
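A Construction Mechanism for a Virtual Root of Trust for Reporting Suitable for Cloud Computing
Cite this article: HUANG Qiang, KONG Zhiyin, ZHANG Dehua, CHANG Le. A construction mechanism for a virtual root of trust for reporting suitable for cloud computing [J]. Journal of Sichuan University (Engineering Science Edition), 2017, 49(2): 140-144.
Authors: HUANG Qiang, KONG Zhiyin, ZHANG Dehua, CHANG Le
Affiliations: Key Laboratory of Information Assurance Technology, Beijing 100072; Key Laboratory of Information Assurance Technology, Beijing 100072; Key Laboratory of Information Assurance Technology, Beijing 100072; Key Laboratory of Information Assurance Technology, Beijing 100072
Funding: Supported by the National Defense Key Pre-Research Project (10502)
Abstract: Trusted computing technology can provide cloud computing infrastructure with a trustworthy state and the means to verify it. However, trusted reporting, a basic function of a trusted platform, is implemented quite differently in a cloud environment than on an ordinary host, and there is still no general, mature scheme for building a virtual root of trust for reporting, which will affect the application of trusted technologies such as remote attestation in cloud environments. To build a trusted computing architecture suitable for cloud computing, and to solve the problems of providing each virtual machine with a unique identity and of reflecting a unified integrity state of the virtual machine and its physical host, it is made clear that each virtual machine should have its own independent key-based identity, and that sensitive information belonging to the virtual machine, such as platform configuration register (PCR) values, must be protected and migratable to meet the needs of virtual machine migration. Further analysis shows that the integrity state of a virtual machine should comprise both the virtual machine integrity state and the physical platform integrity state, each expressed as PCR values. On this basis, under the model precondition of centralized management of virtualized and non-virtualized trusted computing platforms, the concept of the attestation identity key (AIK) proposed in the Trusted Computing Group (TCG) specifications is extended, and a trusted reporting model is proposed that uses a virtual AIK as the virtual machine's identity and generates for each virtual machine a PCR value formed by concatenating the boot PCR value of its actual physical platform with the virtual PCR value of the virtual machine's boot. The corresponding virtual PCR value replication mechanism, integrity reporting mechanism, and virtual machine sensitive data management mechanism are designed and compared with the methods in the TCG specifications. While remaining compatible with the traditional AIK verification mechanism, this mechanism can produce an independent identity for each virtual machine and, in proving its own integrity state to the verifier, simplifies the verification procedure for virtual machines.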

Keywords: trusted computing; virtualization; certificate; remote attestation
Received: 2016/9/19 0:00:00
Revised: 2017/1/3 0:00:00

Construction Mechanism of Virtual Root of Trust for Report in Cloud
HUANG Qiang, KONG Zhiyin, ZHANG Dehua and CHANG Le. Construction Mechanism of Virtual Root of Trust for Report in Cloud [J]. Journal of Sichuan University (Engineering Science Edition), 2017, 49(2): 140-144.
Authors: HUANG Qiang, KONG Zhiyin, ZHANG Dehua and CHANG Le
Affiliation: Info. Assurance Technology Laboratory, Beijing 100072, China; Info. Assurance Technology Laboratory, Beijing 100072, China; Info. Assurance Technology Laboratory, Beijing 100072, China; Info. Assurance Technology Laboratory, Beijing 100072, China
Abstract: Trusted computing technology can provide a trustworthy state and a corresponding verification method for cloud infrastructure. The first step in building a trusted computing architecture is to build the root of trust. The problem of building a root of trust for report was not well solved in virtual trusted computing platforms because of the differences between a virtual machine and an ordinary host. No universal and proven solution was developed, which affects the application of trusted computing technology, such as attestation, in cloud environments. In this paper, by analyzing related work, it was concluded that an independent identity based on an asymmetric key for each VM, as well as protected and migratable storage of sensitive data such as platform configuration register (PCR) values and keys used in a VM, were all required for constructing a trusted computing architecture in cloud infrastructure. Furthermore, the integrity state of a VM reported with PCR should consist of both the physical PCR value resulting from the physical boot procedure and the virtual PCR value recording the VM software boot procedure. Under the assumption of centralized, unified management of virtualized and non-virtualized trusted computing platforms, a model for building a root of trust for report with a virtual attestation identity key (AIK) as a virtual machine's identity was proposed. It can maintain a set of individual combined virtual and physical PCR values for each VM. Then the verification procedures by which a virtual trusted computing platform identifies itself with a VAIK and reports its unique integrity state with VPCR to verifiers, including attestation challengers, were proposed to support this model. Finally, it was compared with the TCG specification's method from several different management dimensions. Our model can build an unambiguous identity for each VM. Meanwhile, it can reduce the complexity of the VM verification procedure and keep compatibility with the ordinary AIK verification mechanism.
Keywords: trusted computing; virtualization; credential; attestation