Cite this article
  • Geng Zhaoyang, Min Zhennan, Wang Wenhao. A Trusted Cross-Platform Live Migration Technology for Confidential Containers[J]. Journal of Cyber Security, accepted.
A Trusted Cross-Platform Live Migration Technology for Confidential Containers
Geng Zhaoyang, Min Zhennan, Wang Wenhao
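(Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Confidential containers use trusted execution environment technologies such as AMD SEV for hardware isolation and encryption, protecting the data in a container even when the operating system or the platform it runs on is untrusted, and thereby improving program security. In the current industrial environment, confidential containers, as an emerging security technology, have broad application prospects. As the industry develops, multiple confidential containers will come to share a single confidential virtual machine. When the performance of that confidential virtual machine cannot meet the demands of multiple confidential containers, one or more of them must be live-migrated. However, traditional container live migration techniques do not support confidential containers: the memory state of a confidential container is encrypted, so existing migration techniques cannot be applied directly. Although AMD SEV supports migrating a confidential virtual machine as a whole, in a scenario where one confidential virtual machine contains multiple confidential containers this still falls short of practical needs such as failure recovery and load balancing for confidential containers. To solve this problem, the paper takes into account the current state of confidential container technology, draws on live migration schemes for ordinary containers and virtual machines, and proposes for the first time a basic architecture for trusted cross-platform live migration of confidential containers in a multi-confidential-container runtime environment, together with a new technique for identifying a single container while device drivers process requests. On this basis, the paper gives a live migration method for this architecture. By searching the Virtio structures in the confidential virtual machine, it obtains detailed information about the virtual device state of a single confidential container within a confidential virtual machine running multiple confidential containers, saves that container's virtual device state on the source platform, and restores it on the migration target platform. The paper implements a prototype of the proposed confidential container live migration scheme on the AMD SEV-SNP platform and integrates it into the CRIU framework. The paper evaluates the proposed scheme, and the experimental results show that it completes trusted live migration of confidential containers with negligible downtime.
Keywords: confidential container, live migration, trusted execution environment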
DOI:10.19363/J.cnki.cn10-1380/tn.2025.04.28
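Submitted: 2024-01-30  Revised: 2024-05-24
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program); National Key Basic Research Program of China (973 Program)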
A Trusted Cross-Platform Live Migration Technology for Confidential Containers
Geng Zhaoyang, Min Zhennan, Wang Wenhao
(Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Confidential containers, which use trusted execution environment technologies such as AMD SEV for hardware isolation and encryption, can safeguard the data within a container even when the operating system or runtime platform is untrusted, which improves the security of the program. In the current industrial landscape, confidential containers are gaining traction as an emerging security technology with broad application prospects. As the industry evolves, multiple confidential containers will come to share a single confidential virtual machine. If the performance of this shared virtual machine falls short of what the containers need, one or more of them must be live-migrated. Traditional container live migration techniques, however, do not support confidential containers: the memory state of these containers is encrypted, so existing migration methods cannot be applied directly. While AMD SEV supports migrating a confidential virtual machine as a whole, meeting the requirements of confidential container failure recovery, load balancing, and other applications remains difficult when multiple confidential containers are housed within a single confidential virtual machine. To address this gap, this paper takes into account the current state of confidential container technology and draws on the live migration strategies of ordinary containers and virtual machines. It introduces, for the first time, an infrastructure for cross-platform trusted live migration for the case where multiple confidential containers run within the same runtime environment, and proposes a novel technical approach for identifying an individual container while device drivers handle requests.
Building on this foundation, the paper presents a live migration methodology that aligns with this architecture. This paper presents a prototype of a confidential container live migration scheme, implemented on the AMD SEV-SNP platform and integrated into the CRIU framework. The scheme involves retrieving Virtio structures from confidential virtual machines running multiple confidential containers to obtain detailed information about the states of these virtual devices. This information is then saved on the source platform and restored on the target platform where the confidential containers are migrated. The evaluation of the proposed live migration scheme demonstrates its effectiveness, with experimental results indicating that it can successfully complete trusted live migration of confidential containers with negligible downtime.
Key words:  confidential container, live migration, trusted execution environment