CPC G06F 9/45558 (2013.01) [G06F 8/65 (2013.01); G06F 21/51 (2013.01); G06F 21/53 (2013.01); G06F 21/57 (2013.01); H04L 9/0825 (2013.01); H04L 9/0836 (2013.01); H04L 9/3247 (2013.01); H04L 9/3268 (2013.01); H04L 9/50 (2022.05); G06F 8/63 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01)] | 11 Claims
1. A container platform-oriented trusted software authorization and verification system, comprising
a public key infrastructure builder, a container image identity builder, a signature list builder, a container image verifier, a signature list and user certificates loader, and a container program verifier, wherein the public key infrastructure builder is configured to build a public key infrastructure, and issue a user certificate-key pair for each user according to different application scenarios;
the container image identity builder is configured to generate, from an original container image, container images that have the same function as the original container and that carry identities, using a digital signature algorithm and the user certificate-key pair, and to push the container images to a container image repository for use, wherein each identity comprises a user certificate and an original container image signature generated with the user's private key; subsequently, a container platform pulls the container images from the container image repository to start a container;
the signature list builder is configured to generate a signature list for the container images using a digital signature algorithm and the user certificate-key pair and upload the signature list to the container platform; the signature list containing programs capable of being run by the container based on a container image;
the container image verifier is configured to verify the identity of the container image to ensure the trustworthiness of the container image when the container is created; and suspend a creation process of the container when the verification fails;
the signature list and user certificates loader is configured to load the signature list for the container image and a user certificate of an image producer into an operating system kernel, for verification of programs inside the container, when the container is started; and the container program verifier is configured to verify programs inside the container based on the loaded signature list and user certificate after the programs capable of being run by the container based on the container image are loaded and before the programs run, and to suspend the running of the programs when the verification fails;
wherein the signature list and user certificates loader is further configured to:
load the signature list and certificate only when the verification of the container image passes, before any of the programs in the container run when the container is started, wherein the startup of the container occurs after the container is created;
load both the signature list and the certificate from user space into kernel space, writing them through a file system; when data are loaded using the file system, the data write points are placed in a directory that only the host may access, so that the signature list or certificate cannot be tampered with by malware in the container; and
write the signature list and certificate prior to converting a host file system to a container file system.
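As an added illustration of the two verification steps the claim describes (image identity at creation, per-program check before run), not code from the patent: this Go example assumes Ed25519 as the digital signature algorithm, a raw public key standing in for the user certificate, an in-memory map as the signature list, and constructed sample image and program bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignatureList maps each program path inside the container to the image
// producer's signature over the SHA-256 digest of that program's contents.
type SignatureList map[string][]byte

// BuildSignatureList is the producer-side step: sign every program the image
// is allowed to run, so the kernel-side verifier can later check each one.
func BuildSignatureList(priv ed25519.PrivateKey, programs map[string][]byte) SignatureList {
	list := SignatureList{}
	for path, content := range programs {
		sum := sha256.Sum256(content)
		list[path] = ed25519.Sign(priv, sum[:])
	}
	return list
}

// VerifyImage checks the image identity (producer signature over the image
// digest) at container creation; a false result means creation is suspended.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	sum := sha256.Sum256(image)
	return ed25519.Verify(pub, sum[:], sig)
}

// VerifyProgram is the check applied after a program is loaded and before it
// runs: a program that is unlisted or whose bytes changed is refused.
func VerifyProgram(pub ed25519.PublicKey, list SignatureList, path string, content []byte) bool {
	sig, ok := list[path]
	if !ok {
		return false
	}
	sum := sha256.Sum256(content)
	return ed25519.Verify(pub, sum[:], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the user certificate-key pair
	image := []byte("constructed image bytes")       // constructed sample image
	imgSum := sha256.Sum256(image)
	programs := map[string][]byte{"/usr/bin/app": []byte("#!/bin/sh\necho app")} // constructed
	list := BuildSignatureList(priv, programs)
	fmt.Println("image:", VerifyImage(pub, image, ed25519.Sign(priv, imgSum[:])))
	fmt.Println("program:", VerifyProgram(pub, list, "/usr/bin/app", programs["/usr/bin/app"]))
	fmt.Println("tampered:", VerifyProgram(pub, list, "/usr/bin/app", []byte("#!/bin/sh\necho tampered")))
}
```

The host-only write directory and the user-to-kernel load path in the claim are not modelled here; the example covers only the signature checks themselves.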