CN110659509A

Movatterモバイル変換

Info

Publication number: CN110659509A
Application number: CN201910809586.9A
Authority: CN
Inventors: 韩春超
Original assignee: Beijing Inspur Data Technology Co Ltd
Current assignee: Beijing Inspur Data Technology Co Ltd
Priority date: 2019-08-29
Filing date: 2019-08-29
Publication date: 2020-01-07
Anticipated expiration: 2039-08-29
Also published as: CN110659509B

Abstract

The application discloses a method for generating a memory snapshot file, which aims to improve the security of the memory information of vTPM equipment contained in the memory snapshot file. The method only encrypts the memory information of the vTPM equipment, not only ensures the security of the memory information of the vTPM equipment, but also has the advantages of high encryption and decryption speed, short time consumption and high efficiency due to small data volume. The application also discloses a device for generating the memory snapshot file, the electronic equipment and a computer readable storage medium, and the beneficial effects are achieved.

Description

Memory snapshot file generation method and device, electronic equipment and medium

Technical Field

The present application relates to the field of virtual machine recovery technologies, and in particular, to a method and an apparatus for generating a memory snapshot file, an electronic device, and a computer-readable storage medium.

Background

In the computer field, TPM standards refer to the relevant standards and specifications of Trusted computers established by the Trusted Computing Group (TCG).

On physical devices, usually a TPM chip (also called a security chip) is provided, and a chip conforming to the TPM standard must first have a function of generating an encryption/decryption key, and must also be capable of performing high-speed data encryption and decryption, and serve as an auxiliary processor for protecting a BIOS and an operating system from being modified. It can be seen that the information stored in the TPM chip is the basis for providing high security to the computer device where the TPM chip is located, which is very important.

In a virtual machine constructed based on a virtualization technology, a virtualized TPM chip is generally referred to as a vTPM device (i.e., a virtual TPM device). Because the virtual machine often needs to be destroyed and rebuilt, when the hardware device corresponding to the virtual machine is abnormally powered off, the previous virtual machine also often needs to be restored, so as to continue to process data in the previous running state. In order to achieve the purpose, a memory snapshot file is created according to the memory information of the virtual machine, and the memory snapshot file is generated according to the memory information of the current virtual machine during operation.

In the prior art, data in the memory snapshot file usually exists in a plaintext form, and since the memory snapshot file contains memory information of the vTPM device, once the memory snapshot file leaks, the memory information of the vTPM device leaks, which means that the security mechanism of the virtual machine is exposed to others.

Therefore, in view of the above-mentioned drawbacks of the prior art, a problem to be solved by those skilled in the art is to provide a mechanism for generating a memory snapshot file that can prevent specific contents in the memory information of the vTPM device from being leaked.

Disclosure of Invention

The application provides a method and a device for generating a memory snapshot file, electronic equipment and a computer readable storage medium, and aims to improve the security of the memory information of vTPM equipment contained in the memory snapshot file.

In order to achieve the above object, the present application provides a method for generating a memory snapshot file, including:

extracting vTPM equipment memory information from the full memory information of the virtual machine;

encrypting the internal memory information of the vTPM equipment to obtain encrypted vTPM internal memory information;

and generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information so as to recover the virtual machine according to the memory snapshot file.

Optionally, extracting the internal memory information of the vTPM device from the full internal memory information of the virtual machine includes:

acquiring the full memory information of the virtual machine;

positioning a vTPM equipment running process from the full amount of memory information by using a preset vTPM function;

and obtaining the memory information of the vTPM equipment according to the running process of the vTPM equipment.

Optionally, restoring the virtual machine according to the memory snapshot file includes:

creating a new virtual machine;

writing part of memory information in the memory snapshot file except the encrypted vTPM memory information into the memory of the new virtual machine;

decrypting the encrypted vTPM memory information to obtain the vTPM equipment memory information;

and writing the internal memory information of the vTPM equipment into the internal memory of the new virtual machine to obtain the new virtual machine with the same internal memory information as the virtual machine.

Optionally, encrypting the internal memory information of the vTPM device to obtain encrypted internal memory information of the vTPM device includes:

encrypting a preset password to obtain an encryption key;

and encrypting the internal memory information of the vTPM equipment by using the encryption key to obtain the encrypted vTPM internal memory information.

Optionally, the method for generating the memory snapshot file further includes:

recording the length of the memory information of the vTPM equipment as a first length;

recording the length of the encrypted vTPM memory information as a second length;

correspondingly, generating the memory snapshot file of the virtual machine according to the encrypted vTPM memory information includes:

and generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information, the first length and the second length.

