Disclosure of Invention
The application aims to provide a virtual machine management method, a device, a target device and a server, for solving the following problems of the conventional scheme in which trusted computing capability is provided to a virtual machine through a vTPM: the vTPM occupies additional resources of the physical host where the virtual machine main process runs, the security of the vTPM is poor, and the migration process of the virtual machine is complex.
To achieve the above object, an embodiment of the present application provides a virtual machine management method applied to a first target device carrying a vTPM process, the method comprising:
receiving first request information sent by a first server;
creating a first vTPM process and obtaining first information according to the first request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by a second target device and the first vTPM process;
and sending the first information to the first server.
Optionally, the first information relates to the first vTPM process, the first information comprising at least one of:
an Internet Protocol (IP) address corresponding to the first target device;
process identification information of the first vTPM process;
and listening port information corresponding to the first vTPM process.
Optionally, the creating a first vTPM process and obtaining the first information according to the first request information includes:
creating the first vTPM process through a proxy node in the first target device according to the first request information;
creating a listening port through the first vTPM process and/or generating process identification information through the first vTPM process;
and determining the first information according to the listening port information of the listening port created by the first vTPM process and/or the process identification information of the first vTPM process.
Optionally, the virtual machine management method further includes:
generating a key pair through the first vTPM process, and requesting the operator device to issue a certificate.
Optionally, after the sending the first information to the first server, the method further includes:
performing key negotiation with the virtual machine main process borne by the second target device through Transport Layer Security (TLS);
and under the condition that the key negotiation succeeds, establishing an encrypted channel between the virtual machine main process and the first vTPM process.
Optionally, after the sending the first information to the first server, the method further includes:
receiving second request information sent by the second target device; wherein the second request information is used for requesting a trusted computing service;
And providing a trusted computing service when the second request information carries the process identification information of the first vTPM process, and/or discarding the second request information when the second request information does not carry the process identification information of the first vTPM process.
The embodiment of the application provides a virtual machine management method applied to a second target device bearing a virtual machine main process, comprising the following steps:
receiving first information sent by a second server; the first information is used for establishing an interaction channel with a first vTPM process carried by first target equipment;
And establishing an interaction channel between the virtual machine main process and the first vTPM process according to the first information.
Optionally, the first information relates to the first vTPM process, the first information comprising at least one of:
an IP address corresponding to the first target device;
Process identification information of the first vTPM process;
and listening port information corresponding to the first vTPM process.
Optionally, the establishing an interaction channel between the virtual machine main process and the first vTPM process according to the first information includes:
starting a virtual machine main process according to the first information, and requesting the certificate of the first vTPM process from operator equipment;
performing key negotiation with the first vTPM process through TLS;
And under the condition that key negotiation is successful, establishing an encryption channel between the virtual machine main process and the first vTPM process.
Optionally, after establishing the interaction channel between the virtual machine main process and the first vTPM process according to the first information, the method further includes:
establishing a connection with a third target device bearing the source virtual machine main process;
and obtaining the memory data of the virtual machine through iterative memory copying initiated by the third target device.
Optionally, after establishing the interaction channel between the virtual machine main process and the first vTPM process according to the first information, the method further includes:
sending second request information to the first target device; the second request information is used for requesting trusted computing services, and the second request information carries process identification information of the first vTPM process.
The embodiment of the application provides a virtual machine management method, which is applied to a first server and comprises the following steps:
Receiving third request information sent by a third server; the third request information is used for requesting to create a vTPM process;
According to the third request information, determining a first target device from at least one device carrying a vTPM process;
transmitting first request information to a first target device; the first request information is used for requesting the first target device to create a first vTPM process;
receiving first information fed back by the first target device according to the first request information, and forwarding the first information to the third server; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and the first vTPM process.
The embodiment of the application provides a virtual machine management method which is applied to a second server and comprises the following steps:
Receiving fourth request information sent by a third server; the fourth request information is used for requesting to create and/or migrate the virtual machine main process;
Determining a second target device from devices bearing the virtual machine main process according to the fourth request information;
Transmitting first information to the second target device; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device.
Optionally, the fourth request information carries the first information.
The embodiment of the application provides a virtual machine management method, which is applied to a third server and comprises the following steps:
receiving fifth request information sent by user equipment; the fifth request information is used for requesting to create a virtual machine;
according to the fifth request information, third request information is sent to the first server; the third request information is used for requesting to create a vTPM process;
receiving first information fed back by the first server according to the third request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device;
Sending fourth request information to a second server; the fourth request information is used for requesting to create a virtual machine main process, and the fourth request information carries the first information.
The embodiment of the application provides a virtual machine management device, which comprises:
the first receiving module is used for receiving first request information sent by the first server;
the creation module is used for creating a first vTPM process and obtaining first information according to the first request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and the first vTPM process;
And the sending module is used for sending the first information to the first server.
The embodiment of the application provides a virtual machine management device, which comprises:
The receiving module is used for receiving the first information sent by the second server; the first information is used for establishing an interaction channel with a first vTPM process carried by first target equipment;
and the first establishing module is used for establishing an interaction channel between the virtual machine main process and the first vTPM process according to the first information.
The embodiment of the application provides a virtual machine management device, which comprises:
the first receiving module is used for receiving third request information sent by a third server; the third request information is used for requesting to create a vTPM process;
the determining module is used for determining a first target device from at least one device bearing a vTPM process according to the third request information;
the sending module is used for sending first request information to the first target equipment; the first request information is used for requesting the first target device to create a first vTPM process;
the second receiving module is used for receiving first information fed back by the first target device according to the first request information and forwarding the first information to the third server; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and the first vTPM process.
The embodiment of the application provides a virtual machine management device, which comprises:
the receiving module is used for receiving fourth request information sent by the third server; the fourth request information is used for requesting to create and/or migrate the virtual machine main process;
the determining module is used for determining a second target device from devices carrying the main process of the virtual machine according to the fourth request information;
A sending module, configured to send first information to the second target device; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device.
The embodiment of the application provides a virtual machine management device, which comprises:
the first receiving module is used for receiving fifth request information sent by the user equipment; the fifth request information is used for requesting to create a virtual machine;
the first sending module is used for sending third request information to the first server according to the fifth request information; the third request information is used for requesting to create a vTPM process;
the second receiving module is used for receiving first information fed back by the first server according to the third request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device;
the second sending module is used for sending fourth request information to the second server; the fourth request information is used for requesting to create a virtual machine main process, and the fourth request information carries the first information.
The embodiment of the application provides target equipment, which comprises the following components: a transceiver, a processor, a memory, and a program or instructions stored on the memory and executable on the processor; the steps of the virtual machine management method described above at the first target device side are implemented when the processor executes the program or the instruction, or the steps of the virtual machine management method described above at the second target device side are implemented when the processor executes the program or the instruction.
The embodiment of the application provides a server, which comprises: a transceiver, a processor, a memory, and a program or instructions stored on the memory and executable on the processor; the steps of the virtual machine management method described above on the first server side are implemented when the processor executes the program or the instruction, or the steps of the virtual machine management method described above on the second server side are implemented when the processor executes the program or the instruction, or the steps of the virtual machine management method described above on the third server side are implemented when the processor executes the program or the instruction.
Embodiments of the present application provide a readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps of a virtual machine management method as described above.
Embodiments of the present application provide a computer program product comprising computer instructions which, when executed by a processor, implement the steps of a virtual machine management method as described above.
The technical scheme of the application has the following beneficial effects:
According to the embodiments of the application, the device bearing the vTPM process and the device bearing the virtual machine main process are deployed on different physical devices. The first target device creates the first vTPM process based on the first request information sent by the first server, obtains the first information, and reports the first information related to the created first vTPM process to the first server, which forwards it towards the second target device; the virtual machine main process borne by the second target device can then establish an interaction channel with the first vTPM process borne by the first target device based on the first information, thereby providing the virtual machine with trusted computing capability. Because the vTPM process and the virtual machine main process run on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process runs, virtual machine migration can be realized by migrating the virtual machine main process alone, which removes the complex synchronous migration of the vTPM process together with the virtual machine main process, and the security reduction of the vTPM caused by deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved more apparent, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present application, it should be understood that the sequence numbers of the following processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
In addition, the terms "system" and "network" are often used interchangeably herein.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A and that B may be determined from A. It should also be understood that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
With the popularity of computers and the Internet, reliance on computer systems to process and store sensitive information (e.g., personal identification information, financial data, business secrets, etc.) has increased, for example by establishing a connection with a computer system and processing sensitive or high-value data within it. However, if the state of the computer system being relied on cannot be confirmed, the connection is established blindly, and there is a hidden danger to security and trustworthiness.
Therefore, the security and trustworthiness of computer systems is an increasingly important issue, and for this reason the concept of trusted computing was proposed. Trusted computing is based on a hardware root of trust; through trusted measurement and trusted verification, a chain of trust is constructed from the root of trust to each measured component, so that the system or software is determined to run in the trusted state expected by the design target, and the integrity of the system and its applications is ensured. Trusted measurement collects the state of the measured software or system; trusted verification compares the measurement result with a reference value: if they are consistent the verification passes, otherwise it fails.
Like computing and storage resources, trusted computing also needs to support virtualization technology. However, trusted computing differs from computing and storage resources in that trusted computing hardware stores keys which, for security, cannot be exported and never leave the hardware during their entire life cycle. In a cloud computing environment, virtual machine migration is a very important feature for ensuring high availability of the system, but because of this characteristic of trusted computing hardware, some resources used by the virtual machine (mainly keys) cannot be migrated together with the virtual machine, which makes directly virtualizing the trusted hardware impractical.
To enable a software trusted platform module to provide trusted computing capability to a virtual machine, one option is to run the vTPM in the process space of the virtual machine main process (qemu), as shown in fig. 1. Another option is to run the vTPM as a separate process that communicates with the qemu process through UNIX domain sockets or character devices, as shown in fig. 2. In both modes the vTPM and the qemu process run on the same physical host, which has the following disadvantages:
(1) The vTPM occupies valuable central processing unit (CPU) resources on the physical host, reducing the overall energy efficiency ratio of the system. As Moore's law slows down, heterogeneity is becoming the dominant way of growing computing power; its essence is to offload each workload onto the chip architecture most suitable for it, which is why the various processing units (xPU) have evolved, such as the graphics processing unit (GPU), the neural network processing unit (NPU) and the deep learning processing unit (DPU). The computing power required by trusted computing is small, and a virtualized TPM module running on the general-purpose CPU not only affects the performance of CPU virtualization, causing performance fluctuation, but is also a great waste of CPU resources.
(2) Integrating the vTPM with the virtual machine main process greatly reduces the security of the vTPM. Because it has to emulate numerous devices, the virtual machine main process is always the most vulnerable component of the virtualization software stack. A malicious attacker who compromises the virtual machine main process can modify or steal the key data of the virtualized trusted computing module, so that it can no longer provide trusted measurement, trusted storage and trusted verification.
(3) The vTPM, as an external device of the virtual machine, has to migrate together with the virtual machine, which makes the virtual machine migration logic more complex and inevitably costs performance. In tests, the performance loss of a virtual machine with a vTPM during migration is about 7%; the loss is mainly in migration time, i.e. a virtual machine with a virtualized trusted computing module needs longer to restore normal operation of its service.
As shown in fig. 3, an embodiment of the present application provides a virtualized trusted computing architecture, including: a cloud management platform 21 (also referred to as the third server), a trusted resource management module 22 (also referred to as the first server), a computing resource management module 23 (also referred to as the second server), a device 24 bearing the vTPM, and a device bearing the virtual machine main process (not shown in fig. 3).
Cloud management platform 21: used for decomposing the task of creating a virtual machine supporting trusted computing, requested by the user equipment, into sub-tasks, and issuing them respectively to the trusted resource management module 22 and the computing resource management module 23.
The computing resource management module 23 is configured to, for the task of creating and/or migrating a virtual machine issued by the cloud management platform 21 together with the information related to the already created vTPM, select an appropriate physical host (i.e. the device bearing the virtual machine main process, also referred to as the second target device) and start the virtual machine main process there, bound to the information related to the created vTPM.
The trusted resource management module 22 is configured to, for the vTPM creation task issued by the cloud management platform 21, select an appropriate physical device (i.e. the device 24 bearing the vTPM, also referred to as the first target device), forward the vTPM creation task to the trusted resource management Agent node running on that physical device, and forward the information related to the created vTPM fed back by the Agent node to the cloud management platform 21 or the computing resource management module 23.
The Agent node in the device 24 bearing the vTPM is used for, on receiving the vTPM creation task issued by the trusted resource management module 22, creating the vTPM (the vTPM may be implemented in software or in hardware) and returning the information related to the created vTPM to the trusted resource management module 22.
The vTPM created by the Agent node may be implemented entirely in software or as an adaptation layer over an underlying hardware TPM instance. It is used for creating an asymmetric key pair and generating a certificate based on the device root key; for creating a TLS listening port and, when a new connection arrives, establishing an encrypted channel with the peer through TLS key negotiation; and for generating random process identification information (a token) and returning it to the Agent node.
The device carrying the virtual machine main process is used for starting the virtual machine main process aiming at the vTPM related information sent by the computing resource management module 23, and establishing an encryption channel with the vTPM created by the device 24 carrying the vTPM to realize the trusted computing capability of the virtual machine.
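The control-plane flow just described (cloud management platform, trusted resource management module with its Agent, computing resource management module), as an added in-memory model written for this page; it is not code from the application or from any cloud platform. Everything is simulated: the Agent only allocates a port and a random token instead of launching a vTPM process, devices are selected by lowest load, the type and method names, the port range, the IP addresses and the same-device check are this example's own assumptions, and `MigrateVM` skips the memory copy. What it shows is the point of the architecture: the first information produced on the vTPM device is what binds the VM main process to its vTPM, and migrating the VM main process carries that binding along while the vTPM process stays where it is.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// FirstInfo: IP of the device carrying the vTPM process, its random token and its listening port.
type FirstInfo struct{ IP, Token string; Port int }

// VTPMDevice is a physical device carrying vTPM processes (a first target device) with its Agent
// node; NumVTPM counts running vTPM processes and is the selection criterion assumed below.
type VTPMDevice struct{ IP string; NumVTPM, nextPort int }

// AgentCreateVTPM models the Agent node creating a vTPM process: it allocates a listening port
// (from 40000 upward, assumed) and a 128-bit random token; a real vTPM process would also bind
// the port and generate its key pair and certificate.
func (d *VTPMDevice) AgentCreateVTPM() (FirstInfo, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil { return FirstInfo{}, err }
	if d.nextPort == 0 { d.nextPort = 40000 }
	d.nextPort++
	d.NumVTPM++
	return FirstInfo{IP: d.IP, Token: fmt.Sprintf("%x", raw), Port: d.nextPort - 1}, nil
}

// TrustedResourceManager (first server) picks the least-loaded vTPM device and forwards the
// creation task (first request) to its Agent; the first information comes back the same way.
type TrustedResourceManager struct{ Devices []*VTPMDevice }

func (m *TrustedResourceManager) CreateVTPM() (FirstInfo, error) {
	if len(m.Devices) == 0 { return FirstInfo{}, fmt.Errorf("no device carrying vTPM processes") }
	best := m.Devices[0]
	for _, d := range m.Devices[1:] {
		if d.NumVTPM < best.NumVTPM { best = d }
	}
	return best.AgentCreateVTPM()
}

// ComputeHost is a physical host carrying VM main processes (a second target device); every VM
// main process on it is recorded with the first information it was started with.
type ComputeHost struct {
	IP  string
	VMs map[string]FirstInfo
}

func NewComputeHost(ip string) *ComputeHost { return &ComputeHost{IP: ip, VMs: map[string]FirstInfo{}} }

// ComputeResourceManager (second server) picks a host for a new or migrating VM main process.
type ComputeResourceManager struct{ Hosts []*ComputeHost }

func (m *ComputeResourceManager) pick(exclude *ComputeHost) (*ComputeHost, error) {
	var best *ComputeHost
	for _, h := range m.Hosts {
		if h != exclude && (best == nil || len(h.VMs) < len(best.VMs)) { best = h }
	}
	if best == nil { return nil, fmt.Errorf("no host available") }
	return best, nil
}

// CreateVM starts the VM main process (fourth request carrying the first information); the
// same-device check is this example's own sanity check.
func (m *ComputeResourceManager) CreateVM(vmID string, info FirstInfo) (*ComputeHost, error) {
	h, err := m.pick(nil)
	if err != nil { return nil, err }
	if h.IP == info.IP { return nil, fmt.Errorf("vTPM process and VM main process on the same device") }
	h.VMs[vmID] = info
	return h, nil
}

// MigrateVM moves only the VM main process: the first information travels with it unchanged and
// the vTPM process on its VTPMDevice is not touched (the memory iterative copy is not modelled).
func (m *ComputeResourceManager) MigrateVM(vmID string, from *ComputeHost) (*ComputeHost, error) {
	info, ok := from.VMs[vmID]
	if !ok { return nil, fmt.Errorf("vm %s is not on host %s", vmID, from.IP) }
	to, err := m.pick(from)
	if err != nil { return nil, err }
	to.VMs[vmID] = info
	delete(from.VMs, vmID)
	return to, nil
}

// CloudPlatform (third server) decomposes the user's request: vTPM creation first, then VM main
// process creation carrying the returned first information.
type CloudPlatform struct{ TRM *TrustedResourceManager; CRM *ComputeResourceManager }

func (c *CloudPlatform) CreateTrustedVM(vmID string) (*ComputeHost, FirstInfo, error) {
	info, err := c.TRM.CreateVTPM() // third request -> first request -> first information
	if err != nil { return nil, FirstInfo{}, err }
	h, err := c.CRM.CreateVM(vmID, info) // fourth request
	return h, info, err
}

func main() {
	dev := &VTPMDevice{IP: "10.0.1.1"} // addresses are constructed sample data
	crm := &ComputeResourceManager{Hosts: []*ComputeHost{NewComputeHost("10.0.2.1"), NewComputeHost("10.0.2.2")}}
	host, info, err := (&CloudPlatform{TRM: &TrustedResourceManager{Devices: []*VTPMDevice{dev}}, CRM: crm}).CreateTrustedVM("vm-1")
	if err != nil { panic(err) }
	to, _ := crm.MigrateVM("vm-1", host)
	fmt.Printf("vm-1: %s -> %s; vTPM stays at %s:%d (%d process)\n", host.IP, to.IP, info.IP, info.Port, dev.NumVTPM)
}
```

The token in the first information is a bearer secret that crosses three management components before it reaches the VM main process; in a deployment the hops that carry it (first server to third server to second server to host) need the same confidentiality as the vTPM channel itself.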
As shown in fig. 4, an embodiment of the present application provides a virtual machine management method applied to a first target device carrying a virtualized trusted computing module vTPM process, the method including the steps of:
Step 41: and receiving first request information sent by the first server.
Step 42: according to the first request information, creating a first vTPM process and obtaining first information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and the first vTPM process.
Step 43: and sending the first information to the first server.
Optionally, the first target device is a device selected by the first server, based on the creation requirement of the vTPM, from at least one device bearing vTPM processes that meets the creation requirement.
Optionally, the first request information is used for requesting the first target device to create a vTPM process, that is, the first target device creates the first vTPM process and obtains the first information based on the first request information sent by the first server.
Optionally, the first information is related to the first vTPM process, so that the first target device reports the first information related to the created first vTPM process to the first server, and then the first information is forwarded to the second target device by the first server. Such as: the first server sends the first information to the third server, and the third server forwards the first information to the second target device through the second server, or the first server forwards the first information to the second target device through the second server directly, etc., which is not limited by the embodiment of the present application.
Optionally, the first target device and the second target device are different devices which are physically isolated, the virtual machine host process carried by the second target device establishes an interaction channel with the first vTPM process carried by the first target device based on the first information, so as to realize the trusted computing capability of the virtual machine.
In the embodiments of the application, the device bearing the vTPM process and the device bearing the virtual machine main process are deployed on different physical devices. The first target device creates the first vTPM process based on the first request information sent by the first server, obtains the first information, and reports the first information related to the created first vTPM process to the first server, which forwards it towards the second target device; the virtual machine main process borne by the second target device can then establish an interaction channel with the first vTPM process borne by the first target device based on the first information, thereby providing the virtual machine with trusted computing capability. Because the vTPM process and the virtual machine main process run on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process runs, virtual machine migration can be realized by migrating the virtual machine main process alone, which removes the complex synchronous migration of the vTPM process together with the virtual machine main process, and the security reduction of the vTPM caused by deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
Optionally, the first information includes at least one of:
an IP address corresponding to the first target device; for example, the IP address may be used by the second target device to locate the target device on which the first vTPM process was created;
process identification information of the first vTPM process; for example, the process identification information may be used for request authentication or authorized-access authentication between the virtual machine main process borne by the second target device and the first vTPM process, so as to prevent unauthorized access: when the second target device sends a request to the first vTPM process, the first vTPM process processes the request (e.g., provides a trusted computing service) if the process identification information is carried, and otherwise refuses to process the request and discards it;
listening port information corresponding to the first vTPM process; for example, the listening port information is used for establishing the interaction channel between the virtual machine main process borne by the second target device and the first vTPM process.
Optionally, the creating a first vTPM process and obtaining the first information according to the first request information includes:
creating the first vTPM process through a proxy node in the first target device according to the first request information;
creating a listening port through the first vTPM process and/or generating process identification information through the first vTPM process;
and determining the first information according to the listening port information of the listening port created by the first vTPM process and/or the process identification information of the first vTPM process.
For example: a proxy node (also referred to as the trusted resource management Agent node) is deployed on the first target device; the first server sends the first request information to the proxy node running on the first target device, and the proxy node creates the first vTPM process, which may be a TPM instance implemented in software or an adaptation layer interfacing with the underlying trusted computing hardware device.
The first vTPM process creates a listening port, which provides the interaction channel with the virtual machine main process borne by the second target device; and/or the first vTPM process generates random process identification information (a token). The first vTPM process feeds back the listening port information of the created listening port and/or the generated random token, together with the IP address of the current physical host (i.e. the first target device), to the proxy node, and the proxy node reports the listening port information, the random token and the IP address of the current physical host to the first server.
Optionally, the virtual machine management method further includes:
and generating a key pair through the first vTPM process, and requesting to issue a certificate to the operator equipment.
In this embodiment, the first vTPM process may generate an asymmetric key pair and, based on the root key of the current physical host, request the operator device to issue a certificate for it, so as to provide a secure encrypted channel between the virtual machine main process borne by the second target device and the first vTPM process.
Optionally, after the sending the first information to the first server, the method further includes:
performing key negotiation with the virtual machine main process carried by the second target device through TLS;
and, when the key negotiation succeeds, establishing an encrypted channel between the virtual machine main process and the first vTPM process.
For example: once the second target device has obtained the first information related to the first vTPM process, it can start the virtual machine main process and request a certificate from the operator device, so that the virtual machine main process carried by the second target device and the first vTPM process can perform key negotiation through TLS and establish a secure encrypted channel.
Optionally, after the sending the first information to the first server, the method further includes:
receiving second request information sent by the second target device, the second request information being used for requesting a trusted computing service;
and providing the trusted computing service when the second request information carries the process identification information of the first vTPM process, and/or discarding the second request information when it does not carry the process identification information of the first vTPM process.
For example: the second target device obtains the first information related to the first vTPM process, which includes the process identification information (such as a random Token) corresponding to the first vTPM process. This process identification information serves as the authorized access identifier between the virtual machine main process carried by the second target device and the first vTPM process. The virtual machine main process carried by the second target device initiates a trusted computing service request (namely the second request information) to the first vTPM process. If the second request information carries the process identification information corresponding to the first vTPM process, authorization passes and the first vTPM process provides the trusted computing service. Otherwise, if the second request information does not carry the correct process identification information, authorization fails and the first vTPM process refuses to process the request and discards it, so as to prevent unauthorized access. A request carrying a wrong Token is treated the same as one carrying none, and because requests are sent over the encrypted channel established beforehand, the Token itself is not exposed in cleartext on the network.
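The following is an added example, not code from the application: a loopback stand-in for the first vTPM process (listening port, random Token, Token-checked service that discards unauthorized requests) and for the virtual machine main process that sends requests carrying the Token. The TLS channel the text describes (certificate from the operator device, TLS key negotiation) is assumed to wrap the socket in deployment; here the channel is plain loopback TCP so the example runs offline. The JSON-lines framing, the PCR-style "extend" operation and all names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
import socket
import threading

# Added example, not the application's code. Plain loopback TCP stands in for
# the TLS channel between the virtual machine main process (second target
# device) and the first vTPM process (first target device). JSON-lines framing
# and the PCR-style "extend" service are assumptions for illustration.

HOST_IP = "127.0.0.1"  # stands in for the IP address of the first target device


def pcr_extend(old: bytes, data: bytes) -> bytes:
    """TPM-style extend, new = H(old || H(data)); the fake service's operation."""
    return hashlib.sha256(old + hashlib.sha256(data).digest()).digest()


class VTPMProcess:
    """Stand-in for the first vTPM process: one listening port, one Token."""

    def __init__(self, ip: str = HOST_IP):
        # The Token is a bearer secret from the OS CSPRNG; in deployment it must
        # only ever travel inside the TLS channel.
        self.token = secrets.token_hex(32)
        self.pcrs = {}       # vTPM-internal state; it never has to migrate
        self.discarded = 0   # requests dropped because the Token was wrong
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((ip, 0))  # port 0: the kernel picks a free listening port
        self.sock.listen(5)
        self.ip, self.port = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def first_info(self) -> dict:
        """The 'first information' the proxy node reports to the first server."""
        return {"ip": self.ip, "port": self.port, "token": self.token}

    def _authorized(self, request: dict) -> bool:
        # Missing and wrong Tokens are treated alike; compare_digest keeps the
        # comparison time independent of how many bytes matched.
        presented = str(request.get("token", "")).encode()
        return hmac.compare_digest(presented, self.token.encode())

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket):
        with conn, conn.makefile("rwb") as f:
            for line in f:
                try:
                    request = json.loads(line)
                except ValueError:
                    break
                if not self._authorized(request):
                    # Refuse to process and discard; also closing the channel
                    # is this example's choice, the text only says "discard".
                    self.discarded += 1
                    break
                f.write((json.dumps(self._service(request)) + "\n").encode())
                f.flush()

    def _service(self, request: dict) -> dict:
        """The trusted computing service that sits behind the Token check."""
        if request.get("op") != "extend":
            return {"ok": False, "error": "unknown op"}
        index = int(request.get("index", 0))
        data = str(request.get("data", "")).encode()
        self.pcrs[index] = pcr_extend(self.pcrs.get(index, bytes(32)), data)
        return {"ok": True, "index": index, "value": self.pcrs[index].hex()}


class VMMainProcess:
    """Stand-in for the virtual machine main process on the second target device."""

    def __init__(self, first_info: dict):
        self.token = first_info["token"]
        self.sock = socket.create_connection((first_info["ip"], first_info["port"]), timeout=5)
        self.f = self.sock.makefile("rwb")

    def request(self, op: str, token=None, **params):
        """Send one request carrying the Token; None means the vTPM discarded it."""
        msg = {"op": op, "token": self.token if token is None else token, **params}
        self.f.write((json.dumps(msg) + "\n").encode())
        self.f.flush()
        line = self.f.readline()
        return json.loads(line) if line else None


def demo():
    vtpm = VTPMProcess()
    vm = VMMainProcess(vtpm.first_info())      # holds the Token: authorized
    good = vm.request("extend", index=0, data="boot-loader")
    rogue = VMMainProcess(vtpm.first_info())   # same port, guessed Token
    bad = rogue.request("extend", token="guess", index=0, data="evil")
    return good, bad, vtpm.discarded
```

Running `demo()` returns the successful extend result, `None` for the rogue request (the vTPM discarded it and dropped the connection) and a discard count of 1. The constant-time comparison matters because the Token is the only thing that distinguishes an authorized virtual machine main process from any other peer that reaches the listening port.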
As shown in fig. 5, an embodiment of the present application provides a virtual machine management method applied to a second target device carrying a virtual machine main process, the method including the steps of:
step 51: receiving first information sent by a second server; the first information is used for establishing an interaction channel with a first vTPM process carried by first target equipment;
step 52: and establishing an interaction channel between the virtual machine main process and the first vTPM process according to the first information.
Optionally, the second target device may be a device that the second server selects, from at least one device able to carry a virtual machine main process, according to the creation and/or migration requirement of the virtual machine, so as to meet that requirement. For example: the second target device may be determined according to the creation requirement of the virtual machine, in which case the second server sends virtual machine creation request information, which may carry the first information, to the second target device; or the second target device may be determined according to the migration requirement of the virtual machine, in which case the second server sends virtual machine migration request information, which may carry the first information, to the second target device.
Optionally, the first information relates to the first vTPM process created by the first target device: the first target device reports the first information related to the created first vTPM process to the first server, and the first server then forwards it to the second target device. For example: the first server sends the first information to the third server, and the third server forwards it to the second target device through the second server; or the first server forwards the first information to the second target device through the second server directly. The embodiments of the present application do not limit this.
Optionally, the first target device and the second target device are different, physically isolated devices; the virtual machine main process carried by the second target device establishes an interaction channel with the first vTPM process carried by the first target device based on the first information, so as to realize the trusted computing capability of the virtual machine.
In the embodiment of the present application, the device carrying the vTPM process and the device carrying the virtual machine main process are deployed on different physical devices, and the second target device establishes an interaction channel between the virtual machine main process it carries and the first vTPM process carried by the first target device through the first information obtained from the second server, so that the trusted computing capability of the virtual machine is realized. Because the vTPM process and the virtual machine main process are deployed on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process is located, virtual machine migration can be realized by migrating the virtual machine main process alone, the complex flow of migrating the vTPM process and the virtual machine main process synchronously is avoided, and the loss of vTPM security that results from deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
Optionally, the first information relates to the first vTPM process, the first information comprising at least one of:
an internet protocol (IP) address corresponding to the first target device; for example, the IP address is used by the second target device to determine which device created the first vTPM process;
process identification information of the first vTPM process; for example, the process identification information is used for request authentication, or authorized access authentication, between the virtual machine main process carried by the second target device and the first vTPM process, so as to prevent unauthorized access. For instance, when the second target device sends a request to the first vTPM process, the first vTPM process processes the request (e.g. provides the trusted computing service) if the request carries the process identification information, and refuses to process the request and discards it if it does not;
monitoring port information corresponding to the first vTPM process; for example, the monitoring port information is used for establishing the interaction channel between the virtual machine main process carried by the second target device and the first vTPM process.
Optionally, the establishing an interaction channel between the virtual machine main process and the first vTPM process according to the first information includes:
starting the virtual machine main process according to the first information, and requesting from the operator device the certificate for the first vTPM process;
performing key negotiation with the first vTPM process through the transport layer security protocol TLS;
and, when the key negotiation succeeds, establishing an encrypted channel between the virtual machine main process and the first vTPM process.
For example: during virtual machine creation, the first vTPM process generates an asymmetric key pair and requests the operator device to issue a certificate for the public key, using the root key of the current physical host (namely the first target device). Correspondingly, once the second target device has obtained the first information related to the first vTPM process, it can start the virtual machine main process and request a certificate from the operator device, so that the virtual machine main process carried by the second target device and the first vTPM process can perform key negotiation through TLS and establish a secure encrypted channel.
For another example: during virtual machine migration, the second server provides the first information related to the first vTPM process to the destination host (namely the second target device) and starts the migrated destination virtual machine main process on it; the destination virtual machine main process requests a certificate from the operator device and performs key negotiation through TLS based on the first information, establishing a secure encrypted channel. At this point the first vTPM process is connected to the source virtual machine main process and the destination virtual machine main process at the same time, but the source virtual machine main process is in the running state and the destination virtual machine main process is in the suspended state: the trusted computing service and related tasks of the source virtual machine main process continue to run without interruption, and the destination virtual machine main process does not initiate requests to the first vTPM process, which ensures the continuity and reliability of the trusted computing service.
Optionally, after establishing the interaction channel between the virtual machine main process and the first vTPM process according to the first information, the method further includes:
sending second request information to the first target device; the second request information is used for requesting trusted computing services, and the second request information carries process identification information of the first vTPM process.
For example: once the creation of the virtual machine is complete, the second target device accesses the first vTPM process based on the process identification information (such as a random Token) corresponding to the first vTPM process. The process identification information serves as the authorized access identifier between the virtual machine main process carried by the second target device and the first vTPM process: the virtual machine main process initiates a trusted computing service request (namely the second request information) to the first vTPM process, and if the second request information carries the process identification information corresponding to the first vTPM process, authorization passes and the first vTPM process provides the trusted computing service; otherwise, authorization fails and the first vTPM process refuses to process the request and discards it, so as to prevent unauthorized access.
Optionally, after establishing the interaction channel between the virtual machine main process and the first vTPM process according to the first information, the method further includes:
establishing a connection with a third target device carrying the source virtual machine main process;
and obtaining the memory data of the virtual machine through iterative memory copying initiated by the third target device.
In this embodiment, during the migration of the virtual machine, the destination virtual machine main process and the first vTPM process perform key negotiation through TLS and establish a secure encrypted channel (at this point the first vTPM process is connected to the source virtual machine main process and the destination virtual machine main process at the same time). The source host (namely the third target device) establishes a connection with the destination host (namely the second target device) and initiates iterative memory copying: the memory of the source host is copied to the destination host round by round until the threshold condition that triggers the final switch-over is reached, at which point the source virtual machine main process is stopped and the remaining memory is copied to the destination host in one go. The second target device thus obtains the memory data of the virtual machine, and the continuity and reliability of the trusted computing service and related tasks are ensured in the virtual machine migration scenario.
Further, after the migration is complete, the source virtual machine main process is closed and the virtual machine main process on the destination host (namely the second target device) enters the running state; only now does the virtual machine main process carried by the second target device initiate requests to the first vTPM process. Specifically, the virtual machine main process carried by the second target device sends second request information to the first target device, the second request information being used for requesting a trusted computing service and carrying the process identification information (such as a random Token) of the first vTPM process, which serves as the authorized access identifier. If the second request information carries the process identification information corresponding to the first vTPM process, authorization passes and the first vTPM process provides the trusted computing service; otherwise, authorization fails and the first vTPM process refuses to process the request and discards it, so as to prevent unauthorized access.
In this embodiment, because the virtual machine main process on the destination host establishes the encrypted channel with the first vTPM process before the memory copy begins, the migration itself is not affected and the total migration time is not lengthened.
As shown in fig. 6, an embodiment of the present application provides a virtual machine management method, applied to a first server, including the following steps:
Step 61: receiving third request information sent by a third server; the third request information is used for requesting to create a vTPM process;
Step 62: according to the third request information, determining a first target device from at least one device carrying a vTPM process;
Step 63: transmitting first request information to a first target device; the first request information is used for requesting the first target device to create a first vTPM process;
step 64: receiving first information fed back by the first target device according to the first request information, and forwarding the first information to the third server; and the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target equipment and the first vTPM process.
Optionally, the user device sends to the third server creation request information for creating a virtual machine with an attached vTPM. The creation request information may carry the user's requirements for the vTPM, for example: whether the vTPM is to be implemented in software or in hardware, the device vendor, whether the vTPM must be standards certified, whether the vTPM must be TCG certified, and so on. The third server splits the creation request information of the user device into two tasks: it sends the third request information, requesting creation of the vTPM process, to the first server, and temporarily holds back the request for creating the virtual machine.
The first server selects a suitable physical host (namely determines the first target device) according to the resource state of each physical host (namely each device carrying vTPM processes) and the attributes of the vTPM carried by each physical host, sends the first request information to the proxy node running on the first target device, which performs the vTPM process creation flow (see the embodiment above, not repeated here), and forwards the first information about the first vTPM process obtained from the proxy node to the third server.
In this embodiment, the device carrying the vTPM process and the device carrying the virtual machine main process are deployed on different physical devices; the first server requests the first target device to create the first vTPM process and can provide the first information related to the created first vTPM process to the second target device through the third server, so that the second target device can establish an interaction channel between the virtual machine main process it carries and the first vTPM process carried by the first target device based on the first information, thereby realizing the trusted computing capability of the virtual machine. Because the vTPM process and the virtual machine main process are deployed on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process is located, virtual machine migration can be realized by migrating the virtual machine main process alone, the complex flow of migrating the vTPM process and the virtual machine main process synchronously is avoided, and the loss of vTPM security that results from deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
As shown in fig. 7, an embodiment of the present application provides a virtual machine management method applied to a second server, the method including the following steps:
Step 71: receiving fourth request information sent by a third server; the fourth request information is used for requesting to create and/or migrate the virtual machine main process;
step 72: determining a second target device from devices bearing the virtual machine main process according to the fourth request information;
Step 73: transmitting first information to the second target device; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device.
For example: during virtual machine creation, the user device sends to the third server creation request information for creating a virtual machine with an attached vTPM. The creation request information may carry the user's requirements for the vTPM, for example: whether the vTPM is to be implemented in software or in hardware, the device vendor, whether the vTPM must be standards certified, whether the vTPM must be TCG certified, and so on. The third server splits the creation request information of the user device into two tasks: it sends the third request information, requesting creation of the vTPM process, to the first server, and temporarily holds back the request for creating the virtual machine.
Further, the third server initiates the virtual machine creation flow once it receives the first information about the first vTPM process from the first server: it sends the fourth request information to the second server to request creation of the virtual machine main process. The second server selects a suitable physical host (namely determines the second target device) according to the resource state of each physical host (namely each device carrying virtual machine main processes) and starts the virtual machine main process based on the first information related to the first vTPM process; the virtual machine main process connects to the first vTPM process and the two establish a secure encrypted channel through TLS key negotiation.
Optionally, the fourth request information carries the first information.
For example: during virtual machine migration, the user device initiates a virtual machine migration request to the third server, and the third server sends the fourth request information to the second server to request migration of the virtual machine main process. The second server looks up in the database the first information associated with the first vTPM process carried by the source virtual machine, selects the destination host (namely the second target device), and sends that first information to the destination host (for the specific migration flow see the embodiment above, not repeated here).
In this embodiment, the device carrying the vTPM process and the device carrying the virtual machine main process are deployed on different physical devices; the second server provides to the second target device the first information, obtained from the third server, related to the first vTPM process created by the first target device, so that the second target device can establish an interaction channel between the virtual machine main process it carries and the first vTPM process carried by the first target device based on the first information, thereby realizing the trusted computing capability of the virtual machine. Because the vTPM process and the virtual machine main process are deployed on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process is located, virtual machine migration can be realized by migrating the virtual machine main process alone, the complex flow of migrating the vTPM process and the virtual machine main process synchronously is avoided, and the loss of vTPM security that results from deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
As shown in fig. 8, an embodiment of the present application provides a virtual machine management method applied to a third server, the method including the following steps:
Step 81: receiving fifth request information sent by user equipment; the fifth request information is used for requesting to create a virtual machine;
step 82: according to the fifth request information, third request information is sent to the first server; the third request information is used for requesting to create a vTPM process;
Step 83: receiving first information fed back by the first server according to the third request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device;
Step 84: sending fourth request information to a second server; the fourth request information is used for requesting to create a virtual machine main process, and the fourth request information carries the first information.
For example: during virtual machine creation, the user device sends to the third server creation request information for creating a virtual machine with an attached vTPM. The creation request information may carry the user's requirements for the vTPM, for example: whether the vTPM is to be implemented in software or in hardware, the device vendor, whether the vTPM must be standards certified, whether the vTPM must be TCG certified, and so on. The third server splits the creation request information of the user device into two tasks: it sends the third request information, requesting creation of the vTPM process, to the first server, and temporarily holds back the request for creating the virtual machine.
Further, the third server initiates the virtual machine creation flow once it receives the first information about the first vTPM process from the first server: it sends the fourth request information to the second server to request creation of the virtual machine main process. The second server selects a suitable physical host (namely determines the second target device) according to the resource state of each physical host (namely each device carrying virtual machine main processes) and starts the virtual machine main process based on the first information related to the first vTPM process; the virtual machine main process connects to the first vTPM process and the two establish a secure encrypted channel through TLS key negotiation.
For example: during virtual machine migration, the user device initiates a virtual machine migration request to the third server, and the third server sends the fourth request information to the second server to request migration of the virtual machine main process. The second server looks up in the database the first information associated with the first vTPM process carried by the source virtual machine, selects the destination host (namely the second target device), and sends that first information to the destination host (for the specific migration flow see the embodiment above, not repeated here).
In this embodiment, the device carrying the vTPM process and the device carrying the virtual machine main process are deployed on different physical devices. According to the virtual machine creation and/or migration request of the user device, the third server issues the vTPM process creation request to the first server, issues the virtual machine creation and/or migration request to the second server, and provides the first information related to the first vTPM process created by the first target device, obtained from the first server, to the second target device through the second server, so that the second target device can establish an interaction channel between the virtual machine main process it carries and the first vTPM process carried by the first target device based on the first information, thereby realizing the trusted computing capability of the virtual machine. Because the vTPM process and the virtual machine main process are deployed on different physical devices, the vTPM process does not occupy CPU resources of the device where the virtual machine main process is located, virtual machine migration can be realized by migrating the virtual machine main process alone, the complex flow of migrating the vTPM process and the virtual machine main process synchronously is avoided, and the loss of vTPM security that results from deploying the vTPM process and the virtual machine main process on the same physical device is avoided.
In the embodiments of the present application, a software-implemented vTPM is given the capability of providing a trusted link to the outside, so that the vTPM can run on a physical device isolated from the virtual machine main process. This removes the restriction that the vTPM process and the virtual machine main process must be located on the same physical device, which solves the problem of wasted general-purpose CPU resources; it facilitates unified management of vTPM instances; it provides a security guarantee for the vTPM process through the physical isolation of the vTPM process from the virtual machine main process; it avoids the complex flow of migrating the vTPM process and the virtual machine main process synchronously; and, during virtual machine migration, because the virtual machine main process on the destination host establishes the encrypted channel with the first vTPM process before the memory copy begins, the migration itself is not affected and the total migration time is not lengthened.
The following describes the interaction procedure of the virtual machine management method according to the present application in conjunction with the trusted computing virtualization architecture shown in fig. 3:
Example 1: as shown in fig. 9, the creation flow of a virtual machine carrying a vTPM specifically includes:
Step 91: the user device sends request information to the cloud management platform requesting creation of a virtual machine carrying a vTPM. The request information carries, among other things, the user's requirements for the vTPM, for example: whether the vTPM is to be implemented in software or in hardware, the device vendor, whether the vTPM must be standards certified, whether the vTPM must be TCG certified, and so on;
Step 92: the cloud management platform sends an instruction to the trusted resource management module requesting creation of a vTPM, and temporarily holds back the request for creating the virtual machine;
Step 93: the trusted resource management module selects a suitable physical host according to the resource state of each physical host and the attributes of the trusted computing device carried by each, and sends a request to the trusted resource management Agent running on that host;
Step 94: the trusted resource management Agent creates a vTPM process;
Step 95: the vTPM process creates a monitoring port. The vTPM process may be a TPM instance implemented in software, or an adaptation layer that interfaces with an underlying trusted computing hardware device. The vTPM process generates an asymmetric key pair and has a certificate issued for the public key using the device root key;
Step 96: the vTPM process generates a Token and sends the Token, the IP address of the current physical host and the monitoring port of the vTPM process to the trusted resource management Agent;
Step 97: the trusted resource management Agent returns the Token, IP address and monitoring port to the trusted resource management module;
Step 98: the trusted resource management module returns the Token, IP address and monitoring port to the cloud management platform;
Step 99: the cloud management platform adds the Token, IP address and monitoring port to the virtual machine creation request information and sends it to the computing resource management module;
Step 910: the computing resource management module starts the virtual machine main process based on the IP address, monitoring port and Token;
Step 911: the virtual machine main process connects to the vTPM process, and the two establish a secure encrypted channel through TLS key negotiation;
Step 912: the virtual machine main process carries the Token in every request it sends to the vTPM process; requests that do not carry the correct Token are refused and discarded by the vTPM process, preventing unauthorized access.
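The orchestration half of this flow (the task split in step 92, host selection by vTPM attributes and resource state in step 93, reporting of the Token, IP address and port in steps 96 to 99, and the first, second and third server methods of figs. 6 to 8) as an added example, not the application's own code. Host inventories, attribute names, the selection rule (best attribute match, then the host with the most free CPU) and the port allocation are assumptions for illustration; a real trusted resource management Agent would start a vTPM process and report the port it actually bound.

```python
import secrets

# Added example, not the application's code. In-memory model of the creation
# flow: cloud management platform (third server), trusted resource management
# module (first server), computing resource management module (second server)
# and the Agent on each trusted host. Inventories and names are constructed.


class TrustedResourceAgent:
    """Proxy node on a physical host that carries vTPM processes (steps 94 to 97)."""

    def __init__(self, ip):
        self.ip = ip
        self.vtpms = {}  # listening port -> Token

    def create_vtpm(self):
        port = 20000 + len(self.vtpms)  # assumed: next free listening port
        token = secrets.token_hex(32)   # random process identification (Token)
        self.vtpms[port] = token
        return {"ip": self.ip, "port": port, "token": token}


def satisfies(requirement, attrs):
    """Every attribute the user specified must match; unspecified ones are free."""
    return all(attrs.get(key) == value for key, value in requirement.items())


class FirstServer:
    """Trusted resource management module: picks the first target device (step 93)."""

    def __init__(self, hosts):
        self.hosts = hosts  # each: {"agent", "cpu_free", "vtpm"}

    def create_vtpm(self, requirement):
        candidates = [h for h in self.hosts if satisfies(requirement, h["vtpm"])]
        if not candidates:
            return None  # no host carries a vTPM meeting the user's requirement
        host = max(candidates, key=lambda h: h["cpu_free"])
        return host["agent"].create_vtpm()


class SecondServer:
    """Computing resource management module: picks the second target device."""

    def __init__(self, hosts):
        self.hosts = hosts  # each: {"ip", "cpu_free"}

    def create_vm(self, first_info):
        # Physical isolation: never place the VM main process on the host that
        # carries its vTPM process, even if that host has capacity.
        candidates = [h for h in self.hosts if h["ip"] != first_info["ip"]]
        host = max(candidates, key=lambda h: h["cpu_free"])
        return {"host": host["ip"], "vtpm": first_info, "state": "running"}


class ThirdServer:
    """Cloud management platform: splits the user's request into two tasks."""

    def __init__(self, first, second):
        self.first, self.second, self.db = first, second, {}

    def create_vm_with_vtpm(self, vm_id, requirement):
        # Step 92: the VM creation half is held back until the vTPM half returns.
        first_info = self.first.create_vtpm(requirement)
        if first_info is None:
            return {"ok": False, "error": "no host satisfies the vTPM requirement"}
        vm = self.second.create_vm(first_info)  # steps 99 to 911
        self.db[vm_id] = first_info             # looked up again at migration time
        return {"ok": True, "vm": vm}


def build_platform():
    """Constructed inventory (not real hosts) used to exercise the flow."""
    first = FirstServer([
        {"agent": TrustedResourceAgent("10.0.1.11"), "cpu_free": 0.20,
         "vtpm": {"impl": "hardware", "vendor": "VendorA", "tcg_certified": True}},
        {"agent": TrustedResourceAgent("10.0.1.12"), "cpu_free": 0.70,
         "vtpm": {"impl": "software", "vendor": "VendorB", "tcg_certified": False}},
        {"agent": TrustedResourceAgent("10.0.1.13"), "cpu_free": 0.55,
         "vtpm": {"impl": "hardware", "vendor": "VendorA", "tcg_certified": True}},
    ])
    second = SecondServer([{"ip": "10.0.2.21", "cpu_free": 0.30},
                           {"ip": "10.0.2.22", "cpu_free": 0.80}])
    return ThirdServer(first, second)


if __name__ == "__main__":
    platform = build_platform()
    print(platform.create_vm_with_vtpm("vm-1", {"impl": "hardware", "tcg_certified": True}))
    print(platform.create_vm_with_vtpm("vm-2", {"vendor": "VendorC"}))
```

A request for a TCG-certified hardware vTPM lands on 10.0.1.13 (the matching host with the most free CPU, not the idle software-only host), the virtual machine main process is placed on a different physical device, and an unsatisfiable requirement fails before any virtual machine is created, which is exactly why the platform holds the creation request back until the vTPM half has returned.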
Example 2: as shown in fig. 10, the virtual machine migration process with a vTPM includes:
Step 101: the user equipment initiates a virtual machine migration request to the cloud management platform;
Step 102: the cloud management platform sends the virtual machine migration request to the computing resource management module;
Step 103: the computing resource management module looks up, in the database, the IP address, monitoring port, Token and other information associated with the vTPM process used by the source virtual machine main process;
Step 104: the computing resource management module selects a target host and sends the IP address, monitoring port, Token and other information associated with the vTPM to the target host;
Step 105: the computing resource management module starts the migration target virtual machine main process on the target host;
Step 106: the target virtual machine main process establishes an encrypted channel with the vTPM through TLS key negotiation based on the IP address and the monitoring port. At this point the source virtual machine main process and the target virtual machine main process are both connected to the vTPM, but the source virtual machine main process is in the running state while the target virtual machine main process is in the suspended state, so it cannot initiate requests to the vTPM;
Step 107: the source host establishes a connection with the destination host and initiates iterative copying of the memory;
Step 108: the source host performs iterative copying of the memory and sends it to the destination host until the critical condition for migration is triggered; the source virtual machine main process is then stopped and the remaining memory is copied to the target host;
Step 109: the virtual machine main process on the target host enters the running state;
Step 1010: the virtual machine main process on the target host carries the Token when sending requests to the vTPM process.
In the migration flow, the virtual machine main process on the target host establishes the encrypted channel with the vTPM process before the migration, so the migration process itself is not affected and no migration time is lost.
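The creation flow of fig. 9 (a vTPM process that hands back its IP, port and Token and then drops every request without the correct Token, step 912) and the migration flow of fig. 10 (the target main process connects while still suspended, memory is pre-copied iteratively, then the source stops and the target resumes with the same Token) can be modelled together. The following is an added, constructed example and not code from the patent or any vendor; the class names, the `pcr_extend`/`pcr_read` commands and the registry dictionary that stands in for the TLS connection are assumptions made here.

```python
"""Toy model of the remote-vTPM creation and migration flows (constructed
example; class names, commands and the registry stand-in are assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class VTPMProcess:
    """vTPM process created by the trusted resource management Agent on the
    trusted-computing host: one listening port, one Token, a few PCRs."""
    host_ip: str
    port: int
    token: str = field(default_factory=lambda: secrets.token_hex(16))  # step 96
    pcrs: Dict[int, bytes] = field(default_factory=lambda: {i: b"\x00" * 32 for i in range(8)})
    rejected: int = 0

    def first_info(self) -> dict:
        """The (IP, port, Token) triple returned via the Agent to the cloud
        management platform in steps 96-98."""
        return {"ip": self.host_ip, "port": self.port, "token": self.token}

    def handle(self, token: str, cmd: str, *args):
        """Step 912: requests without the correct Token are discarded, not
        answered. compare_digest keeps the comparison constant-time."""
        if not hmac.compare_digest(token, self.token):
            self.rejected += 1
            return None
        if cmd == "pcr_read":
            return self.pcrs[args[0]]
        if cmd == "pcr_extend":
            idx, data = args
            # TPM 2.0 extend: PCR <- H(PCR || H(data)); earlier values cannot be rewritten
            self.pcrs[idx] = hashlib.sha256(self.pcrs[idx] + hashlib.sha256(data).digest()).digest()
            return self.pcrs[idx]
        raise ValueError(f"unknown vTPM command {cmd!r}")


@dataclass
class VMMainProcess:
    """Virtual machine main process on a computing host, started with
    first_info (step 910). Only a RUNNING process may send vTPM requests;
    the migration target stays SUSPENDED until the switch-over (step 106)."""
    info: dict
    state: str = "SUSPENDED"
    memory: Dict[int, bytes] = field(default_factory=dict)   # guest pages
    dirty: Set[int] = field(default_factory=set)
    vtpm: Optional[VTPMProcess] = None

    def connect(self, registry: Dict[tuple, VTPMProcess]) -> None:
        # Stands in for TLS key negotiation to (ip, port) from first_info (step 911).
        self.vtpm = registry[(self.info["ip"], self.info["port"])]

    def request(self, cmd: str, *args):
        if self.state != "RUNNING":
            raise RuntimeError("only a running main process may talk to the vTPM")
        return self.vtpm.handle(self.info["token"], cmd, *args)

    def write_page(self, page: int, data: bytes) -> None:
        self.memory[page] = data
        self.dirty.add(page)


def migrate(src: VMMainProcess, dst: VMMainProcess, registry: Dict[tuple, VTPMProcess],
            workload: Callable[[VMMainProcess, int], None],
            threshold: int = 1, max_rounds: int = 10) -> int:
    """Steps 105-109: the target connects to the same vTPM before any memory
    moves, memory is pre-copied iteratively until the dirty set is no larger
    than the threshold, then the source stops, the remainder is copied and the
    target resumes. Returns the number of pre-copy rounds."""
    dst.connect(registry)            # step 106: channel established while SUSPENDED
    src.dirty = set(src.memory)      # first round copies every page
    rounds = 0
    while len(src.dirty) > threshold and rounds < max_rounds:
        for page in list(src.dirty):
            dst.memory[page] = src.memory[page]
        src.dirty.clear()
        rounds += 1
        workload(src, rounds)        # guest keeps running and dirtying pages (step 108)
    src.state = "STOPPED"            # critical condition reached: stop the source
    for page in src.dirty:           # copy the remaining dirty pages
        dst.memory[page] = src.memory[page]
    src.dirty.clear()
    dst.state = "RUNNING"            # step 109: target takes over with the same Token
    return rounds
```

The `workload` callback lets a caller emulate the guest continuing to run (and to use the vTPM) during pre-copy, which is what makes the Token check and the suspended-target rule observable: the source keeps sending authenticated requests, a wrong Token is silently dropped, and the target cannot reach the vTPM until it is switched to the running state.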
By establishing the TLS encrypted channel in the vTPM process, the embodiment of the application removes the restriction that the vTPM process and the virtual machine main process must reside on the same physical host, and provides a virtual machine management method which mainly has the following advantages:
1) All trusted computing loads are concentrated on other equipment, so the utilization rate of the general-purpose CPU of the cloud host is improved and the energy efficiency ratio of the whole system is improved;
2) The vTPM process is physically isolated from the vulnerability-prone virtual machine main process, so that security assurance is provided for the vTPM;
3) The virtual machine main process on the target host establishes the encrypted channel with the vTPM process before the migration completes, so the migration performance of the virtual machine is not affected;
4) The method and the device concentrate all trusted computing loads in the same device, which provides commercial and technical feasibility for developing trusted computing devices that support multiple instances.
As shown in fig. 11, an embodiment of the present application provides a virtual machine management apparatus 1100, including:
A first receiving module 1110, configured to receive first request information sent by a first server;
The creating module 1120 is configured to create a first virtualized trusted computing module (vTPM) process according to the first request information and obtain first information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and the first vTPM process;
And a sending module 1130, configured to send the first information to the first server.
Optionally, the first information relates to the first vTPM process, the first information comprising at least one of:
an Internet Protocol (IP) address corresponding to the first target device;
Process identification information of the first vTPM process;
And monitoring port information corresponding to the first vTPM process.
Optionally, the creating module 1120 includes:
The first creating unit is used for creating the first vTPM process through the proxy node in the first target device according to the first request information;
The second creating unit is used for creating a monitoring port through the first vTPM process and/or generating process identification information through the first vTPM process;
And the determining unit is used for determining the first information according to the monitoring port information of the monitoring port created by the first vTPM process and/or the process identification information of the first vTPM process.
Optionally, the virtual machine management apparatus 1100 further includes:
and the first processing module is used for generating a key pair through the first vTPM process and requesting the operator equipment to issue a certificate.
Optionally, the virtual machine management apparatus 1100 further includes:
The negotiation module is used for carrying out key negotiation with a virtual machine main process borne by the second target equipment through a secure transport layer protocol TLS;
The establishing module is used for establishing an encryption channel between the virtual machine main process and the first vTPM process under the condition that key negotiation is successful.
Optionally, the virtual machine management apparatus 1100 further includes:
the second receiving module is used for receiving second request information sent by the second target equipment; wherein the second request information is used for requesting a trusted computing service;
The second processing module is configured to provide a trusted computing service when the second request information carries process identification information of the first vTPM process, and/or discard the second request information when the second request information does not carry process identification information of the first vTPM process.
It should be noted that, in the embodiment of the present application, the virtual machine management device and the virtual machine management method on the first target device side are based on the same inventive concept, and the two embodiments may refer to each other, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
As shown in fig. 12, an embodiment of the present application provides a virtual machine management apparatus 1200, including:
A receiving module 1210, configured to receive first information sent by the second server; the first information is used for establishing an interaction channel with a first virtualized trusted computing module (vTPM) process carried by first target equipment;
A first establishing module 1220, configured to establish an interaction channel between the virtual machine main process and the first vTPM process according to the first information.
Optionally, the first information relates to the first vTPM process, the first information comprising at least one of:
an Internet Protocol (IP) address corresponding to the first target device;
Process identification information of the first vTPM process;
And monitoring port information corresponding to the first vTPM process.
Optionally, the first establishing module 1220 includes:
The starting unit is used for starting a virtual machine main process according to the first information and requesting the certificate of the first vTPM process from the operator equipment;
The negotiation unit is used for carrying out key negotiation with the first vTPM process through a secure transport layer protocol TLS;
The establishing unit is used for establishing an encryption channel between the virtual machine main process and the first vTPM process under the condition that key negotiation is successful.
Optionally, the virtual machine management apparatus 1200 further includes:
The second establishing module is used for establishing connection with third target equipment carrying the main process of the source virtual machine;
And the acquisition module is used for acquiring the memory data of the virtual machine through the memory iterative copy initiated by the third target equipment.
Optionally, the virtual machine management apparatus 1200 further includes:
A sending module, configured to send second request information to the first target device; the second request information is used for requesting trusted computing services, and the second request information carries process identification information of the first vTPM process.
It should be noted that, in the embodiment of the present application, the virtual machine management device and the virtual machine management method on the second target device side are based on the same inventive concept, and the two embodiments may refer to each other, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
As shown in fig. 13, an embodiment of the present application provides a virtual machine management apparatus 1300, including:
A first receiving module 1310, configured to receive third request information sent by a third server; the third request information is used for requesting to create a virtualized trusted computing module (vTPM) process;
a determining module 1320, configured to determine, according to the third request information, a first target device from at least one device that carries a vTPM process;
A sending module 1330, configured to send first request information to a first target device; the first request information is used for requesting the first target device to create a first vTPM process;
A second receiving module 1340, configured to receive first information fed back by the first target device according to the first request information, and forward the first information to the third server; and the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target equipment and the first vTPM process.
It should be noted that, in the embodiment of the present application, the virtual machine management device and the virtual machine management method on the first server side are based on the same inventive concept, and the two embodiments may refer to each other, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
As shown in fig. 14, an embodiment of the present application provides a virtual machine management apparatus 1400, including:
A receiving module 1410, configured to receive fourth request information sent by the third server; the fourth request information is used for requesting to create and/or migrate the virtual machine main process;
A determining module 1420, configured to determine, according to the fourth request information, a second target device from the devices that carry a virtual machine main process;
a transmitting module 1430 configured to transmit the first information to the second target device; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first virtualized trusted computing module (vTPM) process borne by the first target device.
Optionally, the fourth request information carries the first information.
It should be noted that, in the embodiment of the present application, the virtual machine management device and the virtual machine management method on the second server side are based on the same inventive concept, and the two embodiments may refer to each other, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
As shown in fig. 15, an embodiment of the present application provides a virtual machine management apparatus 1500, including:
a first receiving module 1510, configured to receive fifth request information sent by a user equipment; the fifth request information is used for requesting to create a virtual machine;
a first sending module 1520, configured to send third request information to the first server according to the fifth request information; the third request information is used for requesting to create a virtualized trusted computing module (vTPM) process;
a second receiving module 1530, configured to receive first information fed back by the first server according to the third request information; the first information is used for establishing an interaction channel between a virtual machine main process borne by the second target device and a first vTPM process borne by the first target device;
A second sending module 1540, configured to send fourth request information to a second server; the fourth request information is used for requesting to create a virtual machine main process, and the fourth request information carries the first information.
It should be noted that, in the embodiment of the present application, the virtual machine management device and the virtual machine management method on the third server side are based on the same inventive concept, and the two embodiments may refer to each other, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
A target device according to an embodiment of the present application, as shown in fig. 16, includes a transceiver 1610, a processor 1600, a memory 1620, and a program or instruction stored on the memory 1620 and executable on the processor 1600; the steps of the virtual machine management method applied to the first target device side are implemented when the processor 1600 executes the program or the instruction, or the steps of the virtual machine management method applied to the second target device side are implemented when the processor 1600 executes the program or the instruction, and the same technical effects can be achieved, so that repetition is avoided and redundant description is omitted here.
The transceiver 1610 is configured to receive and transmit data under the control of the processor 1600.
In fig. 16, the bus architecture may comprise any number of interconnected buses and bridges, in particular one or more processors represented by the processor 1600 and various memory circuits represented by the memory 1620. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 1610 may be a number of elements, i.e., it may include a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1600 is responsible for managing the bus architecture and general processing, and the memory 1620 may store data used by the processor 1600 in performing operations.
The server according to the embodiment of the present application, as shown in fig. 17, includes a transceiver 1710, a processor 1700, a memory 1720, and a program or instructions stored on the memory 1720 and executable on the processor 1700; the steps of the virtual machine processing method applied to the first server side are implemented when the processor 1700 executes the program or the instruction, or the steps of the virtual machine processing method applied to the second server side are implemented when the processor 1700 executes the program or the instruction, or the steps of the virtual machine processing method applied to the third server side are implemented when the processor 1700 executes the program or the instruction, and the same technical effects can be achieved, so that repetition is avoided and no further description is given here.
The transceiver 1710 is configured to receive and transmit data under the control of the processor 1700.
In fig. 17, the bus architecture may comprise any number of interconnected buses and bridges, in particular one or more processors represented by the processor 1700 and various memory circuits represented by the memory 1720. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 1710 may be a number of elements, i.e., it may include a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1720 may store data used by the processor 1700 in performing operations.
The readable storage medium of the embodiment of the present application stores a program or an instruction, which when executed by a processor, implements the steps in the virtual machine management method described above, and can achieve the same technical effects, and is not repeated here.
The embodiment of the application also provides a computer program product, which comprises computer instructions, wherein the computer instructions realize the processes of the virtual machine management method embodiment when being executed by a processor, and can achieve the same technical effects, and in order to avoid repetition, the description is omitted.
The processor is the processor in the target device or the server described in the above embodiments. The readable storage medium includes a computer readable storage medium, such as a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It is further noted that the terminals described in this specification include, but are not limited to, smartphones, tablets, etc., and that many of the functional components described are referred to as modules in order to more particularly emphasize their implementation independence.
In an embodiment of the application, the modules may be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different bits which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Likewise, operational data may be identified within modules and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
Although a module may be implemented in software, taking into account the level of existing hardware technology, one skilled in the art may also, where cost is not a concern, build corresponding hardware circuitry, including conventional Very Large Scale Integration (VLSI) circuits or gate arrays, and existing semiconductors such as logic chips, transistors, or other discrete components, to achieve the corresponding functions. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
The exemplary embodiments described above are described with reference to the drawings; many different forms and embodiments are possible without departing from the spirit and teachings of the present application, and therefore the present application should not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete, and will convey the scope of the application to those skilled in the art. In the drawings, the size of the elements and relative sizes may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Unless otherwise indicated, a range of values includes the upper and lower limits of the range and any subranges therebetween.
While the foregoing is directed to the preferred embodiments of the present application, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present application, and such modifications and adaptations are intended to be comprehended within the scope of the present application.