Journal of Information Security Research ›› 2025, Vol. 11 ›› Issue (11): 1040-.


A Trusted Enhanced Virtual Machine Hybrid Measurement Scheme

Wang Guan and Hu Yinghao

  1. College of Computer, Beijing University of Technology, Beijing 100124
     Beijing Key Laboratory of Trusted Computing (Beijing University of Technology), Beijing 100124
  • Online: 2025-11-27  Published: 2025-11-27

  • Corresponding author: Wang Guan, M.Sc., associate professor, master's supervisor. Research interests: information security, trusted computing, data mining and intelligent information systems. wangguan@bjut.edu.cn
  • Author biographies: Wang Guan, M.Sc., associate professor, master's supervisor; research interests: information security, trusted computing, data mining and intelligent information systems. wangguan@bjut.edu.cn. Hu Yinghao, master's student; research interests: information security, trusted computing. huyinghao@emails.bjut.edu.cn

Abstract: Virtualization is the core technology of cloud computing, and it raises problems of virtual machine integrity and security. Trusted computing, an effective approach to cloud computing security, achieves active monitoring and protection of virtual machines through trusted measurement. Current virtual machine trusted measurement falls into two modes, report measurement and adjudication measurement, but these methods suffer either from a high starting point of trust or from high hardware cost. This paper therefore proposes a trusted enhanced virtual machine hybrid measurement scheme that takes the virtual trusted platform module (vTPM) as its root of trust and the virtual trusted software base (vTSB) as its supporting software platform. Starting from the host's measurement of the virtual machine's vCRTM, the trust chain is extended through a report measurement mode part and an adjudication measurement mode part. By adding a step that measures the virtual machine's vCRTM and extending the trust chain from the host to the virtual machine, the scheme secures the virtual machine's root of trust and resolves the delayed starting point of trust caused by the absence of a virtual trusted platform control module (vTPCM). Experiments demonstrate that the scheme has good security and feasibility.

Key words: virtualization, trusted computing, trust chain, trusted root, trusted measurement
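The abstract describes a chain that starts with the host measuring the VM's vCRTM and then continues partly in report mode (measure, extend, log, verify later) and partly in adjudication mode (the vTSB compares against a reference before the stage is loaded). The following simulation is an added illustration, not the paper's code: the PCR extend rule, the boot stages, their images and the per-stage mode assignment are all constructed assumptions.

```python
import hashlib

ZERO_PCR = b"\x00" * 32

def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # vTPM-style PCR extend: PCR' = SHA-256(PCR || digest)
    return hashlib.sha256(pcr + digest).digest()

# Constructed sample images (not real firmware). Each VM boot stage carries the mode the
# hypothetical vTSB policy assigns it: "report" (measure, extend, log; verify later) or
# "adjudicate" (vTSB compares with the reference before load and refuses on mismatch).
VCRTM = b"vcrtm-image-v1"
BOOT_CHAIN = [("vBIOS", b"vbios-image", "adjudicate"),
              ("bootloader", b"bootloader-image", "adjudicate"),
              ("kernel", b"kernel-image", "report"),
              ("init", b"init-image", "report")]
REFERENCE = {name: measure(img) for name, img, _ in BOOT_CHAIN}
REFERENCE["vCRTM"] = measure(VCRTM)

def run_hybrid_measurement(vcrtm, components, reference):
    """Return (pcr, event_log, refused). The host first measures the VM's vCRTM and anchors
    the vTPM PCR with it; a vCRTM that does not match the reference ends the chain at once."""
    pcr, log, refused = ZERO_PCR, [], []
    d = measure(vcrtm)
    pcr = extend(pcr, d)
    log.append(("vCRTM", d.hex()))
    if d != reference["vCRTM"]:
        refused.append("vCRTM")
        return pcr, log, refused
    for name, img, mode in components:
        d = measure(img)
        if mode == "adjudicate" and reference.get(name) != d:
            refused.append(name)      # vTSB blocks the stage; nothing is extended or loaded
            continue
        pcr = extend(pcr, d)          # report mode (and passing adjudications): extend + log
        log.append((name, d.hex()))
    return pcr, log, refused

def verify_report(pcr, log, reference):
    """Remote verifier: replay the log into a fresh PCR and compare every entry with the
    reference. Returns None if the log does not reproduce the PCR, else the mismatched names."""
    replayed = ZERO_PCR
    for _, hexdigest in log:
        replayed = extend(replayed, bytes.fromhex(hexdigest))
    if replayed != pcr:
        return None
    return [name for name, hexdigest in log if reference.get(name, b"").hex() != hexdigest]
```

A tampered adjudicated stage is refused before load, a tampered report-mode stage is only caught by the verifier's replay, and a tampered vCRTM stops the chain at its root.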