In order to achieve the above object, the present application further provides a device for generating a memory snapshot file, where the device includes:

the vTPM equipment memory information acquisition unit is used for extracting vTPM equipment memory information from the full memory information of the virtual machine;

the encryption unit is used for encrypting the internal memory information of the vTPM equipment to obtain encrypted vTPM internal memory information;

and the memory snapshot file generating unit is used for generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information so as to recover the virtual machine according to the memory snapshot file.

Optionally, the vTPM device memory information obtaining unit includes:

a full memory information obtaining subunit, configured to obtain full memory information of the virtual machine;

the process positioning subunit is used for positioning the running process of the vTPM equipment from the full amount of memory information by using a preset vTPM function;

and the vTPM equipment memory information acquisition subunit is used for acquiring the vTPM equipment memory information according to the vTPM equipment running process.

Optionally, the apparatus for generating a memory snapshot file further includes:

the virtual machine recovery unit is used for recovering the virtual machine according to the memory snapshot file;

the virtual machine recovery unit includes:

the new virtual machine creating subunit is used for creating a new virtual machine;

a common memory information writing subunit, configured to write part of the memory information in the memory snapshot file, except for the encrypted vTPM memory information, into the memory of the new virtual machine;

the encrypted vTPM memory information decryption subunit is used for decrypting the encrypted vTPM memory information to obtain the vTPM equipment memory information;

and the vTPM equipment memory information writing subunit is used for writing the vTPM equipment memory information into the memory of the new virtual machine to obtain the new virtual machine with the same memory information as the virtual machine.

Optionally, the encryption unit includes:

the encryption key generation subunit is used for encrypting the preset password to obtain an encryption key;

and the key encryption subunit is used for encrypting the internal memory information of the vTPM equipment by using the encryption key to obtain the encrypted vTPM internal memory information.

the length recording unit before encryption is used for recording the length of the internal memory information of the vTPM equipment as a first length;

the encrypted length recording unit is used for recording the length of the encrypted vTPM memory information as a second length;

correspondingly, the memory snapshot file generating unit includes:

and the memory snapshot file generating subunit is configured to generate a memory snapshot file of the virtual machine according to the encrypted vTPM memory information, the first length, and the second length.

To achieve the above object, the present application also provides an electronic device, including:

a memory for storing a computer program;

and the processor is configured to implement the method for generating the memory snapshot file as described in the foregoing content when executing the computer program.

To achieve the above object, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method for generating the memory snapshot file as described above.

The method for generating the memory snapshot file comprises the following steps: extracting vTPM equipment memory information from the full memory information of the virtual machine; encrypting the internal memory information of the vTPM equipment to obtain encrypted vTPM internal memory information; and generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information so as to recover the virtual machine according to the memory snapshot file.

According to the scheme, in order to improve the security of the internal memory information of the vTPM device contained in the internal memory snapshot file, after the internal memory information of the vTPM device is separated from the full internal memory information, only the internal memory information of the vTPM device is encrypted, and the internal memory snapshot file is generated based on the obtained encrypted vTPM internal memory information, namely the internal memory information of the vTPM device exists in the internal memory snapshot file in a ciphertext mode. The method only encrypts the memory information of the vTPM equipment, not only ensures the security of the memory information of the vTPM equipment, but also has the advantages of high encryption and decryption speed, short time consumption and high efficiency due to small data volume.

The application also provides a device for generating the memory snapshot file, the electronic device and a computer readable storage medium, which have the beneficial effects and are not described herein again.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.

Fig. 1 is a flowchart of a method for generating a memory snapshot file according to an embodiment of the present application;

fig. 2 is a flowchart of a method for extracting internal memory information of a vTPM device from full internal memory information in a method for generating an internal memory snapshot file according to an embodiment of the present application;

fig. 3 is a flowchart of a method for restoring a virtual machine according to a memory snapshot file according to an embodiment of the present application;

fig. 4 is a block diagram of a structure of a device for generating a memory snapshot file according to an embodiment of the present application.

Detailed Description

The core of the application is to provide a method for generating a memory snapshot file, which aims to improve the security of the memory information of the vTPM device contained in the memory snapshot file.

In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.

