Method and system for protecting root CA certificate in a virtualization environment
20170295024 · 2017-10-12
Inventors
- Jingqiang Lin (Beijing, CN)
- Jiwu Jing (Beijing, CN)
- Le Guan (Beijing, CN)
- Bingyu Li (Beijing, CN)
- Jing Wang (Beijing, CN)
- Wuqiong Pan (Beijing, CN)
- Yuewu Wang (Beijing, CN)
Cpc classification
- H04L9/32 (ELECTRICITY)
- H04L63/062 (ELECTRICITY)
- G06F21/73 (PHYSICS)
- H04L9/3268 (ELECTRICITY)
- G06F9/45504 (PHYSICS)
- H04L63/20 (ELECTRICITY)
- H04L9/3263 (ELECTRICITY)
International classification
- H04L9/32 (ELECTRICITY)
Abstract
The present invention discloses a method and a system for protecting root CA certificates in a virtualization environment. The method installs a root CA certificate security manager on a host computer. The root CA certificate security manager stores the lists of root CA certificates and provides certificate validation service to virtual machines via a read-only interface. When a virtual machine needs to verify a certificate, it sends a certificate validation service request to the root CA certificate security manager, which provides the certificate validation service to the virtual machine in response to the request. The virtual list of root CA certificates in the present invention has the following features: it isolates the list of root CA certificates from the virtual machine; the virtual machine can only access the list of root CA certificates in a read-only manner; modification or configuration of the lists of root CA certificates can only be made via an interface of the root CA certificate security manager on the host computer; and the virtual machine can flexibly choose how a certificate is to be verified.
Claims
1. A method for protecting root CA certificates in a virtualization environment, comprising: 1) installing a root CA certificate security manager on a host computer; operating the root CA certificate security manager in a virtual machine monitor on the host computer; storing lists of root CA certificates in the root CA certificate security manager; providing certificate validation service to virtual machines by the root CA certificate security manager via a read-only interface to virtual machines in a virtualization environment; accessing the lists of root CA certificates in the root CA certificate security manager by the virtual machine via the read-only interface; and 2) sending a service request from the virtual machine to the root CA certificate security manager when the virtual machine needs verification of a certificate; providing certificate validation service for the certificate by the root CA certificate security manager in response to the service request.
2. The method of claim 1, further comprising: selecting a mode of certificate validation service by the virtual machine when sending a service request from the virtual machine to the root CA certificate security manager, wherein the step of providing certificate validation service by the root CA certificate security manager comprises one of the following steps: a) when the virtual machine requests the root CA certificate security manager to verify a certificate, verifying the certificate received from the virtual machine by the root CA certificate security manager using the root CA certificate list corresponding to the virtual machine; returning a result to the virtual machine via the read-only interface; or b) when the virtual machine requests to read a root CA certificate from the root CA certificate security manager, sending information about the root CA certificate from the root CA certificate security manager to the virtual machine via the read-only interface; completing the verification of the certificate by the virtual machine.
3. The method of claim 1, wherein each of the lists of root CA certificates is associated with a virtual machine, wherein the lists of root CA certificates are configured only via an interface of the root CA certificate security manager on the host computer.
4. The method of claim 1, wherein the virtual machine sends the service request for certificate validation service to the root CA certificate security manager through a secure virtual communication channel shared with the root CA certificate security manager.
5. The method of claim 1, wherein the root CA certificate security manager is implemented in a Xen-based virtualization system, or based on VMware ESX/ESXi, or based on Hyper-V virtualization system, or based on KVM-QEMU virtualization system.
6. The method of claim 5, wherein the root CA certificate security manager is implemented in KVM-QEMU virtualization system, wherein the root CA certificate security manager uses Virtio in combination with QEMU to deliver the service requests and responses for certificate validation between the root CA certificate security manager and the virtual machine.
7. The method of claim 6, wherein the Virtio system comprises a front-end driver in a driver module of the virtual machine, a back-end processing program implemented in QEMU, and two layers between the back-end processing program and the front-end driver to support communications between the virtual machines and QEMU, wherein the two layers comprise a virtual queue interface and a virtio-ring, wherein the virtual queue interface attaches the front-end driver to the back-end processing program, and the virtual queue interface calls the virtio-ring in a lower layer to enable the front-end driver and the back-end processing program to send and receive data with each other using the same Application Binary Interface, thus providing a communication channel between the two sides, wherein the virtio-ring implements a ring buffer for storing information processed by the front-end driver and the back-end processing program, wherein the virtio-ring stores multiple I/O requests from the front-end driver together, and sends such information to the back-end processing program for batch processing.
8. A system for protecting root CA certificates in a virtualization environment, comprising: a host computer comprising a root CA certificate security manager on the host computer, wherein the root CA certificate security manager operates in a virtual machine monitor on the host computer, wherein the root CA certificate security manager stores lists of root CA certificates; and a virtual machine, wherein the root CA certificate security manager provides certificate validation service via a read-only interface to the virtual machine, wherein the virtual machine accesses the list of root CA certificates in the root CA certificate security manager via the read-only interface, wherein the virtual machine sends a service request for certificate validation to the root CA certificate security manager when the virtual machine needs to verify a certificate, wherein the root CA certificate security manager provides certificate validation service for the certificate in response to the service request.
9. The system of claim 8, wherein the virtual machine selects a mode of certificate validation when it sends the service request for certificate validation to the root CA certificate security manager, wherein the root CA certificate security manager provides certificate validation service in one of the following ways: a) when the virtual machine requests the root CA certificate security manager to verify the certificate, the root CA certificate security manager verifies the certificate received from the virtual machine, uses the lists of root CA certificates corresponding to the virtual machine, and returns a result to the virtual machine via the read-only interface; or b) when the virtual machine requests to read a root CA certificate from the root CA certificate security manager, the root CA certificate security manager sends the root CA certificate to the virtual machine via the read-only interface, wherein the root CA certificate is associated with the information in the request, wherein the virtual machine completes certificate verification of the certificate.
10. The system of claim 8, wherein the configuration of the lists of root CA certificates, including adding, deleting, modifying the list of root CA certificates used by each virtual machine, is achieved only via an interface provided by the root CA certificate security manager.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION OF THE INVENTION
[0031] In order to make objects, features, and advantages of the present invention mentioned above more easily understood, the present invention is further described below based on the embodiments and the drawings.
[0033] In the present embodiment, the root CA certificate security manager can be implemented on the KVM-QEMU virtualization platform. Its configuration interface is integrated into the QEMU console and is exposed to the administrator, allowing the administrator to configure the root CA certificate lists directly on the host. KVM is a Linux kernel module and the core of the KVM-QEMU virtualization platform: it initializes the processor and offers a series of VMM management interfaces via ioctl system calls, including creating a VM, mapping VM physical addresses, assigning virtual CPUs (vCPUs) to a VM, and so on. The QEMU process provides the emulator for the virtual machine and calls the KVM interface to run the virtual machine program. The main function of the KVM module is to capture the virtual machine's I/O instructions (including port I/O and memory-mapped I/O) and to handle the exit from virtualization, by operating on the Virtual-Machine Control Data Structure (VMCS).
[0034] In the present embodiment, the request for certificate validation and the result, transferred between the root CA certificate security manager and the virtual machine, are conducted using Virtio. The framework of Virtio is shown in
[0035] In the present embodiment, the front-end driver (such as virtio-blk, virtio-net, etc.) is in the driver module of the virtual machine, while the back-end processing program (back-end driver) is implemented in QEMU. In this implementation, virtio-ca is the front-end driver. Virtio-ca is a virtual root CA certificate device whose main purpose is to guarantee that the root CA certificate list cannot be directly accessed by the virtual machine during digital certificate validation. The back-end processing program is implemented by the root CA certificate security manager. It either provides the information requested about a root CA certificate, or performs the digital certificate verification and returns the result.
[0036] Between the front-end and the back-end, two extra layers are defined to support communication between virtual machines and QEMU. The virtio layer is the virtual queue (virtqueue) interface, which conceptually attaches a front-end driver to the back-end processing program. By calling virtio-ring in the lower level, the virtual queue enables the front-end driver and the back-end processing program to send and receive data with each other using the same Application Binary Interface (ABI), thus providing a communication channel between the two sides. The virtual queue is therefore considered the joint between the virtual machines and the VMM. In the present embodiment, virtio-ca instantiates a pair of virtual queues (virtqueues) during initialization, to be used for delivering messages in the certificate validation service.
[0037] The virtio-ring layer implements a ring buffer to store information from the front-end driver and the back-end processing program. It can store multiple I/O requests from the front-end driver in bulk and send them to the back-end together for batch processing. In the present example, the virtual machine dynamically requests memory and passes the address to the root CA certificate security manager via the PCI interface. The root CA certificate security manager adds an offset to obtain the corresponding virtual address in memory. Both sides communicate with each other via this shared memory area.
[0038] In this embodiment, the root CA certificate security manager is driven by virtio-ca, which is recognized by the guest operating system through the PCI interface. When a virtual machine attached to the root CA certificate security manager starts up, the probe function of virtio-ca-pci is triggered and registers the virtio-ca driver via register_virtio_driver, indicating that virtio-ca is now associated with the root CA certificate security manager. Virtio-ca has then established a communication channel with the root CA certificate security manager. The virtual machine can use virtio-ca to send a request message to the root CA certificate security manager and to accept the response from the root CA certificate security manager. The virtio-ca-pci option must be added to the QEMU start command to enable the virtual machine to identify the root CA certificate security manager.
[0039] The request for certificate validation service from a virtual machine to the root CA certificate security manager includes the following steps:
[0040] a) The virtual machine provides, via virtio-ca, either the related root CA certificate issuer's name (i.e. the Issuer field in the X.509 root CA certificate; for a root CA certificate, the Issuer field is the same as the Subject field) or the subject key identifier (i.e. the SubjectKeyIdentifier extension field of the X.509 root CA certificate) to the root CA certificate security manager.
[0041] b) The root CA certificate security manager searches for the root CA certificate that meets the conditions in the request, by querying the configuration file associated with the virtual machine.
[0042] c) If a root CA certificate that matches the certificate issuer's name or the subject key identifier is found in the configuration file associated with the virtual machine, the root CA certificate security manager accesses the folder holding the list of root CA certificates and reads the certificate issuer's name or the subject key identifier of each certificate in sequence, to find the root CA certificate that satisfies the request conditions of the virtual machine, and then proceeds to step d). If not, the root CA certificate security manager terminates the certificate validation service request from the virtual machine.
[0043] d) After the root CA certificate that meets the conditions has been found, based on the certificate validation mode selected by the virtual machine, the following steps are performed:
[0044] When the virtual machine requests the root CA certificate security manager to conduct the certificate verification, the root CA certificate security manager sends a request to the virtual machine via virtio-ca, asking the virtual machine to send the certificate to be verified. The virtual machine returns the certificate to be verified to the root CA certificate security manager through virtio-ca. The root CA certificate security manager verifies the digital signature in the certificate using the public key in the corresponding root CA certificate, and returns the verification result to the virtual machine via virtio-ca.
[0045] When the virtual machine requests the root CA certificate security manager to provide information about the root CA certificate required, the root CA certificate security manager sends the corresponding information about the root CA certificate to the virtual machine via virtio-ca. The virtual machine independently completes the verification process.
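The request flow of steps a) to d) above, as an added model that is not the patent's own code: a host-side manager keeps one root list per VM, looks a root up by Issuer or SubjectKeyIdentifier, and either verifies a signature itself (mode a) or hands back the root's public information (mode b). The guest interface is read-only, so a request that tries to change a list is refused. A constructed toy RSA key stands in for X.509 (insecure, illustration only), and the to-be-verified data travels in the request rather than in the patent's second round trip.

```python
import hashlib

# Constructed toy RSA root key (two Mersenne primes; insecure, illustration only).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the sample root CA only

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def toy_sign(tbs: bytes) -> int:
    """Root CA side: signs a to-be-signed blob (stands in for issuing a certificate)."""
    return pow(digest(tbs), D, N)

class RootCaSecurityManager:
    """Host-side manager: guests reach it only through handle_request (read-only)."""
    def __init__(self):
        self._lists = {}                      # vm_id -> list of root cert dicts

    def host_configure(self, vm_id, certs):   # only reachable from the host (QEMU console)
        self._lists[vm_id] = list(certs)

    def _lookup(self, vm_id, issuer=None, skid=None):
        # Steps b)/c): search the list associated with this VM by Issuer or SubjectKeyIdentifier.
        for cert in self._lists.get(vm_id, []):
            if (issuer and cert["subject"] == issuer) or (skid and cert["skid"] == skid):
                return cert
        return None

    def handle_request(self, vm_id, req):
        root = self._lookup(vm_id, req.get("issuer"), req.get("skid"))
        if root is None:                      # step c): no match, request terminated
            return {"status": "no_matching_root"}
        if req["mode"] == "verify":           # step d), mode a): manager checks the signature
            valid = pow(req["sig"], root["e"], root["n"]) == digest(req["tbs"])
            return {"status": "ok", "valid": valid}
        if req["mode"] == "read":             # mode b): hand the root's public info to the guest
            return {"status": "ok", "cert": {k: root[k] for k in ("subject", "skid", "n", "e")}}
        return {"status": "unsupported"}      # e.g. a guest trying to add or modify a root

SAMPLE_ROOT = {"subject": "CN=Example Root CA", "skid": "0a1b2c", "n": N, "e": E}
ISSUER = SAMPLE_ROOT["subject"]

def demo():
    mgr = RootCaSecurityManager()
    mgr.host_configure("vm1", [SAMPLE_ROOT])   # vm2 is given no list at all
    tbs = b"CN=leaf.example,issuer=CN=Example Root CA"   # constructed to-be-signed data
    sig = toy_sign(tbs)
    return {
        "good": mgr.handle_request("vm1", {"mode": "verify", "issuer": ISSUER, "tbs": tbs, "sig": sig}),
        "tampered": mgr.handle_request("vm1", {"mode": "verify", "skid": "0a1b2c", "tbs": tbs + b"x", "sig": sig}),
        "isolated": mgr.handle_request("vm2", {"mode": "verify", "issuer": ISSUER, "tbs": tbs, "sig": sig}),
        "read": mgr.handle_request("vm1", {"mode": "read", "skid": "0a1b2c"}),
        "write": mgr.handle_request("vm1", {"mode": "add", "issuer": ISSUER}),
    }
```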
[0046] The foregoing description of the embodiment is provided for illustration only, rather than for the purpose of limiting, the technical solutions of the present invention. One of ordinary skill in the art may modify or vary the exemplary embodiment without departing from the spirit and scope of the present invention. The scope of the present invention should be subject to the claims.