CPC G06F 9/45558 (2013.01) [G06F 2009/45587 (2013.01)]; 12 Claims

1. A novel method of measuring a confidential computing application layer, which comprises a confidential computing virtual machine, wherein a trigger module is deployed in an underlying component in which the confidential computing virtual machine is capable of being measured, and the confidential computing application layer based on a virtual machine level is measured by the following steps:
starting and loading, by the confidential computing virtual machine, the underlying component;
measuring the trigger module for a native chip-level trusted measurement of the underlying component in which the trigger module is deployed based on confidential computing;
triggering a user-mode application by using the trigger module and carrying out a trusted measurement on the user-mode application to obtain one or more trusted measurement values M, wherein carrying out the trusted measurement on the user-mode application by the trigger module comprises static measurement and/or dynamic measurement;
providing the trusted measurement values M signed at a chip level to a remote user, so that the remote user carries out trusted verification on the user-mode application;
the trusted measurement values M are provided to the remote user by the following steps:
generating, by the trigger module, a chip-level report which is signed at the chip level and comprises an underlying measurement value obtained by measuring the underlying component, the trusted measurement values M, and public key information P of remote attestation security connection to be established by triggering a confidential computing native Application Programming Interface (API);
providing the chip-level report to the remote user, so that the remote user carries out trusted verification on the user-mode application, and a secure connection with the user-mode application and the trigger module is established based on P after the trusted verification passes;
the static measurement measures an application file of the user-mode application before the user-mode application is started, and triggers the start of the user-mode application after the measurement verification of the user-mode application passes;
the dynamic measurement measures various parameters of the user-mode application at different times in an operating state of the user-mode application after the user-mode application is started;
wherein during the static measurement,
after the remote user passes the trusted verification of the user-mode application based on a measurement result, secret data S of original data needed by the user-mode application is transmitted to the trigger module through the secure connection, and
the trigger module triggers the start of the corresponding user-mode application after receiving the secret data S, and transmits the secret data S to the user-mode application in the form of parameters, so that the user-mode application uses the required original data; and
the triggering of the user-mode application by using the trigger module further comprises:
if the user-mode application to be started is pre-installed in the confidential computing virtual machine, measuring, by the trigger module, the application file of the user-mode application;
if the user-mode application to be started is not pre-installed in the confidential computing virtual machine, pulling, by the trigger module, an application according to specified parameters and measuring the pulled application by measuring the application file of the user-mode application or parsing and measuring a configuration file corresponding to the application.
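The report generation, remote verification and secure-connection steps of the claim, as an added Go example that is not part of the patent: ed25519 stands in for the chip-level signing key and X25519 for the connection key P, and the reference measurement values are constructed, since the page specifies none of these.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Report is the chip-level report of the claim: both measurements and P under one chip signature.
type Report struct {
	Underlying [32]byte // measurement of the underlying component hosting the trigger module
	M          [32]byte // trusted measurement value of the user-mode application
	P          []byte   // X25519 public key of the secure connection to be established
	Sig        []byte   // chip-level signature over Underlying || M || P
}

func (r *Report) signedBytes() []byte {
	return append(append(append([]byte{}, r.Underlying[:]...), r.M[:]...), r.P...)
}

// BuildReport is the trigger-module side: static measurement M = SHA-256 of the application
// file, a fresh connection key pair, and a report signed with chipKey (hypothetical stand-in).
func BuildReport(chipKey ed25519.PrivateKey, underlying [32]byte, appFile []byte) (*Report, *ecdh.PrivateKey, error) {
	connKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	r := &Report{Underlying: underlying, M: sha256.Sum256(appFile), P: connKey.PublicKey().Bytes()}
	r.Sig = ed25519.Sign(chipKey, r.signedBytes())
	return r, connKey, nil
}

// VerifyReport is the remote-user side: chip signature first, then both measurements; P is trusted only if all pass.
func VerifyReport(chipPub ed25519.PublicKey, r *Report, refUnderlying, refM [32]byte) (*ecdh.PublicKey, error) {
	if !ed25519.Verify(chipPub, r.signedBytes(), r.Sig) {
		return nil, errors.New("chip-level signature invalid")
	}
	if r.Underlying != refUnderlying || r.M != refM {
		return nil, errors.New("measurement does not match reference values")
	}
	return ecdh.X25519().NewPublicKey(r.P)
}

// SessionKey derives the secure-connection key; remote user (from verified P) and trigger module agree on it.
func SessionKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) ([32]byte, error) {
	shared, err := mine.ECDH(theirs)
	return sha256.Sum256(shared), err
}
```

Because P is inside the signed report, a report whose P has been swapped fails the signature check, which is what lets the secret data S be sent only to the measured instance over the connection derived from P.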