Referring to fig. 1, fig. 1 is a flowchart of a method for generating a memory snapshot file according to an embodiment of the present application, including the following steps:

s101: extracting vTPM equipment memory information from the full memory information of the virtual machine;

in order to generate the memory snapshot file for restoring the original virtual machine, the memory information of the original virtual machine needs to be acquired first, because the memory snapshot file is obtained by integrating the total memory information of the virtual machine at a certain moment.

The step aims to improve the security of the vTPM equipment memory information in the total memory information in a targeted manner, so that key data such as a key stored in the vTPM equipment memory information can not be stolen due to the leakage of a memory snapshot file, and further the damage to a virtual machine security mechanism is prevented.

The full memory information refers to information of all running applications and programs when the virtual machine runs, and the applications and programs run in the memory. Therefore, the full amount of memory information includes various information, including not only the vTPM device memory information, but also some information such as user personal information and some other irrelevant information.

Compared with other memory information, the memory information of the vTPM equipment, which is used for enabling the virtual machine to have high security, is undoubtedly more important, so that in order to prevent the leakage of the part of information or the acquisition of the part of information by other people, the security of the memory information of the vTPM equipment is only purposefully processed, and the security of the memory information of the vTPM equipment is not fully processed. It should be understood that, regardless of the kind of the memory information, the difficulty of processing the whole memory information is significantly less than that of processing the specific memory information, but it will take more time and occupy more storage space to process more memory information.

For ease of understanding, the following are illustrated:

assuming that there are 10 different types of memory information in the current memory of the virtual machine, the vTPM device memory information is only one of the 10 types, the total size of the total memory information is 500MB, and the vTPM device memory information is only 50 KB. If the operation of improving the security is directly performed on the whole amount of memory information, the memory information with the size of 500MB needs to be processed; if only the security of the key internal memory information of the vTPM device is improved, only the internal memory information with the size of 50KB needs to be processed, but a step of finding the internal memory information of the vTPM device from the 10 types of internal memory information needs to be additionally added. In practical situations, although a step of determining the internal memory information of the vTPM device is additionally added, compared with a mode of processing the whole amount of internal memory information, time consumption and occupied storage space can be greatly reduced, and efficiency is improved.

Specifically, how to extract the internal memory information of the vTPM device from the full amount of internal memory information may be performed in various ways, for example, the internal memory information may be located by a character string feature that different types of internal memory information have alone, and may also be extracted in a targeted manner by locating a process in which the vTPM device operates, and even may also set a fixed internal memory storage address for the internal memory information of the vTPM device in advance, so as to facilitate direct extraction from the fixed internal memory storage address, and may also be implemented by customizing some location functions, and the like, which is not specifically limited herein.

For convenience of understanding, an implementation manner of extracting internal memory information of the vTPM device by means of a positioning process is provided, please refer to a flowchart shown in fig. 2:

s201: acquiring the full memory information of the virtual machine;

s202: positioning a vTPM equipment running process from the full amount of memory information by using a preset vTPM function;

the preset vTPM function is a user-defined function, the function of the function is to position the running process of the vTPM equipment according to preset specific keywords or paths, specific parameters can be automatically adjusted according to actual application scenes, and the method is not specifically limited here.

S203: and obtaining the memory information of the vTPM equipment according to the running process of the vTPM equipment.

S102: encrypting the memory information of the vTPM equipment to obtain encrypted vTPM memory information;

on the basis of S101, this step is intended to encrypt the extracted vTPM device memory information to obtain encrypted vTPM memory information existing in a ciphertext form. Specifically, the security is improved by encrypting plaintext data to express the plaintext data as ciphertext.

Specifically, the encryption mode is various, as long as the generated encrypted vTPM memory information can hide the key data therein, and the other key point is that the obtained encrypted vTPM memory information should be reversibly replied to the vTPM device memory information, so as to ensure that a consistent virtual machine is obtained after the memory snapshot file is restored. The specific encryption method may be a symmetric or asymmetric encryption algorithm, or may be another specific encryption algorithm with similar or same function, which is not limited herein.

One implementation, including but not limited to, is:

encrypting a preset password to obtain an encryption key;

and encrypting the internal memory information of the vTPM equipment by using the encryption key to obtain the encrypted internal memory information of the vTPM.

It can be seen that the storage information of the vTPM device is encrypted based on the encryption key, and the essence of the encryption key is the preset password, so as to prevent the plaintext of the preset key from appearing in the storage snapshot file, and therefore, the encryption key is encrypted to also appear in the storage snapshot file in the form of the ciphertext.

