernel such as Linux, or another type of operating system kernel; that is, the operating system in the confidential virtual machine may be a rich operating system such as Linux or another type of operating system, and this application does not limit this. It can be understood that when the operating system in the confidential virtual machine is Linux, the confidential virtual machine may be migrated from an ordinary Linux virtual machine. It can also be understood that when the operating system in the confidential virtual machine is a rich operating system such as Linux, because a rich operating system is relatively powerful, a tenant can install an app (for example an artificial intelligence (AI) application with demanding runtime requirements) in the confidential virtual machine directly, without modifying the app, achieving zero-modification installation of apps.
In a specific embodiment of this application, as shown in Figure 3, the processor of computing device 300 runs the first virtual machine manager at EL3. It can be understood that because the processor runs the first virtual machine manager at EL3, the first virtual machine manager has the privileges corresponding to EL3 and can access resources on both the TEE side and the REE side. In a possible embodiment, the first virtual machine manager is deployed in the ARM trusted firmware.
In a possible embodiment, as shown in Figure 3, the REE side may further include a shadow of the confidential virtual machine. When the processor stops running the confidential virtual machine and runs other programs instead, it uses the shadow to save the confidential virtual machine's context; when the processor finishes executing the other programs and resumes the confidential virtual machine, it restores the context saved in the shadow to the confidential virtual machine, thereby resuming its operation.
It should be understood that computing device 300 is only one example provided by the embodiments of this application; computing device 300 may have more or fewer components than shown in Figure 3, or a different configuration of components.
The process by which computing device 300 of Figure 3 implements a virtual machine is described below with reference to the flowchart in Figure 4A of a virtual machine implementation method provided by this application.
S401: The processor runs the first virtual machine manager at EL3 to create a first confidential virtual machine on the TEE side.
Specifically, the processor of computing device 300 can obtain the configuration information of the first confidential virtual machine to be created on the REE side, then run the first virtual machine manager at EL3 and create the first confidential virtual machine on the TEE side according to that configuration information. The configuration information includes the specifications of the first confidential virtual machine to be created, such as storage size, storage type, memory size, memory type, processor core type, number of processor cores, processor core computing speed, number of cores per processor core, network bandwidth, operating system kernel, file system, and so on. When creating the first confidential virtual machine, the processor can, based on the configuration information, provide the first confidential virtual machine with matching virtual hardware resources: for example, carve out of the TEE-side memory resources a region matching the memory information in the configuration for the first confidential virtual machine's use, emulate virtual processor cores matching the processor core information in the configuration for the first confidential virtual machine's use, and load the operating system kernel and file system included in the configuration into the memory corresponding to the first confidential virtual machine, thereby completing the creation of the first confidential virtual machine.
The processor can obtain the configuration information of the first confidential virtual machine on the REE side in either of the following ways, Mode 1 or Mode 2:
Mode 1: The configuration information may be entered by the user on the interface of computing device 300. The user may enter, according to his or her needs, the required processor core type, number of processor cores, processor core computing power requirements, storage type, amount of storage, memory size, memory type, network bandwidth requirements, and so on. In this case the first confidential virtual machine can be understood as custom-built. After obtaining the configuration information entered by the user, computing device 300 stores it in REE-side memory, and the processor subsequently runs the first virtual machine manager at EL3 to obtain the configuration information from REE-side memory.
Mode 2: The configuration information may be selected by the user from several candidate configurations offered on the interface of computing device 300; that is, the user can only choose among the offered configurations and cannot independently decide the processor core type, number of processor cores, processor core computing power requirements, storage type, amount of storage, memory size, memory type, network bandwidth requirements, and so on. In this case the first confidential virtual machine can be understood as offered by specification, and the user can only choose a suitable specification from a limited set. After obtaining the configuration information selected by the user, computing device 300 stores it in REE-side memory, and the processor subsequently runs the first virtual machine manager at EL3 to obtain the configuration information from REE-side memory.
It should be noted that Mode 1 and Mode 2 above are merely examples of how the processor obtains the configuration information of the first confidential virtual machine on the REE side. For example, the processor may obtain part of the configuration information through Mode 1 and another part through Mode 2; this application does not specifically limit this.
S402: The processor runs the first virtual machine manager at EL3 to start the first confidential virtual machine.
It can be understood that after the processor starts the confidential virtual machine, it can run the first confidential virtual machine to process user data.
The process by which the processor runs the first confidential virtual machine to process user data is described below with reference to the flowchart in Figure 4B of a data processing method exemplarily shown in this application.
As shown in Figure 4B, the method includes the following steps:
S410: The processor obtains user data on the REE side.
The user data may be a face image for face recognition, a voice signal for speech recognition, text data for text recognition, and so on; it may also be a model to be trained together with its training data, or data to be encrypted and stored. This application does not specifically limit the user data.
S420: The processor runs the first confidential virtual machine on the TEE side to process the user data.
In a specific implementation, the user data may be entered into computing device 300 by the user through an interface provided by computing device 300. After obtaining the user data entered by the user, computing device 300 stores it in REE-side memory, and the processor subsequently runs the first confidential virtual machine to read the user data from REE-side memory and process it.
In this embodiment, when the user data is a face image for face recognition, a voice signal for speech recognition, or text data for text recognition, the processor runs the first confidential virtual machine on the TEE side to recognize the face image, voice signal or text data and obtain the corresponding recognition result, and can then provide the recognition result to the user on the REE side. When the user data is a model to be trained together with training data, the processor runs the first confidential virtual machine on the TEE side to train the model with the training data, and can then provide the trained model to the user on the REE side. In other words, the first confidential virtual machine on the TEE side communicates with the network outside computing device 300 through the REE side; it can be understood that this improves the security of the first confidential virtual machine.
When the user data is data to be encrypted and stored, the processor runs the first confidential virtual machine on the TEE side to encrypt the data and then stores it in the corresponding location.
In a possible embodiment, the user data obtained by the processor on the REE side in S410 is encrypted data. Before executing S420, the processor runs the first virtual machine manager at EL3 to obtain the decryption key stored on the TEE side for decrypting the encrypted data, and then uses the decryption key to decrypt the encrypted data and obtain the plaintext of the user data. Only then does the processor run the first confidential virtual machine to process the user data. In other words, the user data exists on the REE side in encrypted form and the decryption key is stored on the TEE side; the host operating system kernel and software on the REE side (such as KVM and ordinary virtual machines) cannot obtain the decryption key stored on the TEE side. Therefore, even if an attacker compromises the REE-side host operating system kernel and software and steals the encrypted data, the attacker cannot decrypt it to obtain the plaintext of the user data. This satisfies the requirement that user data not be stolen by the REE-side host operating system kernel and software, further improving the security of user data.
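The following is an added illustrative example and not part of this application's disclosure. It models two points made above: the world-based access control that keeps REE-side software out of secure memory (the TZASC/TZMA configuration described with Figure 2), and the "ciphertext on the REE side, key on the TEE side" flow of S410/S420 in which only the first virtual machine manager at EL3 can fetch the key. The region table, addresses, key length and the byte transform standing in for the real decryption primitive are all constructed assumptions; the real TZASC register programming and SMC calling convention are not modelled.

```c
/* Added example (not from the patent): world-tagged memory plus the EL3 decrypt step.
 * Region layout, addresses and the stand-in cipher are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE     256u
#define NS_CT_BASE   0x00u   /* REE-side (non-secure) buffer holding ciphertext */
#define SEC_KEY_BASE 0x80u   /* TEE-side (secure) buffer holding the decryption key */
#define SEC_PT_BASE  0xC0u   /* TEE-side buffer the confidential VM will read */
#define KEY_LEN      16u

/* Security state of the executing software: NS = REE side (EL0..EL2),
 * S = TEE side (SEL0/SEL1), EL3 = secure monitor, which may access both worlds. */
enum world { WORLD_NS, WORLD_S, WORLD_EL3 };

struct region { uint32_t base, size; int secure; };

static uint8_t g_mem[MEM_SIZE];
/* Constructed region table standing in for TZASC-style configuration. */
static const struct region g_regions[] = {
    { 0x00u, 0x80u, 0 },   /* non-secure */
    { 0x80u, 0x80u, 1 },   /* secure     */
};

/* 1 when software in world w may touch [addr, addr+len). Where the hardware would
 * fault, this model simply reports 0 so the flow can be exercised in a test. */
int access_allowed(enum world w, uint32_t addr, uint32_t len) {
    if (len == 0 || addr > MEM_SIZE || len > MEM_SIZE - addr) return 0;
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        const struct region *r = &g_regions[i];
        if (addr >= r->base && addr + len <= r->base + r->size) {
            if (!r->secure) return 1;                    /* NS memory: every world */
            return w == WORLD_S || w == WORLD_EL3;       /* secure memory: TEE side and EL3 only */
        }
    }
    return 0;   /* access straddles regions or is unmapped */
}

int mem_read(enum world w, uint32_t addr, uint8_t *out, uint32_t len) {
    if (!access_allowed(w, addr, len)) return -1;
    memcpy(out, &g_mem[addr], len);
    return 0;
}

int mem_write(enum world w, uint32_t addr, const uint8_t *in, uint32_t len) {
    if (!access_allowed(w, addr, len)) return -1;
    memcpy(&g_mem[addr], in, len);
    return 0;
}

/* Stand-in for the real decryption primitive (an assumption of this example): a keyed
 * byte transform that is its own inverse, present only so the flow runs end to end. */
static void toy_xform(const uint8_t *key, uint8_t *buf, uint32_t len) {
    for (uint32_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_LEN];
}

/* Monitor-side step between S410 and S420: fetch the key from secure memory, decrypt the
 * REE-side ciphertext and place the plaintext where only the TEE side can read it.
 * Returns 0 on success, -1 when any memory access is denied for world w. */
int vmm_decrypt_for_cvm(enum world w, uint32_t ct_len) {
    uint8_t key[KEY_LEN], buf[64];
    if (ct_len > sizeof buf) return -1;
    if (mem_read(w, SEC_KEY_BASE, key, KEY_LEN) != 0) return -1;   /* denied unless w is S/EL3 */
    if (mem_read(w, NS_CT_BASE, buf, ct_len) != 0) return -1;
    toy_xform(key, buf, ct_len);
    int rc = mem_write(w, SEC_PT_BASE, buf, ct_len);
    memset(key, 0, sizeof key); memset(buf, 0, sizeof buf);         /* scrub monitor locals */
    return rc;
}

int can_read(enum world w, uint32_t addr, uint32_t len) {
    uint8_t tmp[64];
    if (len > sizeof tmp) return 0;
    return mem_read(w, addr, tmp, len) == 0;
}

/* 1 when software in world w can read the plaintext the monitor produced. */
int plaintext_visible(enum world w) {
    uint8_t tmp[5];
    return mem_read(w, SEC_PT_BASE, tmp, 5) == 0 && memcmp(tmp, "hello", 5) == 0;
}

/* Constructed setup: provision a key in secure memory and a ciphertext in NS memory. */
int setup_example(void) {
    static const uint8_t key[KEY_LEN] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                          0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    uint8_t ct[5] = { 'h', 'e', 'l', 'l', 'o' };   /* plaintext, encrypted in place below */
    memset(g_mem, 0, sizeof g_mem);
    toy_xform(key, ct, 5);
    if (mem_write(WORLD_EL3, SEC_KEY_BASE, key, KEY_LEN) != 0) return -1;
    return mem_write(WORLD_NS, NS_CT_BASE, ct, 5);
}

int main(void) {
    setup_example();
    printf("REE read of key:     %s\n", can_read(WORLD_NS, SEC_KEY_BASE, KEY_LEN) ? "allowed" : "denied");
    printf("REE decrypt attempt: %s\n", vmm_decrypt_for_cvm(WORLD_NS, 5) ? "denied" : "ok");
    printf("EL3 decrypt:         %s\n", vmm_decrypt_for_cvm(WORLD_EL3, 5) ? "denied" : "ok");
    printf("REE sees plaintext:  %d, TEE sees plaintext: %d\n",
           plaintext_visible(WORLD_NS), plaintext_visible(WORLD_S));
    return 0;
}
```

The point the test exercises is the one the text makes: a compromised REE side can read the ciphertext buffer but neither the key nor the decrypted output, because both live in a region the access check reserves for the TEE side and EL3.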
In a specific embodiment of this application, after creating the first confidential virtual machine, computing device 300 may also manage it. The management contents are as follows:
① Manage the life cycle of the first confidential virtual machine.
The processor of computing device 300 can obtain, on the REE side, a first management command concerning the life cycle of the first confidential virtual machine, and then run the first virtual machine manager at EL3 to perform, according to the first management command, one or any combination of the following operations on the first confidential virtual machine: power on, power off, change specifications, migrate, and release (destroy).
Specifically, before releasing the first confidential virtual machine, the processor may first determine whether it is in a non-running state. If the first confidential virtual machine is in a non-running state, the processor releases it; if it is running, the processor waits for it to finish running and then releases it. The specific process of releasing the first confidential virtual machine may include erasing its context information, erasing the contents of computing device 300's memory related to it, and releasing the resources it occupies, such as memory.
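The following is an added illustrative example and not part of this application's disclosure. It models the release operation of management item ①: release is refused while the virtual machine is running, and a successful release erases the saved context and the virtual machine's memory before the pages are returned, so that a later tenant of the same memory cannot read stale data. The state set, context layout, and memory sizes are constructed assumptions.

```c
/* Added example (not from the patent): life-cycle state machine with a guarded,
 * scrubbing release. All structures and sizes are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum cvm_state { CVM_CREATED, CVM_RUNNING, CVM_STOPPED, CVM_RELEASED };

struct cvm_ctx { uint64_t x[31]; uint64_t pc, sp; };   /* saved general registers */

struct cvm {
    enum cvm_state state;
    struct cvm_ctx ctx;
    uint8_t *mem;           /* memory carved out of the TEE side at creation */
    size_t mem_len;
};

/* Volatile byte-wise clear so the compiler cannot drop the scrub as a dead store. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

int cvm_power_on(struct cvm *vm) {
    if (vm->state != CVM_CREATED && vm->state != CVM_STOPPED) return -1;
    vm->state = CVM_RUNNING;
    return 0;
}

int cvm_power_off(struct cvm *vm) {
    if (vm->state != CVM_RUNNING) return -1;
    vm->state = CVM_STOPPED;
    return 0;
}

/* Release (destroy): refused while running; otherwise erase context and memory and
 * hand the memory back. Returns 0, or -1 while the VM is still running, in which
 * case the caller waits for it to finish and retries, as the text describes. */
int cvm_release(struct cvm *vm) {
    if (vm->state == CVM_RUNNING) return -1;
    if (vm->state == CVM_RELEASED) return 0;      /* idempotent */
    scrub(&vm->ctx, sizeof vm->ctx);
    scrub(vm->mem, vm->mem_len);
    vm->mem = NULL; vm->mem_len = 0;              /* the pool reclaims the pages */
    vm->state = CVM_RELEASED;
    return 0;
}

/* Constructed scenario memory, standing in for the VM's TEE-side allocation. */
static uint8_t g_pool[64];

/* Expected -1: a release command that arrives while the VM is running is refused. */
int scenario_release_while_running(void) {
    struct cvm vm = { CVM_CREATED, {{0}}, g_pool, sizeof g_pool };
    cvm_power_on(&vm);
    return cvm_release(&vm);
}

/* Returns 1 if, after a proper stop and release, no byte of the old memory or
 * of the saved context survives. */
int scenario_release_scrubs(void) {
    struct cvm vm = { CVM_CREATED, {{0}}, g_pool, sizeof g_pool };
    memset(g_pool, 0xA5, sizeof g_pool);          /* stand-in for tenant data */
    vm.ctx.x[0] = 0xdeadbeefULL; vm.ctx.pc = 0x400000;
    cvm_power_on(&vm); cvm_power_off(&vm);
    if (cvm_release(&vm) != 0) return 0;
    for (size_t i = 0; i < sizeof g_pool; i++) if (g_pool[i] != 0) return 0;
    return vm.ctx.x[0] == 0 && vm.ctx.pc == 0 && vm.state == CVM_RELEASED && vm.mem == NULL;
}

int main(void) {
    printf("release while running -> %d\n", scenario_release_while_running());
    printf("release after stop scrubbed -> %d\n", scenario_release_scrubs());
    return 0;
}
```

The scrub goes through a volatile pointer deliberately: a plain memset immediately before the memory is released is exactly the store an optimizer may remove, which would silently defeat the erase step.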
② Manage the apps on the first confidential virtual machine.
The processor of computing device 300 can obtain, on the REE side, a second management command for the first confidential virtual machine, and then run the first virtual machine manager at EL3 to perform, according to the second management command, one or any combination of the following operations on the first confidential virtual machine: install, start, shut down, upgrade, uninstall and migrate apps.
③ Manage the memory of the first confidential virtual machine.
The processor of computing device 300 can run the first virtual machine manager at EL3 to create, change or destroy the first-level page table or the second-level page table of the first confidential virtual machine, thereby managing its memory. The first-level page table of the first confidential virtual machine is the page table that maps the first confidential virtual machine's virtual address (VA) to a physical address (PA); the second-level page table of the first confidential virtual machine is the page table that maps the first confidential virtual machine's VA to an intermediate physical address (IPA) and maps the IPA to the PA allocated to the first confidential virtual machine in the computing device.
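The following is an added illustrative example and not part of this application's disclosure. It models the two-stage translation of management item ③: a guest-owned stage that maps VA to IPA, and a manager-owned stage that maps IPA to PA and accepts only physical pages from the pool allocated to this virtual machine at creation, so the guest cannot obtain a mapping onto memory belonging to the host or another virtual machine. The page size, the flat table shape and all addresses are constructed assumptions; ARM's real descriptor format is not modelled.

```c
/* Added example (not from the patent): a VA -> IPA -> PA walk with a stage-2 table
 * that only ever points into the VM's own physical pool. Constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1u)
#define NPAGES     16u            /* pages each stage can map (small, for the example) */
#define INVALID    UINT64_MAX

struct stage_table { uint64_t pfn[NPAGES]; };   /* index = page number of the input address */

struct vm_mem {
    struct stage_table s1;        /* VA  -> IPA, guest-managed (first-level table) */
    struct stage_table s2;        /* IPA -> PA, manager-managed (second-level table) */
    uint64_t pool_base, pool_pages; /* physical pages granted to this VM in S401 */
};

void vm_mem_init(struct vm_mem *vm, uint64_t pool_base, uint64_t pool_pages) {
    for (size_t i = 0; i < NPAGES; i++) { vm->s1.pfn[i] = INVALID; vm->s2.pfn[i] = INVALID; }
    vm->pool_base = pool_base; vm->pool_pages = pool_pages;
}

/* Stage-2 install: the manager refuses any PA outside the VM's own pool. */
int vm_map_s2(struct vm_mem *vm, uint64_t ipa, uint64_t pa) {
    uint64_t ipn = ipa >> PAGE_SHIFT, pfn = pa >> PAGE_SHIFT;
    uint64_t pool_pfn = vm->pool_base >> PAGE_SHIFT;
    if (ipn >= NPAGES) return -1;
    if (pfn < pool_pfn || pfn >= pool_pfn + vm->pool_pages) return -1;
    vm->s2.pfn[ipn] = pfn;
    return 0;
}

/* Stage-2 destroy: the IPA no longer has backing, so later walks fault at stage 2. */
void vm_unmap_s2(struct vm_mem *vm, uint64_t ipa) {
    if ((ipa >> PAGE_SHIFT) < NPAGES) vm->s2.pfn[ipa >> PAGE_SHIFT] = INVALID;
}

int vm_map_s1(struct vm_mem *vm, uint64_t va, uint64_t ipa) {
    uint64_t vpn = va >> PAGE_SHIFT;
    if (vpn >= NPAGES) return -1;
    vm->s1.pfn[vpn] = ipa >> PAGE_SHIFT;
    return 0;
}

/* Full walk. Returns 0 and fills *pa; -1 for a stage-1 fault (the guest's own page
 * fault); -2 for a stage-2 fault (the case the manager services at EL3). */
int vm_translate(const struct vm_mem *vm, uint64_t va, uint64_t *pa) {
    uint64_t vpn = va >> PAGE_SHIFT;
    if (vpn >= NPAGES || vm->s1.pfn[vpn] == INVALID) return -1;
    uint64_t ipn = vm->s1.pfn[vpn];
    if (ipn >= NPAGES || vm->s2.pfn[ipn] == INVALID) return -2;
    *pa = (vm->s2.pfn[ipn] << PAGE_SHIFT) | (va & PAGE_MASK);
    return 0;
}

/* Constructed scenario: pool of four pages at 0x8000000; VA 0x5abc -> IPA 0x2abc -> PA 0x8001abc.
 * Returns the PA, or 0 if any step misbehaves (including a pool-escape being accepted). */
uint64_t scenario_pa(void) {
    struct vm_mem vm;
    vm_mem_init(&vm, 0x8000000ULL, 4);
    if (vm_map_s2(&vm, 0x2000, 0x8001000ULL) != 0) return 0;
    if (vm_map_s1(&vm, 0x5000, 0x2000) != 0) return 0;
    if (vm_map_s2(&vm, 0x3000, 0x9000000ULL) == 0) return 0;   /* outside the pool: must be refused */
    uint64_t pa = 0;
    return vm_translate(&vm, 0x5abc, &pa) == 0 ? pa : 0;
}

/* Constructed scenario: a mapping that translates fine, then faults at stage 2 once the
 * manager destroys its second-level entry. Returns the final translate result (-2). */
int scenario_s2_fault(void) {
    struct vm_mem vm;
    vm_mem_init(&vm, 0x8000000ULL, 4);
    uint64_t pa = 0;
    if (vm_map_s2(&vm, 0x3000, 0x8002000ULL) != 0 || vm_map_s1(&vm, 0x6000, 0x3000) != 0) return 1;
    if (vm_translate(&vm, 0x6000, &pa) != 0 || pa != 0x8002000ULL) return 1;
    vm_unmap_s2(&vm, 0x3000);
    return vm_translate(&vm, 0x6000, &pa);
}

int main(void) {
    printf("pa=0x%llx, after unmap rc=%d\n", (unsigned long long)scenario_pa(), scenario_s2_fault());
    return 0;
}
```

The check in vm_map_s2 is the part worth keeping in mind: with a manager at EL3 that can reach all memory, the only thing standing between a guest and a foreign page is that the manager validates every PA it installs against the allocation made for that guest.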
④ Handle exceptions occurring in the first confidential virtual machine and manage its context.
When an exception occurs in the first confidential virtual machine, the processor of computing device 300 can run the first virtual machine manager at EL3 to establish the context of the first confidential virtual machine, then handle the exception, and after the exception has been handled, restore the established context to the first confidential virtual machine to resume its operation. The exception occurring in the first confidential virtual machine may be a page fault exception, an MMIO operation exception, wait for interrupt (WFI), wait for event (WFE), execution of a hypervisor call (HVC) instruction, execution of an SMC instruction, a read or write of a system register, an instruction abort, a data abort (such as a data abort sync exception), an interrupt request (IRQ) or fast interrupt request (FIQ), a power management instruction exit of the power state coordination interface (PSCI), a system error exit, and so on. An MMIO operation is an operation in which the first confidential virtual machine accesses an I/O device through MMIO, and an MMIO operation exception is an exception raised when the first confidential virtual machine performs an MMIO operation.
In a possible embodiment, when the exception occurring in the first confidential virtual machine is a page fault exception, an MMIO operation exception or a data abort sync exception, the process by which the processor runs the first virtual machine manager at EL3 to handle the exception may specifically be: the processor runs the first virtual machine manager at EL3 and receives a page fault exception handling instruction, an MMIO operation exception handling instruction or a data abort sync exception handling instruction sent by the first confidential virtual machine; the processor then runs the first virtual machine manager at EL3 to handle the page fault exception according to the page fault exception handling instruction, or to handle the MMIO operation exception according to the MMIO operation exception handling instruction, or to handle the data abort sync exception according to the data abort sync exception handling instruction. Here, the page fault exception handling instruction, the MMIO operation exception handling instruction and the data abort sync exception handling instruction are SMC-type instructions.
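The following is an added illustrative example and not part of this application's disclosure. It models management item ④ as a trap loop: on an SMC-type request from the confidential virtual machine the manager saves the vCPU context, dispatches on the exception kind (page fault, MMIO operation, data abort sync, WFI), then restores the context, advances past the trapping instruction and resumes. The exception codes, the request layout, the emulated device register and the effect of each handler are constructed; the real SMC calling convention and exception syndrome encoding are not modelled.

```c
/* Added example (not from the patent): save / dispatch / restore for traps from the
 * confidential VM. Codes, request layout and handler effects are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum exc_kind { EXC_PAGE_FAULT = 1, EXC_MMIO = 2, EXC_DATA_ABORT_SYNC = 3, EXC_WFI = 4 };

struct vcpu_ctx { uint64_t x[31]; uint64_t pc, sp, spsr; };

/* What the SMC request carries up to EL3 (constructed layout). */
struct smc_req { enum exc_kind kind; uint64_t fault_addr; uint64_t value; int is_write; };

struct cvm_vcpu {
    struct vcpu_ctx live;       /* registers the VM is running with */
    struct vcpu_ctx saved;      /* manager's copy while the trap is serviced */
    int mapped_pages[8];        /* constructed stage-2 state, 1 = page present */
    uint64_t mmio_reg;          /* the single emulated device register */
    unsigned traps_serviced;
};

static int handle_page_fault(struct cvm_vcpu *v, const struct smc_req *r) {
    uint64_t page = r->fault_addr >> 12;
    if (page >= 8) return -1;            /* outside the VM's address space: refuse */
    v->mapped_pages[page] = 1;           /* lazily back the page */
    return 0;
}

static int handle_mmio(struct cvm_vcpu *v, const struct smc_req *r) {
    if (r->fault_addr != 0x9000000ULL) return -1;   /* only the one emulated register exists */
    if (r->is_write) v->mmio_reg = r->value;
    else v->live.x[0] = v->mmio_reg;     /* the read result lands in x0 on resume */
    return 0;
}

/* Trap entry: establish the context, handle, restore, resume. Returns the handler's
 * result; on failure the VM resumes at the same instruction with -1 in x0. */
int vmm_handle_trap(struct cvm_vcpu *v, const struct smc_req *r) {
    memcpy(&v->saved, &v->live, sizeof v->saved);   /* establish the VM context */
    int rc;
    switch (r->kind) {
    case EXC_PAGE_FAULT:      rc = handle_page_fault(v, r); break;
    case EXC_MMIO:            rc = handle_mmio(v, r); break;
    case EXC_DATA_ABORT_SYNC: rc = (r->fault_addr >> 12) < 8 ? 0 : -1; break;
    case EXC_WFI:             rc = 0; break;        /* nothing to emulate; just resume */
    default:                  rc = -1; break;       /* unknown request: refuse */
    }
    /* Restore everything the handler did not intend to change, keep only the
     * result register, and step past the trapping instruction so the VM does
     * not re-trap on resume. */
    uint64_t x0 = (rc == 0) ? v->live.x[0] : (uint64_t)-1;
    memcpy(&v->live, &v->saved, sizeof v->live);
    v->live.x[0] = x0;
    if (rc == 0) v->live.pc += 4;
    v->traps_serviced++;
    return rc;
}

/* Constructed scenario: a page fault, an MMIO write then read, then a malformed
 * request. Returns 0 if every step behaved, otherwise the number of the failing step. */
int scenario_traps(void) {
    struct cvm_vcpu v; memset(&v, 0, sizeof v);
    v.live.pc = 0x1000; v.live.x[1] = 77;           /* x1 must survive every trap untouched */
    struct smc_req pf  = { EXC_PAGE_FAULT, 0x3abc, 0, 0 };
    struct smc_req mw  = { EXC_MMIO, 0x9000000ULL, 0x55, 1 };
    struct smc_req mr  = { EXC_MMIO, 0x9000000ULL, 0, 0 };
    struct smc_req bad = { (enum exc_kind)99, 0, 0, 0 };
    if (vmm_handle_trap(&v, &pf) != 0 || !v.mapped_pages[3]) return 1;
    if (vmm_handle_trap(&v, &mw) != 0 || v.mmio_reg != 0x55) return 2;
    if (vmm_handle_trap(&v, &mr) != 0 || v.live.x[0] != 0x55) return 3;
    if (vmm_handle_trap(&v, &bad) != -1 || v.live.x[0] != (uint64_t)-1) return 4;
    if (v.live.pc != 0x100c || v.live.x[1] != 77) return 5;   /* three resumes advanced PC */
    return v.traps_serviced == 4 ? 0 : 6;
}

int main(void) { printf("scenario_traps -> %d\n", scenario_traps()); return 0; }
```

Restoring from the saved copy rather than trusting whatever the handler left in the live registers is the design choice to note: a handler that fails part-way cannot leak a half-updated register set back into the virtual machine.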
⑤ Before running the first confidential virtual machine, check the security of the first confidential virtual machine and the security of computing device 300.
In a possible embodiment, the processor can, by running the first virtual machine manager at EL3, provide the configuration information of the first confidential virtual machine (such as virtual processor core type, number of virtual processor cores, memory addresses, etc.), the version information of the operating system installed on it, the app names, and so on to the user on the REE side for a security check; that is, the user determines whether the first confidential virtual machine is a secure virtual machine that meets the user's expectations or an insecure virtual machine that poses a security threat. If the processor, running the first virtual machine manager at EL3, obtains feedback from the user that the first confidential virtual machine is a secure virtual machine meeting expectations, the processor determines that it is a secure virtual machine and starts it; otherwise the processor determines that it is an insecure virtual machine and does not start it. Optionally, the processor may also check the security of the first confidential virtual machine in other ways, which this application does not specifically limit.
In a possible embodiment, the processor can, by running the first virtual machine manager at EL3, provide the certificate of computing device 300 to the user on the REE side for a legitimacy check; that is, the user determines whether computing device 300 is a secure device that meets the user's expectations or an insecure device that poses a security threat. If the processor, running the first virtual machine manager at EL3, obtains feedback from the user that the computing device is a secure device meeting expectations, the processor determines that the computing device is a secure device and starts the first virtual machine; otherwise the processor determines that the computing device is an insecure device and does not start the first virtual machine. Optionally, the processor may also check the security of computing device 300 in other ways, which this application does not specifically limit.
Optionally, if while running the first confidential virtual machine the processor detects that its configuration information, the operating system kernel version installed on it, the app names, or the like have been changed, the processor can re-determine the security of the changed first confidential virtual machine; if the changed first confidential virtual machine is determined to be secure, the processor starts and runs it, otherwise it refuses to start the changed first confidential virtual machine.
Optionally, if while running the first confidential virtual machine the processor detects that the certificate of computing device 300 has expired or that computing device 300 has a security risk, the processor can remind the user on the REE side that the certificate has expired or inform the user of the security risk, letting the user decide whether to continue using computing device 300 to run the first confidential virtual machine.
It can be understood that running the first confidential virtual machine only after checking its security and the security of computing device 300, and continuing to monitor the security of both while the first confidential virtual machine is running, can improve the security of the first confidential virtual machine and thereby the security of the user data stored or used in it.
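The following is an added illustrative example and not part of this application's disclosure. It models the start gate of check ⑤ as a small policy: the manifest shown to the user (core type, core count, memory base, OS version, app name) is snapshotted when the user answers that the virtual machine is secure; the virtual machine may start only while its live manifest still equals that snapshot, any change forces a fresh decision, and an expired device certificate blocks the start. The manifest fields, the certificate record, the timestamps and the user's answer as a plain flag are constructed assumptions; no real attestation or certificate parsing is involved.

```c
/* Added example (not from the patent): approval snapshot, change re-check and
 * certificate validity window for starting the confidential VM. Constructed fields. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct manifest {
    char vcpu_type[16];
    uint32_t vcpu_count;
    uint64_t mem_base;
    char os_version[16];
    char app_name[32];
};

struct device_cert { char subject[32]; uint64_t not_before, not_after; };

struct vm_policy {
    struct manifest approved;   /* snapshot taken when the user said "secure" */
    int approved_valid;
};

/* Field-by-field comparison; memcmp over the struct would be wrong because of padding bytes. */
int manifest_equal(const struct manifest *a, const struct manifest *b) {
    return strcmp(a->vcpu_type, b->vcpu_type) == 0 && a->vcpu_count == b->vcpu_count &&
           a->mem_base == b->mem_base && strcmp(a->os_version, b->os_version) == 0 &&
           strcmp(a->app_name, b->app_name) == 0;
}

/* Stand-in for "provide the manifest to the user on the REE side and obtain feedback":
 * the decision arrives as user_says_secure. */
void policy_record_user_decision(struct vm_policy *p, const struct manifest *live, int user_says_secure) {
    if (user_says_secure) { p->approved = *live; p->approved_valid = 1; }
    else p->approved_valid = 0;
}

int cert_valid_at(const struct device_cert *c, uint64_t now) {
    return now >= c->not_before && now <= c->not_after;
}

/* 0 = may start; -1 = VM not approved, or changed since approval; -2 = device certificate
 * outside its validity window. The certificate is checked first because a VM approval
 * means nothing on a device the user has not accepted. */
int policy_may_start(const struct vm_policy *p, const struct manifest *live,
                     const struct device_cert *c, uint64_t now) {
    if (!cert_valid_at(c, now)) return -2;
    if (!p->approved_valid || !manifest_equal(&p->approved, live)) return -1;
    return 0;
}

/* Constructed scenario: approve, start, change the app name at run time, expect refusal,
 * re-approve, then move past the certificate's expiry. Returns 0 if every step behaved,
 * otherwise the number of the failing step. */
int scenario_policy(void) {
    struct manifest live = { "cortex-a78", 4, 0x80000000ULL, "5.10.0", "face-id" };
    struct device_cert cert = { "device-300", 1000, 2000 };
    struct vm_policy p; memset(&p, 0, sizeof p);
    if (policy_may_start(&p, &live, &cert, 1500) != -1) return 1;   /* nothing approved yet */
    policy_record_user_decision(&p, &live, 1);
    if (policy_may_start(&p, &live, &cert, 1500) != 0) return 2;
    strcpy(live.app_name, "other-app");                            /* changed while running */
    if (policy_may_start(&p, &live, &cert, 1500) != -1) return 3;   /* must be re-determined */
    policy_record_user_decision(&p, &live, 0);                     /* user rejects the change */
    if (policy_may_start(&p, &live, &cert, 1500) != -1) return 4;
    policy_record_user_decision(&p, &live, 1);                     /* user accepts the change */
    if (policy_may_start(&p, &live, &cert, 1500) != 0) return 5;
    if (policy_may_start(&p, &live, &cert, 2500) != -2) return 6;   /* certificate expired */
    if (policy_may_start(&p, &live, &cert, 500) != -2) return 7;    /* not yet valid */
    return 0;
}

int main(void) { printf("scenario_policy -> %d\n", scenario_policy()); return 0; }
```

The re-check on change is the point the text stresses: approval is bound to the exact manifest the user saw, so a later modification of the configuration, kernel version or app name invalidates the earlier decision rather than inheriting it.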
⑥ Managing the virtualization functions of the first confidential virtual machine.
Before the processor of the computing device 300 runs the first confidential virtual machine on the TEE side, it may further obtain, on the REE side or the TEE side, one or any combination of the following: a virtual interrupt for the first confidential virtual machine, a virtual clock for use by the first confidential virtual machine, and memory-mapped input/output (MMIO) information for use by the first confidential virtual machine. It then injects this information into the first confidential virtual machine and runs the first confidential virtual machine according to it. The virtual clock allows the first confidential virtual machine to measure time intervals, for example for task scheduling, and the MMIO information allows the first confidential virtual machine to access I/O devices in the same way as it accesses memory.
It can be understood that if the processor obtains the virtual interrupt, the virtual clock and the MMIO information on the REE side rather than on the TEE side, the trusted computing base (TCB) on the TEE side can be kept small.
In a possible embodiment, as shown in FIG. 5, the first virtual machine manager includes a virtual interrupt register 10, a virtual clock register 20 and an MMIO register 30. The virtual interrupt register 10 stores the virtual interrupt of the first confidential virtual machine emulated by the processor, the virtual clock register 20 stores the virtual clock emulated by the processor for use by the first confidential virtual machine, and the MMIO register 30 stores the MMIO information emulated by the processor for use by the first confidential virtual machine. The processor may inject the virtual interrupt, the virtual clock and the MMIO information into the first confidential virtual machine as follows: running the first virtual machine manager under EL3, the processor triggers an interrupt from the corresponding register of the first virtual machine manager to generate an interrupt signal and sends the interrupt signal to the first confidential virtual machine; after receiving the interrupt signal, the first confidential virtual machine reads the interrupt information to be processed from the corresponding register of the first virtual machine manager based on the interrupt signal. It can be understood that, because the processor runs the first virtual machine manager under EL3, the instruction executed to read the interrupt information to be processed from the corresponding register of the first virtual machine manager based on the interrupt signal is an SMC-type instruction.
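The following is an added example, not code from the patent, modelling the register bank of FIG. 5 and the injection path just described: the REE-side manager only writes values into the three registers, the EL3 manager marks a register pending and raises the interrupt line (the signal itself carries no data), and the guest fetches the value with an SMC-style call that EL3 restricts to the caller's own VM. The register indices, the `pending` bitmask and the per-VM layout are assumptions made for illustration.

```c
/* Added example (not the patent's code): the virtual interrupt / virtual clock / MMIO
 * registers of FIG. 5 and the three roles that touch them. Register ids, the pending
 * bitmask and the per-VM layout are constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_VMS 2

enum reg_id { REG_VIRQ = 0, REG_VCLOCK = 1, REG_MMIO = 2, REG_COUNT };

/* Per-VM copy of the three registers plus a bit per register that is not yet consumed. */
struct vm_regs {
    uint64_t value[REG_COUNT];
    uint32_t pending;
};

struct first_vmm {
    struct vm_regs regs[MAX_VMS];   /* owned by the EL3 manager */
};

/* REE side (second VM manager): the emulation result is written into the EL3-owned bank.
 * Returns 0 on success, -1 on an invalid VM or register index. */
int vmm2_write_register(struct first_vmm *m, unsigned vm, enum reg_id r, uint64_t v)
{
    if (vm >= MAX_VMS || r >= REG_COUNT) return -1;
    m->regs[vm].value[r] = v;
    return 0;
}

/* EL3 side: "injection" marks the register pending and raises the interrupt line.
 * The interrupt signal carries no data; the guest must fetch it. */
int vmm1_inject(struct first_vmm *m, unsigned vm, enum reg_id r, int *irq_line)
{
    if (vm >= MAX_VMS || r >= REG_COUNT) return -1;
    m->regs[vm].pending |= 1u << r;
    *irq_line = 1;
    return 0;
}

/* Guest side: SMC-type read. caller_vm is what EL3 knows about the caller from its own
 * bookkeeping, not a value supplied by the guest, so one VM cannot read another's registers.
 * Returns 0 with the value, -1 if refused, -2 if nothing is pending. */
int guest_smc_read(struct first_vmm *m, unsigned caller_vm, unsigned target_vm,
                   enum reg_id r, uint64_t *out)
{
    if (caller_vm != target_vm) return -1;
    if (target_vm >= MAX_VMS || r >= REG_COUNT) return -1;
    if (!(m->regs[target_vm].pending & (1u << r))) return -2;
    *out = m->regs[target_vm].value[r];
    m->regs[target_vm].pending &= ~(1u << r);   /* consumed */
    return 0;
}

int main(void)
{
    struct first_vmm m;
    int irq = 0;
    uint64_t v = 0;
    memset(&m, 0, sizeof m);
    vmm2_write_register(&m, 0, REG_VCLOCK, 0x1234);   /* REE emulates a clock value */
    vmm1_inject(&m, 0, REG_VCLOCK, &irq);             /* EL3 signals the guest */
    if (guest_smc_read(&m, 0, 0, REG_VCLOCK, &v) == 0) /* guest fetches it */
        printf("guest 0 read vclock 0x%llx\n", (unsigned long long)v);
    return 0;
}
```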
In a possible embodiment, as shown in FIG. 5, the first virtual machine manager further includes a virtual machine management module 40, a memory management module 50, an exception handling module 60 and a remote attestation module 70. The virtual machine management module 40 performs the operations of creating and starting the first confidential virtual machine on the TEE side described in S401 and S402 above, the life cycle management operations described in ① above, and the APP management operations described in ② above; the memory management module 50 performs the memory management operations described in ③ above; the exception handling module 60 performs the exception handling operations described in ④ above and, optionally, the context management operations also described in ④; the remote attestation module 70 performs the operations described in ⑤ above of checking the security of the first confidential virtual machine and the security of the computing device 300. For details, refer to the relevant description above; for brevity, they are not repeated here.
It should be understood that the names of the modules of the first virtual machine manager shown in FIG. 5 are only examples: the virtual machine management module 40 may also be called a first confidential virtual machine management module, the remote attestation module 70 may also be called a security check module, and so on. These names should not be regarded as specific limitations on the modules of the first virtual machine manager.
In a specific implementation, the operations performed by the processor of the computing device 300 on the REE side may be implemented by the processor running a second virtual machine manager on the REE side.
It should be noted that, in addition to the above operations, the processor of the computing device 300 may perform other operations, such as creating, modifying and destroying the second-level page table on the REE side, or emulating virtualized I/O devices such as virtual disks and VNICs for use by the first confidential virtual machine. This application does not specifically limit the operations that the processor of the computing device 300 can perform.
To make the process of creating and running the first confidential virtual machine clearer, it is described below from the perspective of the second virtual machine manager, such as KVM, with reference to FIG. 6.
As shown in FIG. 6, the process includes the following steps:
S601: The second virtual machine manager obtains a creation instruction. The creation instruction carries the configuration information of the first confidential virtual machine to be created, which includes the memory information allocated to the first confidential virtual machine, the virtual processor core information for use by the first confidential virtual machine, an operating system kernel and a file system.
The configuration information may also include other content; this application does not specifically limit it.
S602: The second virtual machine manager calls the memory partitioning interface provided by the first virtual machine manager and passes the memory information carried by the creation instruction to the first virtual machine manager, so that the first virtual machine manager partitions, based on the memory information, memory for use by the first confidential virtual machine out of the memory resources on the TEE side.
S603: The second virtual machine manager calls the virtual processor core creation interface provided by the first virtual machine manager and passes the virtual processor core information carried by the creation instruction to the first virtual machine manager, so that the first virtual machine manager emulates, based on that information, the virtual processor cores for use by the first confidential virtual machine.
S604: The second virtual machine manager calls the communication interface provided by the first virtual machine manager and passes the operating system kernel and file system for use by the first confidential virtual machine to the first virtual machine manager, so that the first virtual machine manager stores them in the memory partitioned for the first confidential virtual machine.
S605: The second virtual machine manager calls the virtual machine run interface provided by the first virtual machine manager and passes the virtual interrupt, virtual clock and MMIO information of the first confidential virtual machine to the first virtual machine manager, so that the first virtual machine manager injects them into the first confidential virtual machine and starts running it.
S606: The second virtual machine manager receives an exception handling instruction from the first confidential virtual machine, forwarded by the first virtual machine manager.
S607: The second virtual machine manager handles the exception that occurred in the first confidential virtual machine according to the exception handling instruction.
S608: After handling the exception, the second virtual machine manager calls the virtual machine run interface provided by the first virtual machine manager again, so that the first virtual machine manager resumes running the first confidential virtual machine.
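The following is an added example, not code from the patent, that drives the sequence S601 to S608 against a modelled version of the four interfaces the first virtual machine manager is said to expose (memory partitioning, virtual processor core creation, communication, and run). Each interface refuses calls made out of order or with requests that do not fit the TEE-side memory pool, which is the check a practitioner would expect at the REE/TEE boundary. The pool layout, the `cvm` state machine, the vCPU limit and the function names are assumptions; the real interfaces are not described in the text.

```c
/* Added example (not the patent's code): the S601..S608 flow as the second VM manager
 * (e.g. KVM) would drive it, against a modelled first VM manager. State names, the
 * static TEE pool and the interface signatures are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_VCPUS 8

enum vm_state { VM_NONE, VM_MEM_READY, VM_VCPU_READY, VM_IMAGES_LOADED, VM_RUNNING, VM_EXITED };

/* Creation instruction of S601 (constructed layout). Sizes are in bytes. */
struct create_cmd {
    uint64_t mem_size;
    uint32_t vcpu_count;
    const uint8_t *kernel; size_t kernel_len;
    const uint8_t *rootfs; size_t rootfs_len;
};

/* The TEE-side pool from which VM memory is partitioned (assumption: one static pool). */
struct tee_pool { uint64_t base; uint64_t size; uint64_t used; };

struct cvm {
    enum vm_state state;
    uint64_t mem_base, mem_size;
    uint32_t vcpus;
};

/* S602: memory partitioning interface. Refuses a request that does not fit the pool. */
int vmm1_partition_memory(struct tee_pool *pool, struct cvm *vm, uint64_t size)
{
    if (vm->state != VM_NONE || size == 0 || size > pool->size - pool->used) return -1;
    vm->mem_base = pool->base + pool->used;
    vm->mem_size = size;
    pool->used += size;
    vm->state = VM_MEM_READY;
    return 0;
}

/* S603: virtual processor core creation interface. */
int vmm1_create_vcpus(struct cvm *vm, uint32_t n)
{
    if (vm->state != VM_MEM_READY || n == 0 || n > MAX_VCPUS) return -1;
    vm->vcpus = n;
    vm->state = VM_VCPU_READY;
    return 0;
}

/* S604: communication interface. Kernel and file system must fit the partitioned memory.
 * tee_mem is a constructed stand-in for TEE-side physical memory (pool->base == 0). */
int vmm1_load_images(struct cvm *vm, uint8_t *tee_mem, const struct create_cmd *c)
{
    if (vm->state != VM_VCPU_READY) return -1;
    if (c->kernel_len > vm->mem_size || c->rootfs_len > vm->mem_size - c->kernel_len) return -1;
    memcpy(tee_mem + vm->mem_base, c->kernel, c->kernel_len);
    memcpy(tee_mem + vm->mem_base + c->kernel_len, c->rootfs, c->rootfs_len);
    vm->state = VM_IMAGES_LOADED;
    return 0;
}

/* S605 and S608: run interface, accepted only from the loaded or exited states. */
int vmm1_run(struct cvm *vm)
{
    if (vm->state != VM_IMAGES_LOADED && vm->state != VM_EXITED) return -1;
    vm->state = VM_RUNNING;
    return 0;
}

/* S606: an exception forwarded from the guest parks the VM until S608 resumes it. */
int vmm1_exit_for_exception(struct cvm *vm)
{
    if (vm->state != VM_RUNNING) return -1;
    vm->state = VM_EXITED;
    return 0;
}

/* The whole sequence. Returns the final state, or -1 if any interface refused. */
int kvm_create_and_run(struct tee_pool *pool, uint8_t *tee_mem, const struct create_cmd *c, struct cvm *vm)
{
    memset(vm, 0, sizeof *vm);
    if (vmm1_partition_memory(pool, vm, c->mem_size)) return -1;   /* S602 */
    if (vmm1_create_vcpus(vm, c->vcpu_count)) return -1;           /* S603 */
    if (vmm1_load_images(vm, tee_mem, c)) return -1;               /* S604 */
    if (vmm1_run(vm)) return -1;                                   /* S605 */
    if (vmm1_exit_for_exception(vm)) return -1;                    /* S606: guest raises an exception */
    /* S607: the REE-side handler would run here. */
    if (vmm1_run(vm)) return -1;                                   /* S608: resume */
    return vm->state;
}

int main(void)
{
    static uint8_t tee_mem[4096];
    struct tee_pool pool = { 0, sizeof tee_mem, 0 };
    const uint8_t kernel[] = "kernel", rootfs[] = "rootfs";   /* constructed images */
    struct create_cmd cmd = { 1024, 2, kernel, sizeof kernel, rootfs, sizeof rootfs };
    struct cvm vm;
    printf("final state: %d\n", kvm_create_and_run(&pool, tee_mem, &cmd, &vm));
    return 0;
}
```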
In a specific embodiment of the present application, when the processor of the computing device 300 needs to emulate a virtualized I/O device for use by the first confidential virtual machine, it may do so using VirtIO technology.
When the computing device 300 emulates a virtualized I/O device for use by the first confidential virtual machine using VirtIO, as shown in FIG. 7, the operating system kernel of the first confidential virtual machine on the TEE side includes a VirtIO front-end driver, the second virtual machine manager (such as KVM) includes a VirtIO back-end driver, and the first virtual machine manager may include, in addition to the modules shown in FIG. 5, a memory synchronization module. The memory resources on the TEE side include a first memory (VRING) (not shown in FIG. 7) used for data transfer between the VirtIO front-end driver and the VirtIO back-end driver, and the memory resources on the REE side include a second memory (not shown in FIG. 7) that has a mapping relationship with the first memory. The second memory may be regarded as a shadow of the first memory and is usually the same size as the first memory.
Specifically, in the computing device 300 shown in FIG. 7, the processor of the computing device 300 may run the VirtIO back-end driver to create the virtualized I/O device and, after starting the first confidential virtual machine, run the VirtIO front-end driver in the first confidential virtual machine to load the virtualized I/O device, thereby emulating the virtualized I/O device. In this way, the computing device 300 can provide the I/O communication of the first confidential virtual machine through VirtIO.
During the I/O communication of the first confidential virtual machine implemented by the computing device 300 through VirtIO, the memory synchronization module synchronizes the data in the first memory that the VirtIO front-end driver needs to send to the VirtIO back-end driver (hereinafter the first data) to the second memory, and synchronizes the data in the second memory that the VirtIO back-end driver needs to send to the VirtIO front-end driver (hereinafter the second data) to the first memory. The first data can also be understood as data that the first confidential virtual machine needs to send to the network outside the computing device 300, and the second data as data that the first confidential virtual machine needs to receive from the network outside the computing device 300.
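The following is an added example, not code from the patent, of the memory synchronization module as a bounded copy between the first memory (VRING, TEE side) and the second memory (its REE-side shadow). The point of a shadow rather than a shared mapping is that the REE never sees TEE memory directly, so the synchronizer must copy only the buffers the front-end has actually made available and nothing around them; the example validates every descriptor before copying anything. The descriptor layout, the `DESC_F_WRITE` flag and the `ring_mapping` struct are simplified assumptions; a real VirtIO ring has a richer format.

```c
/* Added example (not the patent's code): the memory synchronization module of FIG. 7
 * modelled as a bounded copy between the TEE-side VRING (first memory) and its REE-side
 * shadow (second memory). Descriptor layout and flag value are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DESC_F_WRITE 2u   /* buffer is written by the device (backend), as in VirtIO */

/* One ring descriptor: a window into the shared ring memory. */
struct ring_desc { uint32_t off; uint32_t len; uint32_t flags; };

struct ring_mapping {
    uint8_t *first;   /* TEE side: only the EL3 manager may touch it */
    uint8_t *second;  /* REE side: visible to the VirtIO backend in KVM */
    size_t len;       /* the shadow is the same size as the ring */
};

static int desc_in_bounds(const struct ring_mapping *m, const struct ring_desc *d)
{
    return d->off <= m->len && d->len <= m->len - d->off;   /* overflow-safe */
}

/* First data (frontend -> backend): copy only the buffers the guest made available and
 * that are not device-writable. Returns the number of buffers copied, or -1 on a bad
 * descriptor, in which case nothing at all is copied (validated up front so a bad
 * descriptor cannot leak a partial copy). */
long sync_to_shadow(const struct ring_mapping *m, const struct ring_desc *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!desc_in_bounds(m, &d[i])) return -1;
    long copied = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i].flags & DESC_F_WRITE) continue;
        memcpy(m->second + d[i].off, m->first + d[i].off, d[i].len);
        copied++;
    }
    return copied;
}

/* Second data (backend -> frontend): the reverse, for device-writable buffers only. */
long sync_from_shadow(const struct ring_mapping *m, const struct ring_desc *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!desc_in_bounds(m, &d[i])) return -1;
    long copied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(d[i].flags & DESC_F_WRITE)) continue;
        memcpy(m->first + d[i].off, m->second + d[i].off, d[i].len);
        copied++;
    }
    return copied;
}

int main(void)
{
    static uint8_t first[256], second[256];          /* constructed ring and shadow */
    struct ring_mapping m = { first, second, sizeof first };
    struct ring_desc d[2] = { { 0, 10, 0 }, { 64, 32, DESC_F_WRITE } };
    memcpy(first, "packet-out", 10);
    printf("to shadow: %ld buffer(s)\n", sync_to_shadow(&m, d, 2));
    memcpy(second + 64, "reply", 5);
    printf("from shadow: %ld buffer(s)\n", sync_from_shadow(&m, d, 2));
    return 0;
}
```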
It can be seen that, in the computing device 300 and the virtual machine implementation method provided by the present application, because the processor of the computing device 300 runs the first virtual machine manager under EL3 to start the first confidential virtual machine, and the first confidential virtual machine is deployed on the TEE side, the virtual machine is isolated from the host operating system kernel (located on the REE side) by the first virtual machine manager. In other words, the virtual machine is protected by the first virtual machine manager under EL3 and cannot be accessed by the host operating system kernel on the REE side. Therefore, even if an attacker compromises the host operating system kernel, the attacker cannot control the virtual machine through the virtual machine manager in the host operating system kernel, such as KVM. This protects the security of the virtual machine in the computing device and, in turn, the security of the user data in the virtual machine.
It should be understood that the numbering of the steps in the above embodiments does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present application.
The virtual machine implementation method provided by the present application has been described in detail above. Based on the same inventive concept, the virtual machine implementation apparatus and computing device provided by the present application are described below.
It should be understood that the unit modules inside the virtual machine implementation apparatus may be divided in various ways, and each module may be a software module, a hardware module, or partly software and partly hardware; this application does not limit this. When the virtual machine implementation apparatus includes multiple unit modules, these modules may be deployed on the same computing device.
Referring to FIG. 8, FIG. 8 is a schematic structural diagram of a virtual machine implementation apparatus 800 exemplarily shown in the present application, which may be applied to the computing device 300 of FIG. 3 whose hardware resources are divided into a REE side and a TEE side. As shown in FIG. 8, the virtual machine implementation apparatus 800 includes a processing module 810. The functions of the modules of the virtual machine implementation apparatus 800 are introduced by way of example below. It should be understood that the functions described are only those the virtual machine implementation apparatus 800 may have in some embodiments of the present application; the present application does not limit the functions of each module.
The processing module 810 is configured to run a first virtual machine manager under EL3 to start a first virtual machine, where the first virtual machine is deployed on the TEE side.
In this embodiment, the first virtual machine can be understood as the first confidential virtual machine described above.
In some possible embodiments, as shown in FIG. 8, the apparatus 800 further includes an acquisition module 820;
the acquisition module 820 is configured to obtain encrypted user data on the REE side;
the processing module 810 is further configured to run the first virtual machine manager under EL3, obtain the decryption key stored on the TEE side, and decrypt the encrypted user data with the decryption key to obtain the user data plaintext;
the processing module 810 is further configured to run the first virtual machine to process the user data plaintext.
In some possible embodiments, the acquisition module 820 is further configured to obtain, on the REE side, a creation instruction carrying the configuration information of the first virtual machine to be created; the processing module 810 is further configured to run the first virtual machine manager under EL3 and create the first virtual machine on the TEE side according to the configuration information carried by the creation instruction.
In some possible embodiments, the acquisition module 820 is further configured to emulate, on the REE side, first data including one or any combination of the following: a virtual interrupt of the first virtual machine, a virtual clock for use by the first virtual machine, and MMIO information for use by the first virtual machine; the processing module 810 is further configured to write the first data into the first virtual machine manager, to run the first virtual machine manager under EL3 to inject the first data into the first virtual machine, and to run the first virtual machine according to the first data.
In some possible embodiments, the processing module 810 is further configured to run the first virtual machine manager under EL3 to determine whether the first virtual machine is a secure virtual machine, start the first virtual machine if it is determined to be a secure virtual machine, and not start it if it is determined to be a non-secure virtual machine.
In some possible embodiments, the processing module 810 is further configured to run the first virtual machine manager under EL3 to determine whether the computing device is a secure device, start the first virtual machine if the computing device is determined to be a secure device, and not start it if the computing device is determined to be a non-secure device.
In some possible embodiments, the acquisition module 820 is further configured to obtain, on the REE side, a first management command for the life cycle of the first virtual machine; the processing module 810 is further configured to run the first virtual machine manager under EL3 and perform, according to the first management command, one or any combination of the following operations on the first virtual machine: power on, power off, change specifications, migrate and release.
In some possible embodiments, the acquisition module 820 is further configured to obtain, on the REE side, a second management command for the first virtual machine; the processing module 810 is further configured to run the first virtual machine manager under EL3 and perform, according to the second management command, one or any combination of the following operations on the first virtual machine: install, start, stop, upgrade, uninstall and migrate an application program.
In some possible embodiments, the processing module 810 is further configured to: when an exception occurs in the first virtual machine, run the first virtual machine manager under EL3 to establish the context of the first virtual machine and handle the exception, and, once the exception has been handled, restore the context to the first virtual machine so that it resumes running.
In some possible embodiments, when the exception in the first virtual machine is a page fault exception, an MMIO operation exception or a synchronous data abort exception, the processing module 810 is configured to run the first virtual machine manager under EL3, receive the page fault exception handling instruction, MMIO operation exception handling instruction or synchronous data abort exception handling instruction sent by the first virtual machine, and handle the page fault exception according to the page fault exception handling instruction, or handle the MMIO operation exception according to the MMIO operation exception handling instruction, or handle the synchronous data abort exception according to the synchronous data abort exception handling instruction. The page fault exception handling instruction, the MMIO operation exception handling instruction and the synchronous data abort exception handling instruction are SMC-type instructions, and the MMIO operation exception is an exception raised when the first virtual machine performs an MMIO operation.
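The following is an added example, not code from the patent, covering the two preceding paragraphs: an EL3 entry point that services an exception-reporting SMC from the guest by saving the VM's context, dispatching on the exception class (page fault, MMIO operation, synchronous data abort), and restoring the context with the result in x0 before the VM resumes. A page fault is resolved only inside the memory partitioned for that VM, an MMIO fault is flagged for forwarding to the REE side, and an unknown function ID changes nothing. The SMC function IDs, the register-file layout, the tiny first-level page table and the handler signatures are constructed for illustration.

```c
/* Added example (not the patent's code): EL3-side handling of an exception-reporting SMC,
 * with context save/restore around a dispatch on exception class. Function IDs, the
 * register layout and the 16-entry page table are constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed function IDs, one per exception class named in the text. */
enum exc_smc {
    SMC_PAGE_FAULT = 0x83000001u,
    SMC_MMIO_FAULT = 0x83000002u,
    SMC_DATA_ABORT = 0x83000003u
};

#define NREGS 31
#define PAGES 16
#define PAGE_SHIFT 12

struct guest_context { uint64_t x[NREGS]; uint64_t pc; uint64_t sp; };

struct cvm {
    uint64_t mem_base, mem_size;   /* PA range partitioned for this VM on the TEE side */
    uint64_t stage1[PAGES];        /* VA page index -> PA (0 = unmapped); constructed */
    struct guest_context ctx;      /* live register state of the VM */
};

/* Page fault: establish the VA->PA mapping, but only inside the VM's own memory. */
static int handle_page_fault(struct cvm *vm, uint64_t va)
{
    uint64_t idx = va >> PAGE_SHIFT;
    if (idx >= PAGES) return -1;
    uint64_t pa = vm->mem_base + (idx << PAGE_SHIFT);
    if (pa + (1u << PAGE_SHIFT) > vm->mem_base + vm->mem_size) return -1;
    vm->stage1[idx] = pa;
    return 0;
}

/* MMIO fault: EL3 does not emulate devices; the request is forwarded to the REE side (S606). */
static int handle_mmio(struct cvm *vm, uint64_t addr, int *forward)
{
    (void)vm; (void)addr;
    *forward = 1;
    return 0;
}

/* Synchronous data abort: nothing EL3 can repair; report it so the guest kernel deals with it. */
static int handle_data_abort(struct cvm *vm, uint64_t addr)
{
    (void)vm; (void)addr;
    return -1;
}

/* Entry point for a guest SMC. x0 carries the function ID, x1 the faulting address.
 * Returns the handler result; *forward is set when the REE side must finish the job. */
int el3_handle_guest_smc(struct cvm *vm, int *forward)
{
    struct guest_context saved = vm->ctx;         /* establish (save) the VM's context */
    uint64_t fid = saved.x[0], addr = saved.x[1];
    int rc;
    *forward = 0;
    memset(&vm->ctx, 0, sizeof vm->ctx);          /* EL3 works on its own register file */
    switch (fid) {
    case SMC_PAGE_FAULT: rc = handle_page_fault(vm, addr); break;
    case SMC_MMIO_FAULT: rc = handle_mmio(vm, addr, forward); break;
    case SMC_DATA_ABORT: rc = handle_data_abort(vm, addr); break;
    default:             rc = -1; break;          /* unknown SMC: reject, change nothing */
    }
    vm->ctx = saved;                              /* restore the VM's context */
    vm->ctx.x[0] = (uint64_t)(int64_t)rc;         /* result returned in x0 */
    vm->ctx.pc += 4;                              /* resume after the SMC instruction */
    return rc;
}

int main(void)
{
    struct cvm vm;
    int forward = 0;
    memset(&vm, 0, sizeof vm);
    vm.mem_base = 0x80000000ULL;
    vm.mem_size = (uint64_t)PAGES << PAGE_SHIFT;
    vm.ctx.x[0] = SMC_PAGE_FAULT;                 /* guest reports a page fault at VA 0x3000 */
    vm.ctx.x[1] = 0x3000;
    vm.ctx.pc = 0x1000;
    printf("rc=%d pc=0x%llx pa=0x%llx\n", el3_handle_guest_smc(&vm, &forward),
           (unsigned long long)vm.ctx.pc, (unsigned long long)vm.stage1[3]);
    return 0;
}
```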
In some possible embodiments, the processing module 810 is further configured to run the first virtual machine manager under EL3 and perform one or any combination of the following operations: create, change or destroy the first-level page table of the first virtual machine, where the first-level page table of the first virtual machine maps the VA of the first virtual machine to the PA allocated to the first virtual machine in the computing device.
In some possible embodiments, the REE side includes a second virtual machine manager, a VirtIO front-end driver is deployed in the first virtual machine manager, a VirtIO back-end driver is deployed in the second virtual machine manager, a memory synchronization module is deployed in the first virtual machine manager, the TEE side includes a first memory for data transfer between the VirtIO front-end driver and the VirtIO back-end driver, the REE side includes a second memory, and the memory synchronization module holds the mapping relationship between the first memory and the second memory. The processing module 810 is configured to run the memory synchronization module to synchronize first data in the first memory to the second memory according to that mapping relationship, the first data being data that the VirtIO front-end driver needs to send to the VirtIO back-end driver; or to run the memory synchronization module to synchronize second data in the second memory to the first memory according to that mapping relationship, the second data being data from the VirtIO back-end driver that the VirtIO front-end driver needs to receive.
Specifically, for the implementation of the operations performed by the virtual machine implementation apparatus 800, refer to the description in the above method embodiment; for brevity, it is not repeated here.
Referring to FIG. 9, FIG. 9 is a schematic structural diagram of another computing device 300 provided by the present application. The computing device 300 includes a processor 310, a memory unit 320, a communication interface 330, a storage 340, an input device 350 and an output device 360, which may be interconnected by a bus 370, where:
the processor 310 can read the program code (including instructions) stored in the memory unit 320 and execute it, so that the computing device 300 performs the steps of the virtual machine implementation method provided by the above method embodiment.
The processor 310 may take various specific forms. For example, the processor 310 may be at least one central processing unit (CPU), such as CPU0 and CPU1 shown in FIG. 9; it may also be a graphics processing unit (GPU) or the like, and may be a single-core or multi-core processor. The processor 310 may be a combination of a CPU and a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof. The processor 310 may also be implemented solely by a logic device with built-in processing logic, such as an FPGA or a digital signal processor (DSP).
The memory unit 320 stores the kernel, the program code and the program data produced when the processor 310 executes the program code stored in the memory unit 320. The program code includes the code of the acquisition module 820 and the code of the processing module 810, etc.; the program data includes the user data, the configuration information of the first confidential virtual machine, the results obtained by the first confidential virtual machine processing the user data, etc.
The communication interface 330 may be a wired interface (for example an Ethernet interface, an optical fibre interface or another type of interface such as an InfiniBand (IB) interface) or a wireless interface (for example a cellular network interface or a wireless local area network interface) for communicating with other computing devices or apparatuses. When the communication interface 330 is a wired interface, it may use protocol families above the transmission control protocol/internet protocol (TCP/IP), such as the remote function call (RFC) protocol, the simple object access protocol (SOAP), the simple network management protocol (SNMP), the common object request broker architecture (CORBA) protocol, and distributed protocols.
The storage 340 may be a non-volatile memory, such as a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The storage 340 may also be a volatile memory, such as a random access memory (RAM) used as an external cache.
The input device 350 may include a mouse, a keyboard and the like. The user may input data or instructions to the computing device 300 through the input device 350, such as the above-mentioned data to be processed, the configuration information of the confidential virtual machine, the first management instruction and the second management instruction.
The output device 360 may include a display, through which the computing device 300 may present data to the user, such as the results of the confidential virtual machine processing the data to be processed, as described above. The display may be a cathode ray tube (CRT) display, a plasma display panel (PDP), a liquid crystal display (LCD) or the like. Taking an LCD as an example, the liquid crystal display includes a liquid crystal panel and a backlight module, where the liquid crystal panel includes a polarizing film, a glass substrate, a black matrix, a colour filter, a protective film, a common electrode, an alignment layer, a liquid crystal layer (liquid crystal, spacers, sealant), a capacitor, a display electrode, a prism layer and a diffusion layer. The backlight module includes an illumination light source, a reflector, a light guide plate, a diffuser, a brightness enhancement film (prism sheet), a frame and the like.
总线370可以是PCIE或扩展工业标准结构(extended industry standard architecture,简称EISA)总线等。上述总线370可以分为地址总线、数据总线、控制总线等。为便于表示,图9中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus 370 may be a PCIE or an extended industry standard architecture (EISA) bus, etc. The bus 370 may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, FIG9 only uses one thick line, but does not mean that there is only one bus or one type of bus.
It should be understood that the computing device 300 of the embodiments of the present application may correspond to the computing device that includes the virtual machine implementation apparatus 800 in the embodiments of the present application, and may correspond to the entity that executes the methods shown in FIG. 4A, FIG. 4B and FIG. 6 in the embodiments of the present application; the operations and/or functions of the modules in the computing device 300 are each intended to implement the corresponding procedures of the methods shown in FIG. 4A, FIG. 4B and FIG. 6, and for brevity they are not repeated here.
It should be understood that the computing device 300 is only one example provided by the embodiments of the present application; the computing device 300 may have more or fewer components than those shown in FIG. 9, may combine two or more components, or may have a different configuration of components.
The present application further provides a computer-readable storage medium storing instructions which, when executed, can implement some or all of the steps of the virtual machine implementation method described in the above embodiments.
The present application further provides a computer program product which, when read and executed by a computer, can implement some or all of the steps of the virtual machine implementation method described in the above method embodiments.
In the above embodiments, the description of each embodiment has its own emphasis; for parts that are not described in detail in one embodiment, reference may be made to the relevant descriptions of the other embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium, a semiconductor medium, or the like.
The above is only a specific implementation of the present application. Those skilled in the art may conceive of changes or substitutions based on the specific implementations provided by the present application, and all such changes and substitutions shall fall within the protection scope of the present application.
Claims (14)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310963299.XA CN119440714A (en) | 2023-07-31 | 2023-07-31 | Virtual machine implementation method, device and computer readable storage medium |
| CN202310963299.X | 2023-07-31 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025026051A1 true WO2025026051A1 (en) | 2025-02-06 |
Family
ID=94393743
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/105493 Pending WO2025026051A1 (en) | 2023-07-31 | 2024-07-15 | Implementation method and apparatus for virtual machine, and computer-readable storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN119440714A (en) |
| WO (1) | WO2025026051A1 (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20180102439A (en) * | 2017-03-07 | 2018-09-17 | 한국과학기술원 | Method and Apparatus for providing a private execution environment using ARM TrustZone |
| CN115016886A (en) * | 2021-12-31 | 2022-09-06 | 荣耀终端有限公司 | Service processing method and device |
| CN115344871A (en) * | 2022-08-17 | 2022-11-15 | 上海交通大学 | Confidential computing environment construction method and system based on ARM architecture |
| CN116502214A (en) * | 2023-04-21 | 2023-07-28 | 麒麟软件有限公司 | Virtual safety peripheral management and control method, system and medium based on trusted execution environment |
| CN116881987A (en) * | 2023-06-28 | 2023-10-13 | 华为技术有限公司 | Method and device for enabling PCIE equipment to pass through virtual machine and related equipment |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11550609B2 (en) * | 2020-01-16 | 2023-01-10 | Vmware, Inc. | Unified hypercall interface across processors in virtualized computing systems |
| CN112363797B (en) * | 2020-10-19 | 2022-04-05 | 海光信息技术股份有限公司 | Virtual machine safe operation method, electronic equipment and storage medium |
| CN116484438B (en) * | 2022-01-17 | 2024-07-02 | 荣耀终端有限公司 | Information processing method and device |
| CN115357334A (en) * | 2022-07-27 | 2022-11-18 | 阿里巴巴(中国)有限公司 | MMIO processing method and device |
- 2023
  - 2023-07-31 CN CN202310963299.XA patent/CN119440714A/en active Pending
- 2024
  - 2024-07-15 WO PCT/CN2024/105493 patent/WO2025026051A1/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN119440714A (en) | 2025-02-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10949247B2 (en) | | Systems and methods for auditing a virtual machine |
| US7950020B2 (en) | | Secure operating system switching |
| US8996864B2 (en) | | System for enabling multiple execution environments to share a device |
| US9575790B2 (en) | | Secure communication using a trusted virtual machine |
| US20140337558A1 (en) | | Mediating communication of a universal serial bus device |
| US10108800B1 (en) | | ARM processor-based hardware enforcement of providing separate operating system environments for mobile devices with capability to employ different switching methods |
| US11200350B2 (en) | | Method and apparatus for trusted display on untrusted computing platforms to secure applications |
| CN101876954B (en) | | Virtual machine control system and working method thereof |
| CN111949369B (en) | | Method and system for building a trusted execution environment for graphics processors |
| WO2025002060A1 (en) | | Method and apparatus for pcie device to pass through to virtual machine, and related device |
| CN114707140A (en) | | Kernel architecture based on PKS system |
| CN118036012A (en) | | A trusted execution environment design method and system based on virtual machine manager |
| WO2025026051A1 (en) | | Implementation method and apparatus for virtual machine, and computer-readable storage medium |
| CN119149163B (en) | | Data processing method, device and computer readable storage medium |
| WO2024217281A1 (en) | | Data processing method and apparatus, and computer-readable storage medium |
| CN105740044A (en) | | Method for reducing trusted computing base of host virtual software |
| KR102833142B1 (en) | | Dynamic kernel module protection method of mobile device and system using the same |
| Chen et al. | | DScope: To Reliably and Securely Acquire Live Data from Kernel-Compromised ARM Devices |
| Danisevskis | | Accelerated secure GUI for virtualized mobile handsets |
| Mallachiev et al. | | Protecting Applications from Highly Privileged Malware Using Bare-metal Hypervisor |
| HK1254084B (en) | | System and methods for auditing a virtual machine |
| Martin | | Attacking disk storage using hypervisor-based malware |
| Wang et al. | | SoK: Analysis of Accelerator TEE Designs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24848010; Country of ref document: EP; Kind code of ref document: A1 |