Further, since the lengths of the internal memory information of the vTPM device before encryption and the encrypted internal memory information of the encrypted vTPM device may not be consistent (the side lengths may possibly be shortened according to different lengths of the encryption algorithms), in order to prevent that the encrypted internal memory information of the encrypted vTPM device cannot be restored to the original length when some encryption and decryption algorithms are selected, the lengths before and after encryption may also be recorded, and the length information and the encrypted internal memory information of the vTPM device are generated into an internal memory snapshot file in subsequent steps, so as to verify whether correct restoration is performed during decryption and restoration.

The specific implementation mode can be as follows:

and recording the length of the encrypted vTPM memory information as a second length.

S103: and generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information so as to recover the virtual machine according to the memory snapshot file.

On the basis of S102, this step is intended to generate a memory snapshot file of the virtual machine according to the obtained encrypted vTPM memory information, that is, generate the memory snapshot file according to the encrypted vTPM memory information and other memory information except for the vTPM device memory information in the full amount of memory information. It can be seen that, of the various types of memory information included in the memory snapshot file, only the memory information of the vTPM device exists in a ciphertext form, and other memory information that has little influence on the security of the virtual machine still exists in a plaintext state. Based on the characteristics of the vTPM device, the data stored in the vTPM device is critical but the data volume is not large, so that the security of the memory snapshot file can be greatly improved only by consuming a short encryption time.

Correspondingly, when the first length and the second length (i.e. two lengths before and after encryption) are recorded in S102, the two parameters are also required to be added for verifying the recovery effect of decryption when the memory snapshot file is generated.

The generated memory snapshot file is used for restoring the virtual machine, and a specific implementation manner for restoring the virtual machine according to the memory snapshot file is further provided here, please refer to the flowchart shown in fig. 3:

s301: creating a new virtual machine;

s302: writing part of memory information in the memory snapshot file except the encrypted vTPM memory information into the memory of the new virtual machine;

s303: decrypting and encrypting the vTPM memory information to obtain vTPM equipment memory information;

s304: and writing the memory information of the vTPM equipment into the memory of the new virtual machine to obtain the new virtual machine with the same memory information as the virtual machine.

According to the steps, the virtual machine recovery according to the memory snapshot file is essentially an operation of writing the memory information contained in the memory snapshot file into the memory of the new virtual machine, so that the scheme divides the memory information forming the memory snapshot file into two categories according to the influence on the security, namely the memory information of the vTPM device and the common memory information, and the memory information of the vTPM device exists in a ciphertext form, so that the memory information needs to be decrypted firstly during writing so as to be written into the memory of the new virtual machine after being restored into a plaintext.

In order to improve the security of the internal memory information of the vTPM device included in the internal memory snapshot file, in this embodiment, after the internal memory information of the vTPM device is separated from the full amount of internal memory information, only the internal memory information of the vTPM device is encrypted, and the internal memory snapshot file is generated based on the obtained encrypted internal memory information of the vTPM device, that is, the internal memory information of the vTPM device exists in the internal memory snapshot file in a ciphertext form. The method only encrypts the memory information of the vTPM equipment, not only ensures the security of the memory information of the vTPM equipment, but also has the advantages of high encryption and decryption speed, short time consumption and high efficiency due to small data volume.

In order to facilitate understanding of the present solution, specific application scenarios (a virtualized environment provided by qemu, which is an open source simulator and can simulate and implement a real computer environment) are also combined here, and specific implementation manners of the present solution are described from an encryption process and a decryption process, respectively:

encryption process (i.e. memory snapshot file generation process):

(1) before creating a memory snapshot file of a virtual machine, firstly, a key for encrypting memory information of vTPM equipment needs to be created, and in order to ensure confidentiality, the key needs to be encrypted to obtain an encryption key;

(2) when a memory snapshot file is created, transmitting the encrypted key to a virtual machine memory snapshot creating command of qemu;

(3) qemu obtains the plaintext content of the memory information of vTPM equipment in the process of creating a memory snapshot file;

(4) the qemu decrypts the transmitted encryption key according to an agreed decryption mode;

(5) qemu uses the decrypted key to encrypt the plaintext memory information of the vTPM equipment by using a symmetric encryption algorithm, so as to obtain encrypted vTPM memory information. Because the character lengths before and after encryption may be different, the lengths of a plaintext and a ciphertext before and after encryption need to be recorded at the same time;

(6) qemu creates a memory snapshot file according to other memory information of the encrypted vTPM memory information virtual machine.

Decryption process (i.e. virtual machine recovery process):

(1) when the same virtual machine is restored by using the memory snapshot file, transmitting the key to qemu;

(2) qemu executes a command to restore the virtual machine;

(3) qemu finds the encrypted vTPM memory information from the memory snapshot file;

(4) the qemu decrypts the encrypted vTPM memory information by using the transmitted key to obtain the vTPM equipment memory information of a plaintext;

(5) qemu loads the internal memory information of vTPM equipment and other internal memory information in the internal memory snapshot file into the internal memory of the newly created virtual machine one by one, so as to obtain the recovered virtual machine.

Because the situation is complicated and cannot be illustrated by a list, a person skilled in the art can realize that many examples exist according to the basic method principle provided by the application and the practical situation, and the protection scope of the application should be protected without enough inventive work.

Referring to fig. 4, fig. 4 is a block diagram illustrating a structure of a device for generating a memory snapshot file according to an embodiment of the present application, where the device may include:

a vTPM device memoryinformation obtaining unit 100, configured to extract vTPM device memory information from the full amount of memory information of the virtual machine;

theencryption unit 200 is configured to encrypt the internal memory information of the vTPM device to obtain encrypted vTPM internal memory information;

the memory snapshotfile generating unit 300 is configured to generate a memory snapshot file of the virtual machine according to the encrypted vTPM memory information, so as to restore the virtual machine according to the memory snapshot file.

The vTPM device memoryinformation obtaining unit 100 may include:

the system comprises a full memory information acquisition subunit, a full memory information acquisition subunit and a full memory information acquisition subunit, wherein the full memory information acquisition subunit is used for acquiring full memory information of the virtual machine;

the process positioning subunit is used for positioning the running process of the vTPM equipment from the full-amount memory information by using a preset vTPM function;

Further, the apparatus for generating the memory snapshot file may further include:

wherein, the virtual machine recovery unit may include:

the common memory information writing subunit is used for writing part of memory information in the memory snapshot file, except for the encrypted vTPM memory information, into the memory of the new virtual machine;

the encrypted vTPM memory information decryption subunit is used for decrypting the encrypted vTPM memory information to obtain vTPM equipment memory information;

Theencryption unit 200 may include:

and the key encryption subunit is used for encrypting the internal memory information of the vTPM equipment by using the encryption key to obtain the encrypted internal memory information of the vTPM.

the length recording unit before encryption is used for recording the length of the memory information of the vTPM equipment as a first length;

correspondingly, the memory snapshotfile generating unit 300 may include:

and the memory snapshot file generating subunit is used for generating a memory snapshot file of the virtual machine according to the encrypted vTPM memory information, the first length and the second length.

The present embodiment exists as a product embodiment corresponding to the above method embodiment, and has all the advantages of the method embodiment, which are not described in detail herein.

Based on the foregoing embodiments, the present application further provides an electronic device, a memory of the electronic device, and a processor, where the memory stores a computer program, and the processor calls the computer program in the memory to implement the steps provided by the foregoing embodiments. Of course, the electronic device may also include various necessary network interfaces, power supplies, other components, and the like.

The present application also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by an execution terminal or processor, can implement the steps provided by the above-mentioned embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.

The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.

Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It will be apparent to those skilled in the art that various changes and modifications can be made in the present invention without departing from the principles of the invention, and these changes and modifications also fall within the scope of the claims of the present application.

It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims

1. A method for generating a memory snapshot file is characterized by comprising the following steps:

2. The generation method according to claim 1, wherein extracting vTPM device memory information from the full memory information of the virtual machine includes:

acquiring the full memory information of the virtual machine;

3. The method according to claim 1, wherein restoring the virtual machine according to the memory snapshot file comprises:

creating a new virtual machine;

4. The generation method according to any one of claims 1 to 3, wherein encrypting the vTPM device memory information to obtain encrypted vTPM memory information includes:

encrypting a preset password to obtain an encryption key;

5. The generation method according to claim 4, further comprising:

6. An apparatus for generating a memory snapshot file, comprising:

7. The generation apparatus according to claim 6, wherein the vTPM device memory information acquisition unit includes:

8. The generation apparatus according to claim 6, wherein the encryption unit includes:

9. An electronic device, comprising:

a memory for storing a computer program;

a processor, configured to implement the method for generating the memory snapshot file according to any one of claims 1 to 5 when executing the computer program.

10. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method for generating a memory snapshot file according to any one of claims 1 to 5.